4.3. Vulnerability assessment with OWASP ZAP

 

Introduction

In this lesson, we will explore a more advanced scanner that has many capabilities for scanning web applications. ZAP contains numerous tools for testing web sites, such as a fuzzer, a proxy server, a scanner, and more. Additionally, you can install additional plugins that provide additional scanning and vulnerability detection options and capabilities. In this lesson, we will look at some of the pre-installed automated scanners. These include the Spider, Ajax Spider, Passive Scanner, and Active Scanner.

As we already know, Spider is used to discover the structure of a website by following links from one page to another.

Ajax Spider serves the same purpose as Spider but uses Ajax requests. Many modern web applications use Ajax technology to make asynchronous requests to the server. This means that the page doesn't reload; instead, new content is loaded automatically. For example, when you scroll through your Facebook or VK feed, new posts are loaded automatically, thanks to Ajax. If a website uses this technology, Ajax Spider will help you discover new links and vulnerabilities.

Passive Scanner analyzes intercepted pages for vulnerabilities. The analysis occurs when you use ZAP as a proxy server and manually browse the pages of the website. The scanner doesn't send special requests to the server but listens to the traffic and analyzes the data being transmitted. Typically, Passive Scanner helps identify the presence or absence of specific HTTP headers, their incorrect configuration, and it also analyzes comments and server errors.

As the name suggests, Active Scan actively scans the website by sending special requests to the server. However, its operation can disrupt the server's functionality.

In this lesson, we will scan the Juice Shop application.

The quickest way to start scanning is to open the Quick Start tab, click on Automated Scan, and enter the website's address:

Quick start panel of ZAP

However, I would recommend a different approach.

 

Changing Scanner Settings

First, let's modify the scanner settings. To do this, go to Tools > Options or press Ctrl+Alt+O. This will open a window with settings for all installed options:

ZAP options and settings

In the Active Scan settings, it's a good idea to modify options that affect the scanning intensity:

  • Number of Hosts Scanned Concurrently: This determines the number of hosts scanned simultaneously. It's not recommended to increase this value too much, as it can significantly burden the computer running ZAP. You can leave it at a moderate value.
  • Concurrent Scanning Threads per Host: This controls the number of parallel scanning threads. Increasing this value can speed up scanning but also puts more load on your CPU and memory. I recommend keeping it below 5.
  • Maximum Rule Duration: This sets the maximum time (in minutes) that a scan script or plugin can run for each scan. You can set this to a minimum value (1 minute) to ensure the scanning process doesn't take too long.
  • Delay When Scanning: This introduces delays between scan requests. Values greater than zero increase the overall scanning time but can reduce the load on the scanned target.

If your ZAP is installed on a powerful computer, you can adjust these values to increase scanning speed and intensity. For Kali Linux installed on a virtual platform, the default values are generally acceptable. You can similarly configure parameter values for Ajax Spider and other scanners. In general, the default values are suitable for Kali running on a virtual platform.

 

Exploring the Application and Passive Scanning

Now let's begin with manual exploration of the application. To do this, go to the "Quick Start" tab and click on "Manual Explore." Then, open a web browser where you'll be interacting with the Juice Shop application.

Juice Shop offers features such as user registration, login forms, user reviews, language switching, and more. I recommend thoroughly exploring all these functionalities. This comprehensive exploration helps broaden your search for vulnerabilities.

As you log in as different users and interact with various functionalities, you'll be extending the scope of your vulnerability assessment. Keep in mind that logged-in users often have access to additional options and pages that may need active scanning to identify vulnerabilities.

After you've finished exploring the website, return to ZAP and switch to the "Alerts" tab in the bottom panel. In this tab, you'll see alerts and potential vulnerabilities that have been detected both passively and actively during your manual exploration and scanning activities. Reviewing these alerts is crucial for understanding and addressing any security issues in the application:

The list of vulnerabilities and alerts found in ZAP passive mode

Here, you will see all the discovered vulnerabilities. Each identified vulnerability includes a brief description of the issue and a list of associated URLs where the problem was found. This information is crucial for understanding the nature of the vulnerabilities and their impact on the application's security.

 

Spider/Ajax Spider

Continuing the walkthrough, the next step is to scan the website's structure using the Spider and Ajax Spider tools. Since Juice Shop makes extensive use of Ajax technology, the Ajax Spider tool is essential here.

To proceed, go to the left panel under "Sites," select the website you want to explore, right-click to open the context menu, and then click on the "Attack" option. This will initiate the scanning process using the Spider and Ajax Spider tools:

Options to start ZAP attack

To start, select the "Spider" option. Wait for the Spider scanner to complete its work, and then you can proceed with running the Ajax Spider. I recommend not running both scanners simultaneously. In the bottom right corner, you can see which scanners are currently active:

The viw of currently running scanners in ZAP

When you hover your mouse cursor over the scanner icons, a tooltip with the scanner's name will appear. This tooltip provides a quick way to identify which scanner is currently active or associated with a specific task within OWASP ZAP. This feature helps you keep track of the scanning processes you've initiated.

 

Active scan

Active Scan allows you to perform a more intensive assessment of the target website. Here are the steps you can follow to initiate an Active Scan. In the "Sites" panel, select the URL of the target website. Right-click to open the context menu. Go to "Attack" and then select "Active Scan."

In the Active Scan dialog that appears, make sure to check the "Show Advanced Options" checkbox:

ZAP active scan options

Additional tabs with scanning settings will appear. Open the 'Technology' tab:

Selections of technologies to scan

Here you can choose only the server technologies that were detected during the reconnaissance and information gathering phase of the website. By doing so, you reduce the load on the tested object and shorten the testing time. However, if you are uncertain about a specific technology, you can enable more options. Then, proceed to the 'Policy' tab:

Settings of scan policy

In it, testing policy settings are displayed. By default, there is the Default Policy, but you can create your own policy with custom settings. The policy is divided into 5 categories, each of which contains lists of tested vulnerabilities. Some of them can be disabled.

To manage policy settings, there are 2 important parameters that you can apply to the entire policy or to individual categories and subcategories.

Alert Threshold - this parameter regulates the likelihood of including specific vulnerabilities in the report. There are 4 options available: Off, Low, Medium, High. 'Off' means that testing for the selected category is disabled. 'Low' includes a large number of vulnerabilities in the report, but many of them may be false positives. 'High' includes fewer vulnerabilities in the report, but they are more likely to be true positives.

Attack Strength - the intensity of testing, where 'Low' is low intensity, and 'Insane' is the highest.

For testing Juice Shop, I would recommend using the 'Low' value for the Attack Strength parameter. Apply this value to the entire policy:

Settings for Low strength of attack

Click on Start Scan, and the active testing process will begin. The entire process will be displayed in the program's bottom panel.

 

Reporting

To generate a report, go to the top panel and select Report > Generate Report. The following window will open:

Reporting options in ZAP

Change its title and filename as desired, and then in the Site field, select the desired website. The Report Directory field shows the folder where the report file will be saved.

In the Template tab, you can choose the desired report format and style, and in the Filter tab, filter vulnerabilities by risk level and likelihood of truth. Then click on Generate Report.