Introduction to security testing and Penetration testing tool ZAP

English

Services
- Digitalization consulting We offer advice on digital projects, providing solutions for business processes, technology, and implementation.
- UI / UX Design Our in-house experts design applications with beautiful UI/UX, attributing to the key success of your software projects.
- Development We excel in developing scalable software solutions with high quality standards.
- Testing/QA Success of your project hinges on its quality, and our team of quality engineers excels in both manual and automated testing.
- IT Services To ensure your software runs seamlessly 24/7, our technical team monitors and maintains a reliable infrastructure.
Solutions
- E-Commerce We build modern ecommerce shops that offer customers convenience and reliability.
- Mobile Apps Our team is specialized in Native and Hybrid app developments for your business needs.
- Business Applications We develop mission critical business applications for a wide variety of verticals.
- AI & Data Science We offer AI and Data Science services to unlock insights and drive innovation in diverse industries by harnessing the full potential of the data.
- Websites We handcraft amazing websites resulting in a solid online presence that boost your brand value.
Remote Teams
Technology
References
Company
- About PITS A snapshot about PITS, our history, values and team is always interesting to know.
- Initiatives Our digital initiatives span developing our own products, projects, and investing in startups over the years.
- Jobs PITS is a long-standing great place to work. Explore our openings and join us.
- Contact Connect with our nearby office for a face-to-face discussion about your projects over a coffee
Insights
- Case Studies Let our collection of insightful case studies guide you on the path to success.
- White paper PITS Whitepapers are carefully prepared for developers as well as for customers on specific topics.
- Blog Our blog regularly provides you with current and exciting articles on a wide variety of topics from the online world.

What is security testing?

Security testing is a non functional testing process used to determine that the data contained in an information system is secure and protected. Security testing also verifies that only authorized users can login to the system and there is no information leakage. We use a wide range of software, hardware and firewalls like metaspoilt, wireshark, w3af, netsparker, ZED attack proxy (ZAP) etc.

Why do we need security testing?

To gain customer trust
To avoid revenue impact
To avoid website downtime
To reduce cost by securing the application against future attacks

Principles of Security Testing

Authentication: The system should validate that the data used by the system is genuine.
Authorization: Specific users should only be given access to authorized functions.
Confidentiality: Data inside the systemshould be secured from theft.
Integrity: The application data is not altered in course of time.
Non-repudiation: Once data is send or received, the sender or receiver of the information cannot deny it.

Common security threats and techniques

SQL Injection: Malicious SQL statements are used to get critical information from the database by inserting them to the text fields or url. SQL injection can also grant unauthorized access.

For example: If a user gets a database error on submitting single quotes, it means that some query input is executed by the application. Ideally it should be validated and rejected by the application.

Cross site scripting(XSS): Through XSS, attackers can inject client side script into webpages and make the user to click on that link. Any HTML <html> or Script <script> should be rejected by the application.
URL Manipulation: Attackers manipulate the website URL strings to modify the GET method which pass information between client and server. Such modified requests will capture important information from the server. Under such attacks user may also get access to unauthorized pages.
Brute force attack: Using automated software (e.g. Jmeter), we can try out a large combination of username and passwords to get access to the system. A secure system should prevent repeated and frequent login attempts.

ZAP Penetration Testing

ZAP (Zed attack proxy) is an open source penetration testing tool maintained by the Open Web Application Security Project (OWASP) to know the vulnerabilities in web applications. It stands between the tester’s browser and the web application so that it can intercept and inspect messages sent between browser and web application, modify the contents if needed, and then forward those packets on to the destination.

Using ZAP, we can perform three types of automated scanning;

Passive scanning – Passive scanning spiders your web-app and scans the responses without altering them. Only potential hazards can be detected by passive scanning
Active scanning – By active scanning, we can both scan and attacks the web-application
Fuzzing – Fuzzing allows us to modify the response from the web-app and view the results instantly

How to download and run OWASP ZAP?

Download the tool from the link https://github.com/zaproxy/zaproxy/wiki/Downloads
Session Persisting: Whenever we start ZAP, we will be asked if we want to persist ZAP session. The ZAP sessions are saved to database with a name and location by default. If we do not persist the session, the session files will be automatically deleted on exiting the app.

Set up Proxy in ZAP.

Before setting up proxy in ZAP, don’t forget to clear all active sessions in Firefox browser. After clearing all sessions, go to ZAP tool >> Tools Menu >> Options >> Local Proxy. Change address to 127.0.0.1 and port as 8080.

Now, access the url of the web-application using Firefox browser and when successfully connected, there will be more lines under ‘sites’ and ‘history’ tabs.
Now the attack can be activated by right clicking the HTML folder and clicking ‘activate scan’ under ‘attack’ menu.

Run a Quick Start Test

To run a Quick Start test, Access the Quick Start tab of the Workspace Window and enter the URL in the attack text box. Then click the attack button. ZAP will proceed to crawl the web application with its spider, then passively scan each page it finds. The spider looks through all the responses for the vulnerabilities. Then ZAP will use the active scanner to attack all of the discovered pages, functionality, and parameters.

The security issues found by the ZAP are listed under the alerts tab.

We can see details of each attack and its response by selecting them. More details can be viewed by double clicking on the vulnerability.

Report Generation:

We can generate different types of reports from ZAP tools >> Reports. The most common types of reports generated are HTML report, XML report and Markdown report.

Finally, it should be clearly noted that the scanner detected vulnerabilities and its hazard levels may not correspond with the reality.

REFERENCES:

You must be logged in to post a comment.

Introduction to security testing and Penetration testing tool ZAP

Leave a Reply