OWASP ZAP

In this article, we are going to take a look at OWASP ZAP tool. It is one of the most underrated tools for web-app penetration testing, which is being completely ignored due to Burp Suite’s popularity. ZAP, on its side, is a fully free and multi-functional tool with lots of features like Burp and much more.

For this time we are going to set up a small vulnerable flask app in order to train some essential ZAP skills and see how it can automatically detect vulnerabilities.

Let’s set our small lab.
Head over to pythonanywhere.com and create a flask web app with python3. Now go ahead and open up flask_app.py and replace the code with this:

from flask import Flask, request, render_template_string, render_template

app = Flask(__name__)

@app.route('/template-injection')
def hello_ssti():
	person = {'name':"world", 'secret':"password=12345a"}
	if request.args.get('name'):
		person['name'] = request.args.get('name')
	template = '''<h2>Hello %s!</h2>''' % person['name']
	return render_template_string(template, person=person)

####
# Private function if the user has local files.
###
def get_user_file(f_name):
	with open(f_name) as f:
		return f.readlines()

app.jinja_env.globals['get_user_file'] = get_user_file # Allows for use in Jinja2 templates

if __name__ == "__main__":
	app.run(debug=True)

As you can see here, we create a directory called /template-injection which takes a parameter name. It should technically return us output provided after the ?name= parameter, but due to its vulnerability towards template injection, we can actually retrieve more than that. For example, a variable secret which holds the password or even carry out a reflected XSS attack.

After saving the file and reloading the webapp, we should see a Hello World! message at {username}.pythonanywhere.com/template-injection.

Open up ZAP tool and head over to Tools -> Options -> Local Proxy
Set up your settings like so:

Now, configure your browser to run all traffic through 127.0.0.1:8080 proxy and navigate to {username}.pythonanywhere.com/template-injection once again. It should appear on the left side:

Right click-on the folder and choose ‘Spider’ in the attack tab:

You can now scroll through different links ZAP has found and see if there was anything valuable for us. Unfortunately, there isn’t anything that fits us.
Now, let’s include the name= parameter we were talking about before and do some active analysis.

{username}.pythonanywhere.com/template-injection?name=fox

From the screenshot above we can see that ZAP automatically picks up on the parameter. Now, right-click on the highlighted request and choose ‘Active Scan’ from Attack tab.

As you see on the bottom of the application, ZAP starts automatically attacking the application and checking it for possible vulnerabilities.

ZAP was able to identify reflected XSS vulnerability. It even gave us an attack payload which we can use to reproduce it. Putting <script>alert(1);</script> in the name field will produce an alert message, indicating that ZAP was absolutely right!

Various plugins and add-ons can increase ZAP’s abilities even further and make it an ultimately must-have tool for web penetration testing!