Pentesters use various tools during an audit to save time and find as many security errors as possible. Some activities can’t be done manually within a reasonable time. An example is the detection of all subpages of a website. There are paid and free tools that allow this to be done. Vulnerability scanners are also created and actively developed. They include solutions that support pentesting.
What are vulnerability scanners?
Vulnerability scanners are tools that automate the process of detecting security vulnerabilities. They include static scanners - SAST, dynamic scanners - DAST, and interactive scanners - IAST. They operate using known and popular patterns that can cause bugs, such as Cross-site scripting, SQL Injection, Command Injection, Path Traversal, and others. There are many scanners, both paid and free, and each has its own strengths and weaknesses. You can use different solutions to benchmark the tools - the most popular ones are OWASP Benchmark and WAVSEP. The results of these benchmarks can tell you a lot about the suitability of a particular tool. When choosing a scanner, I recommend reading the results of comparisons, analyzing the pros and cons of the available solutions, and making an informed choice.
I will now give you an overview of how such scanners operate, focusing on one of them: OWASP ZAP, a Dynamic Application Security Testing (DAST) tool.
What is OWASP ZAP?
ZAP (Zed Attack Proxy) is a free, open source, and multifunctional tool for testing web application security. It is simple to install and operate, which makes it one of the better choices for those new to this type of software. OWASP ZAP is available for Windows, Linux, and macOS.
Key features of the ZAP scanner
ZAP is a 'man-in-the-middle proxy'. This means it sits between the browser and the audited application: all traffic exchanged between the browser and the application passes through ZAP first, where it can be inspected.
Now, let's look at a few selected features of this tool.
Active scanning seeks out potential vulnerabilities using known attacks. It’s worth noting that Active Scan can only find certain vulnerabilities. Errors in application logic cannot be found by any active or automatic vulnerability scan. This is only possible during a manual audit.
Passive scanning is enabled by default: ZAP examines every HTTP request sent to the application and every response received from it, without modifying their content. Based on what it sees, ZAP can add tags to requests and raise alerts that point to potential errors. As with most features, passive scanning can be configured.
Spider is a crawler, a tool that allows you to discover and map all the links available in the application. The list of discovered links is later saved and can be used to discover additional information about the audited application or for further passive or active scans.
Fuzzing is a technique that involves sending a large amount of incorrect or unexpected data to the tested application. OWASP ZAP supports fuzzing: we can choose one of the built-in payload sets, download those provided by the ZAP community as add-ons, or create our own.
ZAP has add-ons that enhance its capabilities. Add-ons have full access to all features of the main program and can provide really interesting functionality. The list of add-ons is available on the Add-on Marketplace in the add-on management window.
ZAP provides an API that allows other programs to interact with it. Responses are available in JSON, HTML, and XML formats. ZAP presents a simple web page listing the API's components and their views and actions. By default, only the machine on which ZAP is running can connect to the API, but you can allow other machines to contact it in the configuration options.
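As an added example (not code from the original post or from the ZAP project), the client below drives the spider and active scan through ZAP's JSON API and then counts the resulting alerts per risk level, which is the shape of a CI job that scans a local test instance of your own application. The endpoint paths are ZAP's own; the host, port, API key and target URL are assumptions, and the transport is injectable so the logic can be exercised offline.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen


class ZapClient:
    # Minimal ZAP REST API client. Base URL and key are assumed values.
    def __init__(self, base="http://127.0.0.1:8080", api_key="CHANGE-ME", fetch=None):
        self.base, self.api_key = base, api_key
        self.fetch = fetch or self._http_get  # injectable for offline tests

    def _http_get(self, url):
        # Real transport: ZAP accepts the key in the X-ZAP-API-Key header.
        req = Request(url, headers={"X-ZAP-API-Key": self.api_key})
        with urlopen(req, timeout=30) as resp:
            return resp.read().decode()

    def call(self, component, kind, name, **params):
        # ZAP URL scheme: /<format>/<component>/<view|action>/<name>/?params
        url = f"{self.base}/JSON/{component}/{kind}/{name}/?{urlencode(params)}"
        return json.loads(self.fetch(url))

    def run_scan(self, component, target):
        # Start a spider ("spider") or active scan ("ascan") on the target and
        # block until ZAP reports 100% progress; returns the scan id.
        scan_id = self.call(component, "action", "scan", url=target, recurse="true")["scan"]
        while int(self.call(component, "view", "status", scanId=scan_id)["status"]) < 100:
            time.sleep(1)
        return scan_id

    def alerts(self, target):
        # Alerts raised by passive and active scanning for URLs under target.
        return self.call("core", "view", "alerts", baseurl=target)["alerts"]


def risk_summary(alerts):
    # Count alerts per ZAP risk level so a pipeline can fail on e.g. any High.
    counts = {"High": 0, "Medium": 0, "Low": 0, "Informational": 0}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


def audit(target, client=None):
    # Full cycle: crawl the application, attack the crawled URLs, collect findings.
    client = client or ZapClient()
    client.run_scan("spider", target)
    client.run_scan("ascan", target)
    return risk_summary(client.alerts(target))
```

Remember that this cycle only covers what the spider can reach; pages behind authentication need one of the authentication methods described below to be configured first.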
If the audited application requires authentication, ZAP can be configured to handle it. ZAP supports several authentication methods: manual authentication, form-based authentication, JSON-based authentication, HTTP/NTLM authentication, and script-based authentication.
Deeper analysis - sources of knowledge about OWASP ZAP
If you want to learn all about using ZAP, I’ve prepared a list of resources that will help you understand and master every aspect of the tool and allow you to enter the vast community gathered around it.
- User Group - Questions relating to using the scanner.
- Developer Group - Questions relating to the development of the program.
- HUD Group - Questions about ZAP Heads Up Display.
- IRC - This is where you’ll find the contact to ZAP developers on the #zaproxy channel.
- Evangelists - List of people familiar with the ZAP tool who are willing to share their opinions and knowledge about it.
- Issues - If you come across a problem, you can report it here.
- Bug Bounty Program - This is where you can report vulnerabilities.
- Contributing Guide - A guide describing how you can help develop the project.
- Source Code - ZAP source code.
- Crowdin (GUI) - Help with GUI translation.
- Crowdin (Desktop User Guide) - Help with translation of ZAP Desktop User Guide.
There are a lot of educational materials on the Zaproxy.org website. I especially recommend these:
- The ZAP Blog - News from the world of security and the program itself, and topics related to its community.
- Zap Deep Dive - A series of videos describing various functions of the program.
- ZAPCon 2021 - ZAPCon conference videos with lectures from experts on both the tool and security in general.
- ZAP in Ten - A series of short videos about ZAP.
- ADDO Authentication Workshop - Another collection of materials on ZAP, focusing on aspects related to automation and authentication.
- All in One - Index containing all official materials on ZAP.
OWASP ZAP tool – summary
Application security testing, supported by tools that automate this process, is the way to detect the largest number of errors on the audited website. Some steps are too time-consuming to be performed manually. The pentesting community has created free tools that save time. It’s worth using them. Moreover, time spent learning the program is a good investment, which then allows you to join a community of people interested in application security. ZAP is one of the most popular programs of this type. Additionally, it’s free and open source, so everyone can contribute to its development.
I use this tool, for example, when checking the security of applications in Drupal. If you need help auditing this system, get to know our Drupal support team.