Scanning web application with OWASP ZAP

Hi there!

Days ago I wrote about Kali Linux installation on AWS.

Now let's try and have some scans running with OWASP ZAP ⚡.

Connection

I'm running Kali on AWS so I want to connect to the instance using SSH.

I have the .pem file, so I need to run just few commands.

sudo chmod 400 kali.pem
ssh -i kali.pem ec2-user@your-public-dns

For Windows users there is a good article - Connecting to your Linux instance from Windows using PuTTY

Installation

I expected to have zaproxy preinstalled, but no. So, let's install it. Though I've installed the 2019.4 version of Kali.

Let's run the command and get the zaproxy installed:

sudo apt-get update && sudo apt-get install zaproxy

Hopefully you've completed the installation successfully.

If you run the command zaproxy, you should probably see output like this:

Found Java version 11.0.5
Available memory: 982 MB
Using JVM args: -Xmx245m
0 [main] INFO org.zaproxy.zap.GuiBootstrap  - OWASP ZAP 2.9.0 started 30/05/2020, 14:57:21 with home /home/ec2-user/.ZAP/
2 [main] FATAL org.zaproxy.zap.GuiBootstrap  - ZAP GUI is not supported on a headless environment.
Run ZAP inline or in daemon mode, use -help command line argument for more details.
ZAP GUI is not supported on a headless environment.
Run ZAP inline or in daemon mode, use -help command line argument for more details.

We're using zap on a headless environment, so let's figure out how to use this tool in command line.

For some reason zaproxy -cmd -help command didn't work for me, so I had to figure out another way to run the tool.

The whereis zaproxy command shows us the following output zaproxy: /usr/bin/zaproxy /usr/share/zaproxy.

We're looking for zap.sh file located at /usr/share/zaproxy directory. Windows users should look for zap.bat file.

You can simply run it with bash /usr/share/zaproxy/zap.sh command.

Making a globally available command zap

If you're too lazy to type as many characters, then you can make an alias zap to /usr/share/zaproxy/zap.sh
To do that, we need to perform few simple steps and edit the .bashrc file.

• Open the .bashrc file using vim or nano - nano ~/.bashrc
• Add the following code to the end of file - alias zap="bash /usr/share/zaproxy/zap.sh"
• Save the file and quit
• Run source ~/.bashrc to apply changes, otherwise you need to log out and log in again
• Run zap -help or zap -version

As you can see I'm using version 2.9.0.

If your output is similar to mine, then we're done here! 🚀

Scan

Now we are ready to execute our first scan. Simply, run the following command:

zap -cmd -quickurl http://example.com -quickprogress -quickout ~/out.xml

Replace the "example.com" with whatever host you want to scan.

Here is my console output:

ec2-user@kali:~$ zap -cmd -quickurl http://example.com -quickprogress -quickout ~/out.xml
Found Java version 11.0.5
Available memory: 982 MB
Using JVM args: -Xmx245m
Accessing URL
Using traditional spider
Active scanning
[====================] 100% 
Attack complete
Writing results to /home/ec2-user/out.xml

So, we just ran an attack on example.com host and got the output in XML format - the out.xml file located in /home/ec2-user directory.

Good start. But there is a one problem - I don't want output to be in XML format. I want PDF!

Add-ons

There are lot of useful add-ons in the ZAP Marketplace. We need the one named "Export Report".

ZAP allows us to install add-ons by their ID. Let's install the add-on:

zap -cmd -addoninstall exportreport

What's next?

In the next post I want to figure out the usage of Export Report add-on.

In the end I want to have scheduled scans running automatically and generating me nice PDF reports.

Have a great day! ☀️