Vulnerability scanning for a web application (Odoo) using Zed Attack Proxy (ZAP)

Today we are going to see how to test a web application using OWASP ZAP. It is one of the best scanners you can find on the internet, and it is an open-source project, so you can modify the application to suit your needs. One advantage of ZAP over Vega (another vulnerability scanning tool) is that you can generate a report of the testing you have done. Check out the OWASP Top 10 vulnerabilities at the following link:

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project 

In this tutorial I will be using Kali Linux, which comes with the ZAP tool pre-installed.

If you are using any other Linux operating system, the download link is below:

https://github.com/zaproxy/zaproxy/wiki/Downloads

Download the zip archive and extract it.

Now open your terminal and navigate to the folder where you extracted it.

Run the zap.sh script with the following command:

./zap.sh

In Kali Linux, search for the word "zed" and open the application.

[Screenshots: searching for ZAP in the Kali menu; ZAP opening]

Step 1: Select the configuration for your ZAP session. I am selecting the default option and clicking "Start".

[Screenshot: ZAP welcome dialog]

Step 2: Now let's generate the CA certificate so that the browser can route its requests and responses (proxy) through ZAP.

  • Go to Tools -->> Options
[Screenshot: ZAP certificate menu selection]

Step 3: Select the submenu named "Dynamic SSL Certificates" in the Options dialog.

Then click Generate to create your own SSL certificate and save the certificate on your PC.

[Screenshots: ZAP CA certificate dialog; saving the SSL certificate]

Step 4: Let's open the browser (I am using Firefox) and configure it to use ZAP.

  • Settings -->> Preferences

Type "Network proxy" in the search box, run the search, and go to Settings under the Network Proxy section.

[Screenshots: Firefox preferences search; network proxy settings]

Step 5: Select "Manual proxy configuration" and enter the following:

  • HTTP Proxy: 127.0.0.1
  • Port: 8080
  • Select and activate the "Use this proxy server for all protocols" option.
  • In "No Proxy for", delete addresses such as 127.0.0.1 and localhost if there are any (traffic to addresses listed there would bypass ZAP).
  • Save the configuration.
[Screenshot: Firefox manual proxy configuration]

Step 6: In the browser, enter the IP address of the application you want to scan.

I am running the Odoo web application, which is listening on the IP address 192.168.0.103:8069.

Now let's explore the application so that ZAP can capture its traffic. Manual exploration helps ZAP crawl the site without leaving any page behind (manual spidering).

As we explore the application, ZAP captures the requests; the visited sites appear with a flag icon under the "Sites" tree.

[Screenshots: browsing the Odoo application; ZAP capturing the explored pages]

Step 7: Now let's start the scan by right-clicking the IP address under the Sites tree.

  • Attack -->> Active Scan
[Screenshot: ZAP Attack menu]

Step 8: Select the node, or change the part of the site you want to scan. I will be scanning the entire site by selecting the IP address.

[Screenshot: ZAP scan scope selection]

You can see each request and its response code in the bottom section of the ZAP tool. The progress bar shows how far the scan has got.

Click the (+) tab and select the Alerts tab (which categorizes the vulnerabilities found in the application).

[Screenshots: ZAP active scan in progress; scan alerts]

Step 9: Once the scan completes, you can see the vulnerabilities found in the web application.

The Alerts section will help you find the vulnerabilities.

[Screenshot: ZAP scan results]

Step 10: To save the scan results, go to the Report menu at the top and select "Generate HTML Report" to produce a report for further use.

[Screenshots: ZAP Report menu; saving the report]

The report will look something like this. It holds a detailed description of each vulnerability, along with its priority and severity.
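Steps 6 to 10 above can also be driven without the GUI. The following is an added example, not code from the original post: it runs the same workflow (open the target, spider, active scan, read the Alerts, save the HTML report) through ZAP's REST API using the Python client, and assumes ZAP is already running with its API on 127.0.0.1:8080, that the API key is in the ZAP_API_KEY environment variable, that the `zaproxy` pip package is installed, and the 192.168.0.103:8069 target from the post. The summarise_alerts() helper is exercised on a constructed sample so it can be tried without a live scan.

```python
"""This post's GUI workflow (open target, spider, active scan, Alerts, HTML report)
driven through ZAP's REST API. Assumptions, not from the post: ZAP is running with
its API on 127.0.0.1:8080, the key is in ZAP_API_KEY, `pip install zaproxy` done."""
import os
import time
from collections import Counter

TARGET = "http://192.168.0.103:8069"  # the Odoo instance scanned in the post
ZAP_ADDR = "http://127.0.0.1:8080"
RISK_ORDER = ("High", "Medium", "Low", "Informational")

# Constructed sample in the shape ZAP's core/view/alerts endpoint returns
# (real entries also carry url, param, description, solution, cweid, ...).
SAMPLE_ALERTS = [
    {"risk": "Medium", "alert": "X-Frame-Options Header Not Set"},
    {"risk": "Medium", "alert": "X-Frame-Options Header Not Set"},
    {"risk": "Low", "alert": "Cookie Without Secure Flag"},
    {"risk": "Informational", "alert": "Information Disclosure - Suspicious Comments"},
]

def summarise_alerts(alerts):
    """Count alerts per risk level and list the distinct alert names at each
    level, the same grouping the Alerts tab shows (Step 9)."""
    counts = Counter(a.get("risk", "Informational") for a in alerts)
    names = {}
    for a in alerts:
        title = a.get("name") or a.get("alert") or "unnamed alert"
        names.setdefault(a.get("risk", "Informational"), set()).add(title)
    return {"counts": {r: counts.get(r, 0) for r in RISK_ORDER},
            "names": {r: sorted(names.get(r, ())) for r in RISK_ORDER}}

def run_scan(target=TARGET, poll_seconds=5):
    """Steps 6-10 of the post via the API; returns (alerts, html_report)."""
    from zapv2 import ZAPv2  # imported here so summarise_alerts() runs without ZAP
    zap = ZAPv2(apikey=os.environ["ZAP_API_KEY"],
                proxies={"http": ZAP_ADDR, "https": ZAP_ADDR})
    zap.urlopen(target)                       # seed the Sites tree (Step 6)
    sid = zap.spider.scan(target)             # crawl in place of manual browsing
    while int(zap.spider.status(sid)) < 100:
        time.sleep(poll_seconds)
    aid = zap.ascan.scan(target)              # Attack -> Active Scan (Steps 7-8)
    while int(zap.ascan.status(aid)) < 100:   # same progress the GUI bar shows
        time.sleep(poll_seconds)
    alerts = zap.core.alerts(baseurl=target)  # what the Alerts tab lists (Step 9)
    html = zap.core.htmlreport()              # Report -> Generate HTML (Step 10)
    with open("zap-report.html", "w", encoding="utf-8") as fh:
        fh.write(html)
    return alerts, html
```

Call run_scan() against your own instance and pass its first return value to summarise_alerts() to get the per-risk counts and names the Alerts tab shows.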


Thank you guys for your support.

[Screenshot: ZAP HTML report]

Posted by ashokkumar
