Zed Attack Proxy Cookbook

Zed Attack Proxy Cookbook: Hacking tactics, techniques, and procedures for testing web applications and APIs

Ryan Soper, Nestor N Torres, Ahmed Almoailu
Paperback Mar 2023 284 pages 1st Edition
Navigating the UI

In this chapter, you are going to learn the basics of the ZAP graphical user interface (GUI). This will give you a better understanding of how to navigate the GUI and where to find the configuration settings for use later in the upcoming chapters. We have divided the GUI into four major sections for ease of explaining how to navigate and use the GUI. Each segment will describe a section of the default ZAP GUI configuration.

In this chapter, we will cover the following recipes:

  • Persisting a session
  • Menu bar
  • Toolbar
  • The tree window
  • Workspace window
  • Information window
  • Footer
  • Encode/Decode/Hash dialog
  • Fuzzing with Fuzzer

Technical requirements

For this chapter, you will need to have OWASP ZAP Proxy installed on your computer. You will also need OWASP Juice Shop running on your machine, and you will want to be able to access Juice Shop for the recipes coming up in this chapter.

Persisting a session

In this recipe, we are going to go over how to persist your ZAP Proxy session. This is useful when you are working on an assessment over multiple days, as you can close ZAP without losing any information.

Getting ready

To be able to go over this recipe, you will need to have ZAP installed on your computer.

How to do it…

Upon running the ZAP application from your host of choice, a dialog box will pop up asking whether you want to persist the ZAP session. In this dialog box, you will have multiple choices for how to persist the ZAP session and where to store those session files in a local database that can be retrieved later.

There are three options to choose from on how you wish to persist and a checkbox for remembering your choice. The following are your options:

  • Yes, I want to persist this session with name based on the current timestamp: This option saves the session file using the default filename and location.
  • Yes, I want to persist this session but I want to specify the name and location: This option allows you to rename the file and choose the location where the file will be stored.
  • No, I do not want to persist this session at this moment in time: When this option is selected, the file is not stored.
  • Remember my choice and do not ask me again: This checkbox can be checked along with any of the three preceding options to make it the default choice.

Let’s see what it looks like visually in the following screenshot:

Figure 2.1 – Persisting the sessions

From here, we’ll move on to describing the top menu bar, as well as other menus contained within it, options, and the top-level toolbar that sits under the main menu bar.

How it works…

Persisting a session will allow you to save your work and quickly come back to what’s been captured and is in progress. Basically, this is how you save your work. There may be times when testing is temporary and there is no need to persist. At other times, you may not want to persist right away, because capturing a web application will also capture out-of-scope content that doesn’t belong in the Sites tree or a Context.

Menu bar

The menu bar will help the user to understand general settings and navigate the tool to view, configure, and change settings.

Getting ready

To proceed with this recipe, you need to have ZAP installed and running.

How to do it…

The menu bar is located in the top-left corner of the ZAP application. It consists of the File, Edit, View, Analyse, Report, Tools, Import, Online, and Help menus. I will briefly explain the purpose of each menu section shown in Figure 2.2:

Figure 2.2 – The menu bar settings

How it works…

We will look at each of the menus in the following list:

  • File: This menu is for managing the ZAP session. In this menu, you can start a session, continue a session, and more.
  • Edit: This menu allows searching requests and responses, finding text, setting Forced User Mode, and managing ZAP’s mode.
  • View: This menu provides display options and a method to manage the tabs.
  • Analyse: This menu contains an option to open Scan Policy Manager, where you can add, modify, import, export, or delete a scanning policy.
  • Report: This menu provides options to generate reports, export messages and responses, export URLs, and compare the current session with a previously saved or imported session.
  • Tools: This menu contains ZAP’s tools and options.
  • Import: This menu provides options to import different types of data files to ZAP.
  • Online: This menu contains ZAP online resources, including ZAP Marketplace, ZAP Frequently Asked Questions, and ZAP Videos.
  • Help: This menu provides resources about ZAP, such as Support Info, Check for Updates, and OWASP ZAP User Guide.

There’s more…

Many more features exist, such as shortcut keys, and can be leveraged to quickly navigate OWASP ZAP. Take advantage of these features to help you work in the tool.

Tip

On a Windows system, using the Alt key will activate a shortcut to the top menu. Once triggered, each option in the menu will have the capital letter underlined, which indicates the key to use in conjunction with Alt. For example, to open File, use Alt + F. To open Help, use Alt + H, and so on. You can then use the arrow keys to move around and the spacebar or Enter to select additional suboptions. On a macOS system, using the Command key will accomplish the same thing.

Toolbar

In this recipe, we are going to go over the ZAP Proxy toolbar and what each section of the toolbar does.

Getting ready

To review this recipe, you will need to have ZAP installed on your computer, and it should be started and running.

How to do it…

Looking at the toolbar from left to right, you will see the mode pulldown, as shown in Figure 2.3, which allows you to change modes in ZAP:

  • Safe Mode will prevent you from performing any dangerous actions against a target.
  • In Protected Mode, you will be able to perform dangerous actions only against targets within the application scope.
  • Standard Mode is the mode in which you can do anything you want with no restriction from the tool.
  • The last mode we have is ATTACK Mode. In this mode, you will start scanning for vulnerabilities with any new target added to the scope.

Figure 2.3 – The mode options on the top-level toolbar

The next four icons in Figure 2.3 are options that allow you to save, modify, and edit session information from a target.

The last icon in Figure 2.3, the cogwheel, allows you, the user, to change the settings of all the sections of ZAP proxy. This can also be accessed by going to Tools then Options. We will go into more detail in the next chapters when we start changing and optimizing each section as we perform attacks.

The next set of icons you find in Figure 2.4, from the top-level toolbar going left to right, allows you to change the ZAP proxy theme to eight different built-in templates:

Figure 2.4 – The middle of the top-level toolbar

The default setting is Flat Light, but you can switch to dark mode with Flat Dark, or use any other visual setting from the drop-down list, as shown in Figure 2.5. Keep in mind, any changes to the way that ZAP proxy looks may alter the locations of other settings within the tool. For this book, we are going to use the default settings throughout:

Figure 2.5 – Choosing a theme

As we continue, the next set of icons in the toolbar allows you to view all tabs (tab and lightbulb icon), hide unpinned tabs (tab with red X icon), and show tab icons and hide tab names (tab with a green square and the letter T).

Moving on to the right, the last seven icons allow you to change the ZAP proxy window layout, and they also allow you to expand either the Sites tree window, the Information window, or the Workspace window. For this book, we will be using the default configuration that expands the Information window along the bottom half of ZAP and keeps the Workspace window:

Figure 2.6 – The window layout

In the last section of the top-level toolbar (Figure 2.7), you will see the following:

  • Settings (from left to right) that allow you to manage add-on plugins (red/blue/green blocks)
  • Check for plugin updates (lightning bolt with blue arrow)
  • Show/enable fields (lightbulb)
  • Set and customize breakpoints (green/red circle, line/arrow, right arrow, stop sign and red X)
  • Scan Policy Manager (control board)
  • Apply forced user mode (padlock)
  • Enable zest scripting (cassette tape)
  • Open the user guide (blue question mark)
  • Disable/enable the HUD (green radar)
  • Use a preconfigured browser to proxy sites (Firefox logo)
  • Report building (spiral notebook)

Each of these will be discussed in further detail in later chapters.

Figure 2.7 – The last section of the top-level toolbar

How it works…

The toolbar features the most common tools used in OWASP ZAP and is intended to help users with setting up and getting comfortable, accommodating different user preferences for testing with the tool. Spend time here getting to know and understand the options available to you.

See also

Open the Help menu and navigate to the OWASP ZAP user guide for more information.

Shortcut

Use F1 to quickly open the information guide.

The tree window

In this recipe, we are going to go over the ZAP Proxy tree window and what each section of the tree window does.

Getting ready

For you to be able to go over this recipe, you will need to have ZAP installed on your computer. It should also be started and running.

How to do it…

In the Sites tree window, ZAP displays the sites that you have accessed and that can be tested. ZAP can only attack the sites that are displayed. The Sites tree window consists of two tabs: the Sites tab and the Scripts tab (shown once the + sign is selected):

Figure 2.8 – Sites tree

The Sites tab

The Sites tab is where the sites being tested will be displayed. It contains two trees: the Contexts tree and the Sites tree.

The Sites tree is where the tested sites will be listed. ZAP can only attack the sites that are in the sites tree. A unique node will be displayed for sites based on the HTTP request method and the parameter name being used.

In the Contexts tree, you can group URLs together. The best practice is to have a context for each application being tested:

Figure 2.9 – Sites tree

There are also four options that can be used:

  • Red target: Displays only the sites that are in scope
  • Window with green plus sign: Creates a new context
  • Window with white arrow on the left: Imports context
  • Window with white arrow on the right: Exports context

The Scripts tab

Once you click on the + icon (Figure 2.10), a new menu pops open allowing you to select the Scripts tab.

Figure 2.10 – The plus icon

The Scripts tab opens a tree menu with two further tabs. The first is the Scripts tab, which shows you the scripts that you already have in ZAP, organized by the type of script. The second is the Templates tab, which contains the templates that can be used to create scripts.

Figure 2.11 – The Scripts tab

In addition to the Scripts and Templates tabs, there are three options in the Scripts tree tab:

  • File folder: Used to load scripts from the local file storage
  • Floppy disc: Used to save a script to the local file storage
  • Scroll with +: Used to create a new script

Another prominent feature of ZAP is the Workspace window. In the next recipe, we’ll look deeper into these options.

How it works…

The entire purpose of the tree window is to help testers know what web applications have been captured, in scope or out of scope, and to quickly view the varying paths discovered during enumeration phases or fuzzing directories. It’s important here to start setting your Sites into Contexts for work later so testing is specific to your scope, as well as cutting back on some of the noise that is generated with websites connecting to other resources.

Workspace window

In this recipe, we are going to go over the ZAP Proxy workspace window and what each section of the workspace window does.

Getting ready

For you to be able to go over this recipe, you will need to have ZAP installed on your computer and also should have it started and running.

How to do it…

In the workspace section of ZAP proxy, you will be able to view requests and responses as well as start scans. The numbers in the following points correspond with the labels in Figure 2.12:

  • Quick Start (1): Quick Start shows you a window that allows you to choose whether to start an automated scan or use the manual explorer
  • Request and Response tabs (2 and 3): The Request and Response tabs allow you to view the requests and responses from your site sections
  • Break (4): The Break tab allows you to modify a request or response that has been stopped by a ZAP breakpoint
  • Script Console (5): The Script Console tab opens a window that allows you to modify a newly created script
  • Automated Scan (6): The Automated Scan option allows you to start an automated scan on a target
  • Manual Explore (7): The Manual Explore option allows you to launch a browser window with a target that has all the settings set up to proxy a target through ZAP
  • Learn More (8): The Learn More option gives you details about ZAP and provides links that require the internet to get more detailed information

Figure 2.12 – The Workspace window

How it works…

This window kicks off the entire project and is the main feature presented in OWASP ZAP for testing. Unlike other machine-in-the-middle proxying tools, the assessment is captured using this window, whether automated or manual. The content gets populated from here into the information window. We’ll discuss, in the upcoming section, what information this window contains, other tabs or add-ons, and how these can be configured.

Information window

In this recipe, we are going to go over the ZAP Proxy information window and what each section of the information window does.

Getting ready

For you to be able to go over this recipe, you will need to have ZAP installed on your computer and also have it started and running.

How to do it…

The information window contains data about the application being tested. It consists of the History, Search, Alerts, and Output tabs, and other ZAP tools can be added as a tab by using the + icon. The following is a screenshot of the information window:

Figure 2.13 – The information window

The History tab

In this tab, ZAP displays all the requests that have been made, starting with the first request. This tab contains four options that can be selected, as shown in Figure 2.13:

  • Bullseye (1): The target icon, when selected, shows only the URLs that are in scope.
  • Globe icon (2): The globe icon is for Sites selection. This shows only the URLs that are contained in the Sites of the Tree Window. You can only select one or the other for Scope versus Sites.
  • Funnel icon (3): This allows you to filter requests based on HTTP method, HTTP status code, Tags, Alerts, and/or URL Regex.
  • Export with green arrow (4): This allows you to save the history in CSV format to your host directory of choice.

The Search tab

In this tab, ZAP provides a search mechanism where you can search for regular expressions across all the data or only in URLs, requests, responses, headers, or HTTP fuzz results of the data. The Search tab has eight options. Figure 2.14 showcases the Search tab:

Figure 2.14 – The information window Search tab

The icon highlighted in the following screenshot is for searching through only the URLs that are in scope (Contexts – see Figure 2.10). In order to use this feature, a URL in Sites must be added to Contexts first. Once selected, the target icon will light up red versus being grayed out:

Figure 2.15 – The Contexts button

Scrolling right, the next field that is highlighted in red is the search box input field. This is used to search for content using regular expressions:

Figure 2.16 – The search input field

Search parameters are based on specific fields and the choices are displayed in a drop-down menu. In this drop-down menu, you can select whether you would like to search, using regular expressions, all the data or just URLs, requests, responses, headers, or HTTP fuzz results:

Figure 2.17 – The Search drop-down menu

Next is the Inverse checkbox. When checked, as displayed in Figure 2.18, ZAP will then search for anything that does not contain the regular expression you are searching for:

Figure 2.18 – The Inverse checkbox

After entering your text using a regular expression, you need to click the Search button with the magnifying glass. When clicked, the search for the regular expression starts. As an alternative, you can also press the Return or Enter key, depending on your keyboard, to start the search:

Figure 2.19 – The Search button

Once the search has been completed, you can use the Next or Previous buttons to move the selection to the next or previous item in the search result:

Figure 2.20 – The Next and Previous buttons

There is also a field in the Search tab that reports the number of matches, that is, how many findings matched the searched regular expression:

Figure 2.21 – The Number of matches indicator

Last, there is an Export button. When clicked, the user will be able to export the search results and save them as a CSV file into the local file storage:

Figure 2.22 – The Export button

The Alerts tab

The Alerts tab is separated into two panes, as shown in Figure 2.23. The left-hand pane lists all the alerts or issues found by ZAP during spidering and active or passive scanning, displayed in a tree view and ranked by severity from High down to Informational. Once an alert is selected, the right-hand pane shows that alert’s details. The Alerts tab also comes with four options that can be selected.

Figure 2.23 – Alerts tab

The following, corresponding to Figure 2.23, is an explanation of these options:

  • Contexts (1): Used to show alerts from only URLs in scope.
  • Globe (2): Only select alerts from sites contained in the Sites tree window.
  • Pencil (3): Allows a user to edit the attributes of an alert.
  • Broom with color (4): Delete all alerts button. When clicked, this will display a warning to the user asking them to confirm whether this action is OK or to cancel it. Click OK to remove every alert or Cancel to go back.

The plus (+) symbol

The plus icon can be used to add additional tabs to the information window. The tabs are ZAP tools. The tabs that can be added are AJAX Spider, Active Scan, Automation, Breakpoints, Forced Browse, Fuzzer, HTTP Sessions, OAST, Output, Params, Progress, Spider, WebSockets, and Zest Results. Figure 2.24 shows all these options and a description of each follows:

Figure 2.24 – The options of the plus symbol

The following are explanations of these options:

  • AJAX Spider: This is used to efficiently and effectively crawl Ajax-based web applications. It creates a proxy for ZAP to talk to Crawljax, which is an open source event-driven dynamic crawling tool. It is recommended to use both the native Spider tool and Ajax Spider when testing an Ajax-based web application.
  • Active Scan: This has options to start new scans and see the progress of existing scans. Furthermore, it shows the data of various scans.
  • Automation: This allows you to create scripts for automated testing.
  • Breakpoints: This manages all the breakpoints set in the current session.
  • Forced Browse: In this tab, ZAP allows you to use forced browsing to find directories and files.
  • Fuzzer: In Fuzzer, there are options to start new fuzzing tests and see information about a fuzz test that has already started.
  • HTTP Sessions: In this tab, ZAP displays the HTTP sessions for the selected site.
  • OAST: In this tab, ZAP displays out-of-band messages found.
  • Output: In this tab, ZAP will display error messages found on the application. These errors can be used to report a bug to the ZAP team.
  • Params: In this tab, ZAP displays the parameters and response header fields of a site.
  • Progress: In this tab, ZAP displays the completed or in-progress scanning rules for each host and details for each scanning rule.
  • Spider: The Spider tool is ZAP’s native crawler. In this tab, ZAP displays the unique URIs discovered by the Spider tool during the scan. This tab contains three tabs. The first tab displays the URIs discovered, the second tab displays any added nodes, and the third tab displays any Spider messages.
  • WebSockets: The tab shows all messages from WebSockets connections.
  • Zest Results: This tab will display the result of Zest scans.

How it works…

The Information window is the bread and butter of outcomes from your initial spidering, active or passive scans, fuzzing, or any other add-ons used. This section is where you will want to start paying attention to forming more specific manual attacks and testing the web applications in scope.

There’s more…

There’s a lot of good information to help a tester create good written penetration testing reports by offering references to the OWASP Top 10 or other documents from vendors. This information can be found in the Alerts tab and changes when selecting a specific vulnerability.

Footer

In this recipe, we are going to go over the ZAP Proxy footer section and what each section does.

Getting ready

For you to be able to go over this recipe, you will need to have ZAP installed on your computer and you also need to have it started and running.

How to do it…

In the footer of ZAP proxy, you have three sections: Alerts, proxy status, and scan status. The Alerts section, as seen in Figure 2.25, gives you a quick view of any findings ZAP might have located on the application being tested.

Figure 2.25 – Alerts

Then, we have proxy status, which shows what IP address and port the ZAP proxy is running on:

Figure 2.26 – The Proxy information

Lastly, we have a current scan status section, which shows what scan is currently running and what ZAP proxy is doing at any point of the scan process.

Figure 2.27 – The Current Scan Activity count

How it works…

The footer helps to track quick metrics on scanning and alerting data and is a quick way to ensure your established connection hasn’t changed. Consider highlighting this data when building executive reports, if some statistics are needed for a monthly key performance indicator (KPI) report, or even to help track data for vulnerability management.

In the next couple of recipes, we’ll discuss the Encode/Decode/Hash dialog and Fuzzer. We decided to cover these because many users of another prominent proxying tool are used to working with equivalent tabs there, and ZAP exposes the same functionality in a different way. Since you will need them to carry out the attacks, we discuss them in depth next.

Encode/Decode/Hash dialog

In this recipe, we are going to go over how to perform encoding and decoding and hashing in ZAP Proxy.

Getting ready

For you to be able to go over this recipe, you will need to have ZAP installed on your computer and also have it started and running.

How to do it…

Encoding is the process of converting data from one form to another, whereas decoding reverses this conversion. ZAP comes with a built-in feature that gives its users a quick way to convert data between forms. Contained within the same dialog is a feature that creates simple hashes of that data. To get started, select Tools from the menu bar at the top, then, a little over halfway down the menu, select Encode/Decode/Hash.

Tip

For a shortcut hotkey, on a Windows system, press Ctrl + E. On a macOS system, press Command + E.

When the editor opens, the first thing to note is the input field, which you use to enter the text you wish to encode, decode, and hash, determine illegal UTF-8 bytes, or convert to Unicode. Once you enter the desired text, all the fields will automatically be converted for you.

Next, there is a toolbar that offers a few options. These are as follows:

  • Add new tab: Adds a new tab
  • Delete selected tab: Removes the currently selected tab
  • Add output panel: Adds an output panel to the current tab
  • Reset: Resets all the tabs to their default state

Figure 2.28 – The Encode/Decode/Hash dialog box

As indicated in the Script drop-down menu in the output panel in Figure 2.29, a user can add new fields for comparing data.

Figure 2.29 – The output panel

With your data encoded or hashed, we’ll move on to fuzzing and how to configure different options for optimizing your approach to web application penetration testing.

How it works…

This tool can quickly produce variants of the wordlist entries used when fuzzing applications with attack vectors such as cross-site scripting, SQL injection, and so on. The ability to quickly get a list of differently encoded values can help in bypassing poorly implemented validation or encoding in web applications.

See also

For a tool with robust operations for encoding, decoding, and hashing strings, check out CyberChef: https://gchq.github.io/CyberChef/.

Fuzzing with Fuzzer

In this recipe, we are going to go over how to use the Fuzzer in ZAP Proxy and walk through how attackers use tools such as ZAP to brute force a password or attempt to gain access via trial and error using dictionary words in hopes of logging in to an application.

Getting ready

For you to be able to go over this recipe, you will need to have ZAP installed on your computer and also have it started and running. You will also need to run Juice Shop as shown in Chapter 1.

How to do it…

For the unaware, fuzzing is a term referring to a technique/automated process that submits a multitude of invalid or unexpected data points to a target to analyze the results for potentially exploitable bugs. The idea is to fuzz any input using built-in sets of payloads, any optional add-ons, or via custom scripts. In ZAP, this can be achieved in a few ways:

  • Click the green + in the information window after the other add-ons (Alerts, Spider, and so on)
  • Right-click a request in one of the tabs (Sites, History, and so on) and select Attack / Fuzz…
  • Highlight a string in the headers or body of a request tab, right-click, and then select Fuzz…
  • Select Tools / Fuzz… in the menu bar and select the request to fuzz

Tip

The shortcut hotkey is Ctrl + Alt + F.

To get started, once you’re on the information window of the Fuzzer add-on, click New Fuzzer to bring up any currently captured sites (see Figure 2.30) and their requests that come from a Spider scan:

Figure 2.30 – The Fuzzer Select Message window

Once a request is selected, a new dialog window opens. In this window, you have several tabs to configure the fuzz. We’ll break each down in the following sections.

The Fuzz Locations tab

This is the main tab where you highlight the string of choice to begin fuzzing. To understand the windows you’re looking at, note that the top-left side of the dialog box showcases the header text, while the bottom left shows the body text. The right side of the screen shows the fuzz locations from what was added to the selected string(s) in the header. This location will be noted along with the number of payloads and processors. Furthermore, above the headers, you have a couple of dropdowns for the header and body text, as well as changing how you view the left dialog boxes, and an Edit feature. Edit allows you to modify the text within the header.

Important note

Editing the header string will automatically remove all the fuzzers you added.

To get started, highlight the specific area of the string, and click Add… on the right-hand side. This will open a new Payloads dialog box, and you will want to select Add… again to open another dialog box to select the type. The Type field has the Empty/Null, File (where you’d be adding a file from your host system directory), File Fuzzers (which consists of various payloads, that is, buffer overflow cramming, XSS exploits, directory lists, and so on), Json (for JSON inputs), Numberzz (from 0 to 10 in increments of 2), Regex (with a number of payloads), Script, and Strings options:

Figure 2.31 – Payloads | Add Payload

Another feature within Payloads is Processors, as you can see in Figure 2.32. This allows you to change and process the current payload into a different type, such as converting it into Base64-encoded format. You can add several types, then select Add… and OK. This is a way to encode, decode, and hash the fuzzing payload prior to starting the fuzzer.

In addition, processors can be applied to either a specific fuzzing payload (outlined in red) or to the entirety of the string selected (outlined in blue) shown in Figure 2.32. There’s also a counter to show how many processors have been applied:

Figure 2.32 – Processors

Once a processor type has been selected, click Add at the bottom of the dialog box, then click OK. This will add the payloads to Fuzz Locations, as seen in Figure 2.32. Once you have everything entered as desired, select Start Fuzzer in the bottom-right corner. Once fuzzing is complete, the information window will display the results:

Figure 2.33 – Add Processor

From left to right, in Figure 2.34, the results that appear in the information window will showcase the task number, message type, HTTP status (Code), a reason, such as Forbidden or Bad Request, the round trip time (RTT), the size of the response header/response body, the highest alert, the state, and the payloads used. In addition, the results can be exported to a CSV spreadsheet. Last to note is the Progress drop-down menu. This keeps track of every fuzzed string and allows you to switch between the results.

Figure 2.34 – The Fuzzer Information window

The Options tab

When starting a new fuzzer, you’ll have an Options tab (Figure 2.35). This tab lets you configure more options for the fuzzer:

Figure 2.35 – Fuzzer Options

These options are as follows:

  • Retries on IO Error: Determines how many retries the fuzzer will do when input/output errors occur.
  • Max. Errors Allowed: This will stop the fuzzer if the number of errors reaches this number.
  • Payload Replacement Strategy: Controls the order in which payloads are combined when several payload lists are fuzzed together. The two options are as follows:
    • Depth First
    • Breadth First
  • Concurrent Scanning Threads per Scan: The number of threads a scan will conduct simultaneously. Increasing this number will speed up the scan but may stress the computer that ZAP is running on or the target.
  • Delay when Fuzzing (in milliseconds): Creates a delay between requests to the target, which helps avoid being blocked or if the target has restrictions against too many requests.
  • Follow Redirects: Continues fuzzing by following the redirect returned in the response and sending the next request.

The Message Processors tab

The last tab, as shown in Figure 2.36, is the HTTP Message Processors tab, which can access and change the messages being fuzzed, control the process, and interact with the ZAP GUI:

Figure 2.36 – Fuzzer Message Processors

Here are the types of message processors to know about. Keep in mind that a few of these will not work or be available, depending on the type of response seen or whether scripts have already been created:

  • Anti-CSRF Token Refresher: Allows a refresh of anti-CSRF tokens in a request but must be detected by ZAP to be used in this processor. Automatically added if an anti-CSRF token is detected.
  • Fuzzer HTTP Processor (Script): Allows you to select enabled scripts if scripts have been added to ZAP.
  • Payload Reflection Detector: This feature will let you know if a payload was found and uses a symbol (yellow sun icon) with the word Reflected to indicate this as well. This process is automatically added.
  • Request Content-Length Updater: Updates or adds the content-length request header with the length of the body. This process is automatically added.
  • Tag Creator: Adds custom tags based on content in the response to the state column in the results.
  • User Message Processor: Fuzzes requests as a configured user. Users must already exist in ZAP to be able to select and add this processor.
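To make the processing pipeline above concrete, here is an added Python model (not ZAP’s own code) of what a fuzz run does to each payload: a chain of payload processors (Base64, URL encoding, SHA-256), a Content-Length update on the rewritten request, and reflection detection on the response. The request template, processor names and the stand-in target that echoes the `q` parameter are all constructed for this example.

```python
"""Model of one ZAP-style fuzz run: payload processors, Request
Content-Length Updater and Payload Reflection Detector. Added example;
the request, target and function names are constructed, not ZAP code."""
import base64
import hashlib
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import quote

Processor = Callable[[str], str]

# Processors mirror the encode/hash types selectable under Payloads |
# Processors; they are applied in the order they were added.
def b64_encode(payload: str) -> str:
    return base64.b64encode(payload.encode()).decode()

def url_encode(payload: str) -> str:
    return quote(payload, safe="")

def sha256_hex(payload: str) -> str:
    return hashlib.sha256(payload.encode()).hexdigest()

def apply_processors(payload: str, processors: Iterable[Processor]) -> str:
    for proc in processors:
        payload = proc(payload)
    return payload

# Constructed request; {FUZZ} marks the single fuzz location in the body.
REQUEST_TEMPLATE = (
    "POST /search HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "q={FUZZ}"
)

def build_request(template: str, payload: str) -> str:
    """Insert the payload and rewrite Content-Length to match the new body,
    as the Request Content-Length Updater processor does."""
    head, body = template.split("\r\n\r\n", 1)
    body = body.replace("{FUZZ}", payload)
    lines = [h for h in head.split("\r\n")
             if not h.lower().startswith("content-length:")]
    lines.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(lines) + "\r\n\r\n" + body

def is_reflected(payload: str, response_body: str) -> bool:
    """Payload Reflection Detector: the processed payload appears verbatim."""
    return payload in response_body

def fuzz(template: str, payloads: Iterable[str], processors: List[Processor],
         send: Callable[[str], Tuple[int, str]]) -> List[Dict]:
    """Run every payload through the processors, send it, and record the
    columns the Fuzzer information window shows (status, size, reflected)."""
    results = []
    for raw in payloads:
        processed = apply_processors(raw, processors)
        status, body = send(build_request(template, processed))
        results.append({"payload": processed, "status": status,
                        "size": len(body), "reflected": is_reflected(processed, body)})
    return results

def fake_target(request: str) -> Tuple[int, str]:
    """Constructed stand-in for the application: echoes q back into the page
    but rejects a literal <script tag with 403 Forbidden, like a naive filter."""
    body = request.split("\r\n\r\n", 1)[1]
    q = body.partition("q=")[2]
    if "<script" in q.lower():
        return 403, "Forbidden"
    return 200, f"<p>Results for {q}</p>"

if __name__ == "__main__":
    for row in fuzz(REQUEST_TEMPLATE, ["admin", "<script>alert(1)</script>"],
                    [url_encode], fake_target):
        print(row)
```

Running it with and without `url_encode` in the processor list shows the same raw payload producing a 403 in one run and a reflected 200 in the other, which is the effect the Processors dialog exists to test for.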

Congratulations! You are now armed with an in-depth understanding of all the features, layouts, tabs, trees, and options of ZAP.

How it works…

The processors are ways to add more customization to fuzzing and increase the depth and obfuscation, or help bypass those pesky web application firewalls (WAFs) for an assessment against your target.

There’s more…

Using operating systems such as Kali or Parrot will come with wordlists already installed, and for other ways to generate wordlists, utilize tools such as CeWL, which scrapes words from a targeted web application, or John the Ripper, which comes with options for customizing wordlists.

See also

Check out the GitHub pages for great sources for obtaining already-built wordlists to quickly add to ZAP when it comes to fuzzing.


Key benefits

  • Master ZAP to protect your systems from different cyber attacks
  • Learn cybersecurity best practices using this step-by-step guide packed with practical examples
  • Implement advanced testing techniques, such as XXE attacks and Java deserialization, on web applications

Description

Maintaining your cybersecurity posture in the ever-changing, fast-paced security landscape requires constant attention and advancements. This book will help you safeguard your organization using the free and open source OWASP Zed Attack Proxy (ZAP) tool, which allows you to test for vulnerabilities and exploits with the same functionality as a licensed tool. Zed Attack Proxy Cookbook contains a vast array of practical recipes to help you set up, configure, and use ZAP to protect your vital systems from various adversaries. If you're interested in cybersecurity or working as a cybersecurity professional, this book will help you master ZAP. You’ll start with an overview of ZAP and understand how to set up a basic lab environment for hands-on activities over the course of the book. As you progress, you'll go through a myriad of step-by-step recipes detailing various types of exploits and vulnerabilities in web applications, along with advanced techniques such as Java deserialization. By the end of this ZAP book, you’ll be able to install and deploy ZAP, conduct basic to advanced web application penetration attacks, use the tool for API testing, deploy an integrated BOAST server, and build ZAP into a continuous integration and continuous delivery (CI/CD) pipeline.

Who is this book for?

This book is for cybersecurity professionals, ethical hackers, application security engineers, DevSecOps engineers, students interested in web security, cybersecurity enthusiasts, and anyone from the open source cybersecurity community looking to gain expertise in ZAP. Familiarity with basic cybersecurity concepts will be helpful to get the most out of this book.

What you will learn

  • Install ZAP on different operating systems or environments
  • Explore how to crawl, passively scan, and actively scan web apps
  • Discover authentication and authorization exploits
  • Conduct client-side testing by examining business logic flaws
  • Use the BOAST server to conduct out-of-band attacks
  • Understand the integration of ZAP into the final stages of a CI/CD pipeline

Product Details

Publication date: Mar 10, 2023
Length: 284 pages
Edition: 1st
Language: English
ISBN-13: 9781801817332



Table of Contents

13 Chapters
Chapter 1: Getting Started with OWASP Zed Attack Proxy
Chapter 2: Navigating the UI
Chapter 3: Configuring, Crawling, Scanning, and Reporting
Chapter 4: Authentication and Authorization Testing
Chapter 5: Testing of Session Management
Chapter 6: Validating (Data) Inputs – Part 1
Chapter 7: Validating (Data) Inputs – Part 2
Chapter 8: Business Logic Testing
Chapter 9: Client-Side Testing
Chapter 10: Advanced Attack Techniques
Chapter 11: Advanced Adventures with ZAP
Index
Other Books You May Enjoy
