Why Waiting for a Pentest Is Too Late
How developers can use OWASP ZAP for security testing

As web applications become more complex, the risk of security vulnerabilities increases. Often, these vulnerabilities result from mistakes made by developers during the development process.
Even a tiny error in the code can create a significant vulnerability that cybercriminals can exploit. This can lead to data breaches, unauthorized access, and other security incidents impacting a business’s reputation.
To address this risk, many companies rely on periodic penetration testing to identify application vulnerabilities.
Yet, waiting until the end of the development cycle to perform security testing can be costly and time-consuming, as finding and solving vulnerabilities may need significant time and effort.
To lower these risks, developers must incorporate security testing tools into their daily work. One such tool is the OWASP Zed Attack Proxy (ZAP), an open-source application that can detect vulnerabilities in any web application.
By using ZAP to perform regular security testing, developers can identify and address application vulnerabilities early in development. This reduces the risk of security incidents and minimizes the cost of remediation.
In this article, we’ll explore how you, as a developer, can use OWASP ZAP to perform security tests on your web applications and how to integrate them into your development process.
Installing OWASP ZAP
To get started with OWASP ZAP, follow these three steps:
- Download OWASP ZAP: Visit the official website at https://www.zaproxy.org/download/ to download the latest version of OWASP ZAP. Choose the appropriate download for your operating system.
- Install OWASP ZAP: After downloading the appropriate file, run the installer and follow the instructions to complete the installation.
- Launch OWASP ZAP: Once the installation is complete, launch OWASP ZAP. You will be prompted to select a workspace directory where the application will store its configuration and data. Choose a location and click “OK” to proceed.
Configuring OWASP ZAP
ZAP is a security testing tool that works as a “proxy,” meaning it acts as an intermediary between your web browser and the websites you visit.
As a security tester, you need to intercept this communication to test the website for vulnerabilities. ZAP opens a new communication channel, intercepting the traffic between your browser and the website and then passing the intercepted traffic on to the website as if it were coming directly from your browser.
Once ZAP has intercepted the traffic, it can be analyzed and modified before being sent to the web server.
Configuring the proxy
To allow ZAP to intercept HTTP communication, you must set it up as a proxy in your web browser, which involves making two changes. First, configure your web browser to redirect all traffic through the ZAP proxy. Secondly, configure the ZAP proxy to listen on a specific port.
Many browser extensions are available to assist with proxy configuration. I use Foxy Proxy in Google Chrome. In the screenshot below, I have added a new proxy row called ZAP that redirects all traffic to http://localhost:8082.

In ZAP, via the “Tools” -> “Options” menu, go to the Local Servers/Proxies item and configure localhost and port 8082.

When the ZAP proxy is configured correctly, the “sites tree” in ZAP will display a list of the websites you visit.

Configuring the ZAP certificate
Once you’ve set up ZAP as a proxy, it intercepts all the traffic between your browser and the server. However, if the communication is encrypted, ZAP won’t be able to read it.
To get around this, you can generate a root certificate in ZAP and install it as trusted on your machine. The browser then accepts the secure channel between itself and ZAP because ZAP’s certificate is in its trusted chain.
ZAP receives the encrypted traffic from the browser, decrypts it, lets you inspect or modify it as needed, then re-encrypts it and forwards it to the server over a second, separate TLS connection.
To generate and install a new certificate in ZAP, follow these steps:
- Open ZAP and go to “Tools” -> “Options.”
- Select “Network” settings.
- Scroll down to find the “Server Certificates” item and click on it.
- On the “Server Certificates” screen, you can generate a new certificate by clicking the “Generate” button. It will be automatically installed as a root certificate in your operating system.
- Finally, verify that the new certificate is installed and trusted by checking your system’s certificate store.
Here’s a screenshot to help guide you.

Depending on your operating system and browser, there may be two additional steps you need to take after generating the certificate:
On macOS, installing the certificate is not enough. You must also set the trust settings of the installed root CA certificate in the Keychain Access app so that your system trusts the ZAP-generated certificate.

If you’re using Firefox, you must import the generated certificate into Firefox because Firefox uses its own certificate store. This ensures that Firefox trusts the ZAP-generated certificate and can establish a secure connection.
With the installation and configuration finished, we are ready to start scanning our first application.
Testing your first web application
!!! One word of caution before you start scanning. Ensure that you have the permission of the site owner or that it is a web application you have developed. You do not want to break a web application accidentally !!!
When using the spider in ZAP to investigate a site, be aware that it will follow all outgoing links, including those that may lead to third-party services not owned or controlled by the site owner. To avoid accidentally interacting with these third-party services, it’s important to exercise caution and be mindful of where the spider is taking you. Always review the links carefully and consider their context before proceeding.
To demonstrate scanning in ZAP, I will be using the OWASP Broken Web Applications (BWA) Project. BWA is a collection of intentionally vulnerable web applications that can be downloaded for free as a Virtual Machine in VMware format. This makes it easy to set up and start scanning for vulnerabilities without needing to configure a complex environment from scratch.
Spidering a website
Before attempting to attack a website, it’s essential to understand its structure and content.
This process is commonly known as “spidering.” In spidering, a tool like OWASP ZAP automatically crawls a website to identify all its pages, content, and functionality.
This is done by sending HTTP requests to the website and following any links or forms on each page to discover new pages.
To perform spidering using OWASP ZAP, you can visit the website in your browser, right-click on the site in ZAP, and select the “spider” option from the menu. This will initiate the spider scan, which will crawl the website and create a map of all its pages and resources.
For example, I used the Damn Vulnerable Web Application (DVWA) web application, part of the OWASP BWA project, to demonstrate spidering and scanning.

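As an added illustration (not ZAP’s code), here is the crawling loop the spider performs, reduced to its essentials in Python: it follows `<a href>` and `<form action>` targets breadth-first over a constructed in-memory site standing in for DVWA, and only fetches pages on the starting host, recording third-party links rather than requesting them, which is the scope discipline the caution above calls for. The host names dvwa.test and partner.example are made up.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed in-memory "site" (URL -> HTML) standing in for DVWA; not real
# DVWA pages. The start page deliberately links to a third-party host.
SITE = {
    "http://dvwa.test/": '<a href="/login.php">Login</a><a href="http://partner.example/track">Ad</a>',
    "http://dvwa.test/login.php": '<form action="/login.php"></form><a href="/vulnerabilities/xss_r/?name=">XSS</a>',
    "http://dvwa.test/vulnerabilities/xss_r/": '<a href="/#top">Home</a>',
}

class LinkExtractor(HTMLParser):
    """Collect <a href> and <form action> targets from one page."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.targets.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.targets.append(a["action"])

def normalize(base, href):
    """Resolve a relative link; drop query and fragment so /p?x=1 and /p?x=2 are one node."""
    return urlparse(urljoin(base, href))._replace(query="", fragment="").geturl()

def spider(start, fetch):
    """Breadth-first crawl restricted to the start URL's scheme and host.
    fetch(url) returns HTML or None. Returns (visited, out_of_scope)."""
    scope = urlparse(start)[:2]  # (scheme, netloc)
    queue, seen, external = deque([start]), {start}, set()
    while queue:
        url = queue.popleft()
        page = fetch(url)
        if page is None:
            continue
        parser = LinkExtractor()
        parser.feed(page)
        for href in parser.targets:
            target = normalize(url, href)
            if urlparse(target)[:2] != scope:
                external.add(target)  # third-party: note it, never request it
            elif target not in seen:
                seen.add(target)
                queue.append(target)
    return sorted(seen), sorted(external)
```

Run it with `spider("http://dvwa.test/", SITE.get)`; swapping `SITE.get` for a real HTTP fetcher turns it into a live crawler, which is exactly why the scope check matters.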
After you have identified a suspicious part of the website, you can choose to attack only that part rather than the whole site.
Attacking a website
One of the vulnerabilities in the DVWA site is Cross-Site Scripting (XSS), in particular a reflected XSS. I select this page as a starting point and start the attack via ZAP.


After a while, ZAP found the reflected XSS and raised an alert.
By examining the details of the alert, you can gain a deeper understanding of the specific vulnerabilities in the web application and take steps to address them, such as modifying the application’s code to fix the vulnerability or adjusting the application’s configuration to prevent similar vulnerabilities in the future.
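To make the alert concrete, here is an added Python example (not DVWA’s or ZAP’s code) of a DVWA-style reflected XSS handler next to its fixed version, together with the reflection check a scanner rule like ZAP’s performs; wired into a CI test, it keeps the fix from regressing. The handler functions and the canary string are hypothetical stand-ins.

```python
import html
from urllib.parse import parse_qs, urlencode

def vulnerable_hello(query):
    """DVWA-style reflected XSS: the 'name' parameter is echoed into HTML
    unchanged (hypothetical stand-in for the xss_r page, not DVWA's code)."""
    name = query.get("name", [""])[0]
    return f"<pre>Hello {name}</pre>"

def fixed_hello(query):
    """Same page with the fix: HTML-escape the parameter before output."""
    name = query.get("name", [""])[0]
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"

# Harmless marker containing the characters that matter in an HTML context.
CANARY = '<zapcheck"\'>'

def reflects_unescaped(handler, param):
    """Core of a reflected-XSS scan rule: send the canary in `param` and
    report whether it comes back in the body unchanged, i.e. unencoded.
    (ZAP's rule also inspects the injection context; this is the essential check.)"""
    query = parse_qs(urlencode({param: CANARY}))  # the request as the server parses it
    return CANARY in handler(query)

def regression_check():
    """Run the check against both handlers; suitable as a CI test for the fix."""
    return {
        "vulnerable": reflects_unescaped(vulnerable_hello, "name"),
        "fixed": reflects_unescaped(fixed_hello, "name"),
    }
```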

Conclusion
Depending solely on periodic penetration tests to secure your web application may leave you vulnerable to attacks in the interim.
You can identify and remediate vulnerabilities in real time by taking a proactive approach to security with regular scans and implementing security tools such as OWASP ZAP.
Although this article only scratches the surface of what is possible with ZAP, it provides a clear introduction to its capabilities.
Fully integrating security into the development process requires including ZAP scans as a regular part of your workflow.
In my next article, I will provide a more in-depth look at ZAP and demonstrate how to automate ZAP scans using Python, enabling you to seamlessly incorporate security checks into your build and deploy pipelines.
By adopting the right tools and approach, you can help ensure the security of your web applications and protect against potential attacks!