Testing web applications for bugs using OWASP ZAP

Websites and other web applications are for many companies the main communication tools towards their customers. These customer-facing applications provide access to valuable data and system assets, often outside the corporate perimeter. Bugs in these applications can cause companies a lot of damage, both in data loss and reputation. This is why organizations needs to be confident that security is guaranteed.

Organizations like The Open Web Application Security Project (OWASP) focus on improving the security of web applications. Since 2003, OWASP publicizes every three years the most important security related problems in software applications. This popular security resource consists of the most serious web application bugs in the industry. These order of the problems is defined by multiplying the ‘Likelihood’ against the ‘Impact’. In 2013 the Top 10 looked like this:

owasp_top10
Picture 1: OWASP Top 10

Besides offering this information, OWASP also has tools that help developers and testers to find these bugs. One of the tools is the OWASP ZAP project. ZAP provides all the essentials for web application testing including; Intercepting Proxy, Active and Passive Scanners, Spider, Report Generation, Brute Force, and Fuzzing. Scanning your web application is quite easy due to the clear interface of OWASP ZAP. By scanning applications during the development cycle, developers and testers can focus on preventing bugs and fixing them before the sofware goes live.

zap
Picture 2: Scan policy (what do you want to include)

A basic test for security related bugs using ZAP would consist of:

  • Configuring your browser to proxy via ZAP
  • Exploring the web application manually
  • Using the Spider to find ‘hidden’ content
  • Running the Active Scanner to find bugs

With the results of the Active Scanner, the end user can print out a report with the bugs found. The ZAP tool provides a reporting feature which allows you to generate reports that help you to identify the bugs that may have been found during the scans. The issues are presented to the user with an overview of their impact and often with a technical solution for the problem. These results are very valuable and can be directly used by developers and testers to improve the software.

alerts
Picture 3: Results found by the Active Scanner

ZAP works with predefined test cases to find issues. However, logical bugs, misconfigurations, etc., aren’t always detected by these scanners. So only running the scans on your web application doesn’t give the end user the guarantee that all possible issues are found. For a more reliable result a manual test is also required.

OWASP ZAP is a free tool and is included in the latest version of the free Kali Linux. If you would like to know more about OWASP, please refer to the following URLs:

Share