In this section, we will run through detailed instructions on installing ZAP on Windows and macOS and using the cross-platform package on both Windows and macOS. We will also cover ZAP requirements, installing Java, configuring the browser, and installing the certificate. In addition, we will cover installing and setting up Docker, setting up the testing environments, and testing to make sure everything is working as expected.

Getting ready

In order to proceed with this recipe, you need to ensure that you have administrator privileges on your laptop, desktop, or whichever environment is being used that has sufficient hard drive space and RAM for operating ZAP.

How to do it...

The first step, with any tool, is downloading the application. This requires several other applications to correctly run and use. In this recipe, you will learn the best approach for running ZAP on any common operating system and how to install Java.

Installing Java

Take the following...

In this section, you will set up the testing environment you will use in each chapter of this book. We will go through the process of setting up OWASP Juice Shop and signing up for PortSwigger Academy.

Getting ready

To prepare, we recommend using a common browser such as Google Chrome or Mozilla Firefox. In addition, ensure you have root or administrator permissions to run a terminal (Linux or macOS) or command prompt (Windows).

How to do it...

The upcoming recipes will aid you in preparing the testing/lab environment that will be used throughout the recipes used in this book. These are commonly used labs, and are easy to sign up for or install and are free to use.

OWASP Juice Shop setup

OWASP Juice Shop is an open source, insecure web application used for training and learning various types of attacks. OWASP Juice Shop includes OWASP’s top ten vulnerabilities as well as flaws found in the real world. You can find more information...

In this section, we will cover how to configure ZAP to run with your browser as well as how to set up a ZAP CA certificate to proxy HTTPS connections. Also, we are going to use the browser extension, FoxyProxy, which provides an easy way to change proxy configurations and switch between multiple proxies or disable a direct connection. ZAP proxy allows you to capture all the requests made by your browser, then modify or edit those requests to find vulnerabilities in the web app you will be testing.

Getting ready

To proceed with this recipe, you need to have a basic understanding of navigating internet settings or browser network configuration. In addition, you need to understand how to navigate the browser marketplace to install extensions.

How to do it...

FoxyProxy allows you to easily change the proxy configuration of browsers that do not have a simple setting to change proxy settings. You will need to take the following steps...

This recipe will help troubleshoot the connection to ZAP and verify that each step has been set up correctly.

Getting ready

In order to proceed with this recipe, you need to reboot your computer to ensure the installation process is complete and the tool is working properly.

How to do it...

To ensure that ZAP has been set up correctly, follow these steps:

1. On the Chrome browser, start ZAP, open the Extensions menu, and double click the Use proxy 127.0.0.1:8080 for all URLs option, as shown in the following screenshot:

Figure 1.30 – Choosing the created proxy

2. Navigate to google.com. The first time you use ZAP after setting up the proxy and installing the certificate, you will see the Welcome to the Zap HUD message and/or the options to the right and left of the browser window, as shown in the following screenshot:

Figure 1.31 – ZAP HUD

How it works...

Setting...