Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Zed Attack Proxy Cookbook
Zed Attack Proxy Cookbook

Zed Attack Proxy Cookbook: Hacking tactics, techniques, and procedures for testing web applications and APIs

Arrow left icon
Profile Icon Ryan Soper Profile Icon Nestor Torres Profile Icon Ahmed Almoailu Profile Icon Nestor N Torres
Arrow right icon
$44.99
Full star icon Full star icon Full star icon Full star icon Half star icon 4.7 (7 Ratings)
Paperback Mar 2023 284 pages 1st Edition
eBook
$9.99 $35.99
Paperback
$44.99
Subscription
Free Trial
Renews at $19.99p/m
Arrow left icon
Profile Icon Ryan Soper Profile Icon Nestor Torres Profile Icon Ahmed Almoailu Profile Icon Nestor N Torres
Arrow right icon
$44.99
Full star icon Full star icon Full star icon Full star icon Half star icon 4.7 (7 Ratings)
Paperback Mar 2023 284 pages 1st Edition
eBook
$9.99 $35.99
Paperback
$44.99
Subscription
Free Trial
Renews at $19.99p/m
eBook
$9.99 $35.99
Paperback
$44.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Table of content icon View table of contents Preview book icon Preview Book

Zed Attack Proxy Cookbook

Navigating the UI

In this chapter, you are going to learn the basics of the ZAP graphical user interface (GUI). This will give you a better understanding of how to navigate the GUI and where to find the configuration settings for use later in the upcoming chapters. We have divided the GUI into four major sections for ease of explaining how to navigate and use the GUI. Each segment will describe a section of the default ZAP GUI configuration.

In this chapter, we will cover the following recipes:

  • Persisting a session
  • Menu bar
  • Toolbar
  • The tree window
  • Workspace window
  • Information window
  • Footer
  • Encode/Decode/Hash dialog
  • Fuzzing with Fuzzer

Technical requirements

For this chapter, you will need to have OWASP ZAP Proxy installed on your computer. You will also need OWASP Juice Shop running on your machine, and you will want to be able to access Juice Shop for the recipes coming up in these chapters.

Persisting a session

In this recipe, we are going to go over how to set your ZAP Proxy session persisting. This is useful when you are working on an assessment over multiple days so you can close ZAP and you won’t lose any information.

Getting ready

To be able to go over this recipe, you will need to have ZAP installed on your computer.

How to do it…

Upon running the ZAP application from your host of choice, a dialog box will pop up asking whether you want to persist the ZAP session. In this dialog box, you will have multiple choices for how to persist the ZAP session and where to store those session files in a local database that can be retrieved later.

There are three options to choose from on how you wish to persist and a checkbox for remembering your choice. The following are your options:

  • Yes, I want to persist this session with name based on the current timestamp: This option saves the session file using the default filename and location.
  • Yes, I want to persist this session but I want to specify the name and location: This option allows you to rename the file and choose the location where the file will be stored.
  • No, I do not want to persist this session at this moment in time: When this option is selected, the file is not stored.
  • Remember my choice and do not ask me again.: This checkbox can be checked along with any of the three preceding options to make it the default choice.

Let’s see what it looks like visually in the following screenshot:

Figure 2.1 – Persisting the sessions

Figure 2.1 – Persisting the sessions

From here, we’ll move on to describing the top menu bar, as well as other menus contained within it, options, and the top-level toolbar that sits under the main menu bar.

How it works…

Persisting a session will allow you to save your work and quickly come back to what’s been captured and is in progress. Basically, this is how you save your work. There may be other times when testing is temporary and there is no need to persist. Other times, persisting may not be an option you want to do at first as capturing a web application will also start capturing out-of-scope content that isn’t saved to the Sites tree or Context.

Menu bar

The menu bar will help the user to understand general settings and navigate the tool to view, configure, and change settings.

Getting ready

To proceed with this recipe, you need to have ZAP installed and running.

How to do it…

The menu bar is located in the top-left corner of the ZAP application. It consists of the File, Edit, View, Analyse, Report, Tools, Import, Online, and Help menus. I will briefly explain the purpose of each menu section shown in Figure 2.2:

Figure 2.2 – The menu bar settings

Figure 2.2 – The menu bar settings

How it works…

We will look at each of the menus in the following list:

  • File: This menu is for managing the ZAP session. In this menu, you can start a session, continue a session, and more.
  • Edit: This menu allows searching requests and responses, finding text, setting Forced User Mode, and managing ZAP’s mode.
  • View: This menu provides display options and a method to manage the tabs.
  • Analyse: This menu contains an option to open Scan Policy Manager, where you can add, modify, import, export, or delete a scanning policy.
  • Report: This menu provides options to generate reports, export messages and responses, export URLs, and compare the current session with a previously saved or imported session.
  • Tools: This menu contains ZAP’s tools and options.
  • Import: This menu provides options to import different types of data files to ZAP.
  • Online: This menu contains ZAP online resources, including ZAP Marketplace, ZAP Frequently Asked Questions, and ZAP Videos.
  • Help: This menu provides resources about ZAP, such as Support Info, Check for Updates, and OWASP ZAP User Guide.

There’s more…

Many more features exist, such as shortcut keys, and can be leveraged to quickly navigate OWASP ZAP. Take advantage of these features to help you work in the tool.

Tip

On a Windows system, using the Alt key will activate a shortcut to the top menu. Once triggered, each option in the menu will have the capital letter underlined, which indicates the key to use in conjunction with Alt. For example, to open File, use Alt + F. To open Help, use Alt + H, and so on. You can then use the arrow keys to move around and the spacebar or Enter to select additional suboptions. On a macOS system, using the Command key will accomplish the same thing.

Toolbar

In this recipe, we are going to go over the ZAP Proxy toolbar and what each section of the toolbar does.

Getting ready

To review this recipe, you will need to have ZAP installed on your computer, and it should be started and running.

How to do it…

Looking at the toolbar from left to right, you will see the mode pulldown, as shown in Figure 2.3, which allows you to change modes in ZAP:

  • Safe Mode will prevent you from performing any dangerous actions against a target.
  • In Protected Mode, you will be able to perform dangerous actions against the application scope.
  • Standard Mode is the mode in which you can do anything you want with no restriction from the tool.
  • The last mode we have is ATTACK Mode. In this mode, you will start scanning for vulnerabilities with any new target added to the scope.
Figure 2.3 – The mode options on the top-level toolbar

Figure 2.3 – The mode options on the top-level toolbar

The next four icons in Figure 2.3 are options that allow you to save, modify, and edit session information from a target.

The last icon in Figure 2.3, the cogwheel, allows you, the user, to change the settings of all the sections of ZAP proxy. This can also be accessed by going to Tools then Options. We will go into more detail later in the next chapters when we start changing and optimizing each section as we perform attacks.

The next set of icons you find in Figure 2.4, from the top-level toolbar going left to right, allows you to change the ZAP proxy theme to eight different built-in templates:

Figure 2.4 – The middle of the top-level toolbar

Figure 2.4 – The middle of the top-level toolbar

The default setting is Flat Light, but you can switch to dark mode with Flat Dark, or use any other visual setting from the drop-down list, as shown in Figure 2.5. Keep in mind, any changes to the way that ZAP proxy looks may alter the locations of other settings within the tool. For this book, we are going to use the default settings throughout:

Figure 2.5 – Choosing a theme

Figure 2.5 – Choosing a theme

As we continue, the next set of icons in the toolbar allows you to view all tabs (tab and lightbulb icon), hide unpinned tabs (tab with red X icon), and show tab icons and hide tab names (tab with a green square and the letter T).

Moving on to the right, the last seven icons allow you to change the ZAP proxy window layout, and they also allow you to expand either the Sites tree window, the Information window, or the Workspace window. For this book, we will be using the default configuration that expands the Information window along the bottom half of ZAP and keeps the Workspace window:

Figure 2.6 – The window layout

Figure 2.6 – The window layout

In the last section of the top-level toolbar (Figure 2.7), you will see the following:

  • Settings (from left to right) that allow you to manage add-on plugins (red/blue/green blocks)
  • Check for plugin updates (lightning bolt with blue arrow)
  • Show/enable fields (lightbulb)
  • Set and customize breakpoints (green/red circle, line/arrow, right arrow, stop sign and red X)
  • Scan Policy Manager (control board)
  • Apply forced user mode (padlock)
  • Enable zest scripting (cassette tape)
  • Open the user guide (blue question mark)
  • Disable/enable the HUD (green radar)
  • Use a preconfigured browser to proxy sites (Firefox logo)
  • Report building (spiral notebook)

Each of these will be discussed in further detail in later chapters.

Figure 2.7 – The last section of the top-level toolbar

Figure 2.7 – The last section of the top-level toolbar

How it works…

The toolbar features the most common tools used in OWASP ZAP and is intended to help users with setting up and getting comfortable, accommodating different user preferences for testing with the tool. Spend time here getting to know and understand the options available to you.

See also

Open the Help menu and navigate to the OWASP ZAP user guide for more information.

Shortcut

Use F1 to quickly open the information guide.

The tree window

In this recipe, we are going to go over the ZAP Proxy tree window and what each section of the tree window does.

Getting ready

For you to be able to go over this recipe, you will need to have ZAP installed on your computer. It should also be started and running.

How to do it…

In the Sites tree window, ZAP displays the sites that you have accessed and can be tested. ZAP can only attack the sites that are displayed. The sites tree window consists of two tabs: the Sites tab and the Scripts tab (shown once the + sign is selected):

Figure 2.8 – Sites tree

Figure 2.8 – Sites tree

The Sites tab

The Sites tab is where the sites being tested will be displayed. It contains two trees: the Contexts tree and the Sites tree.

The Sites tree is where the tested sites will be listed. ZAP can only attack the sites that are in the sites tree. A unique node will be displayed for sites based on the HTTP request method and the parameter name being used.

In the Contexts tree, you can group URLs together. The best practice is to have a context for each application being tested:

Figure 2.9 – Sites tree

Figure 2.9 – Sites tree

There are also four options that can be used:

  • Red target: Displays only the sites that are in scope
  • Window with green plus sign: Creates a new context
  • Window with white arrow on the left: Imports context
  • Window with white arrow on the right: Exports context

The Scripts tab

Once you click on the + icon (Figure 2.10), a new menu pops open allowing you to select the Scripts tab.

Figure 2.10 – The plus icon

Figure 2.10 – The plus icon

The Scripts tab opens a tree menu with two other optional tabs. The first tab is the Scripts tab, which shows you the scripts that you already have in ZAP, organized by the type of script. The second tab is the Templates tab tree, which contains the templates that can be used to create scripts.

Figure 2.11 – The Scripts tab

Figure 2.11 – The Scripts tab

In addition to the Scripts and Templates tabs, there are three options in the Scripts tree tab:

  • File folder: Used to load scripts from the local file storage
  • Floppy disc: Used to save a script to the local file storage
  • Scroll with +: Used to create a new script

Another prominent feature of ZAP is the Workspace window. In the next recipe, we’ll look deeper into these options.

How it works…

The entire purpose of the tree window is to help testers know what web applications have been captured, in scope or out of scope, and to quickly view the varying paths discovered during enumeration phases or fuzzing directories. It’s important here to start setting your Sites into Contexts for work later so testing is specific to your scope, as well as cutting back on some of the noise that is generated with websites connecting to other resources.

Workspace window

In this recipe, we are going to go over the ZAP Proxy workspace window and what each section of the workspace window does.

Getting ready

For you to be able to go over this recipe, you will need to have ZAP installed on your computer and also should have it started and running.

How to do it…

In the workspace section of ZAP proxy, you will be able to view requests and responses as well as start scans. The numbers in the following points correspond with the labels in Figure 2.12:

  • Quick Start (1): Quick Start shows you a window that allows you to choose whether to start an automated scan or use the manual explorer
  • Request and Response tabs (2 and 3): The Request and Response tabs allow you to view the requests and responses from your site sections
  • Break (4): The Break tab allows you to change a request and response stop by ZAP breakpoint
  • Script Console (5): The Script Console tab opens a window that allows you to modify a newly created script
  • Automated Scan (6): The Automated Scan option allows you to start an automated scan on a target
  • Manual Explore (7): The Manual Explore option allows you to launch a browser window with a target that has all the settings set up to proxy a target through ZAP
  • Learn More (8): The Learn More option gives you details about ZAP and provides links that require the internet to get more detailed information
Figure 2.12 – The Workspace window

Figure 2.12 – The Workspace window

How it works…

This window kicks off the entire project and is the main feature presented in OWASP ZAP for testing. Unlike other machine-in-the-middle proxying tools, the assessment is captured using this window, whether automated or manually. The content gets populated from here into the information window. We’ll discuss, in the upcoming section, what information this window contains, other tabs or add-ons, and how these can be configured.

Information window

In this recipe, we are going to go over the ZAP Proxy information window and what each section of the information window does.

Getting ready

For you to be able to go over this recipe, you will need to have ZAP installed on your computer and also have it started and running.

How to do it…

The information window contains data about the application being tested. It consists of the History, Search, Alerts, and Output tabs, and other ZAP tools can be added as a tab by using the + icon. The following is a screenshot of the information window:

Figure 2.13 – The information window

Figure 2.13 – The information window

The History tab

In this tab, ZAP displays all the requests that have been made, starting with the first request. This tab contains four options that can be selected, as shown in Figure 2.13:

  • Bullseye (1): The target icon, when selected, shows only the URLs that are in scope.
  • Globe icon (2): The globe icon is for Sites selection. This shows only the URLs that are contained in the Sites of the Tree Window. You can only select one or the other for Scope versus Sites.
  • Funnel icon (3): This allows you to filter requests based on HTTP verb method, HTTP verb code, Tags, Alerts, and/or URL Regex.
  • Export with green arrow (4): This allows you to save the history in CSV format to your host directory of choice.

The Search tab

In this tab, ZAP provides a search mechanism where you can search for regular expressions across all the data or only in URLs, requests, responses, headers, or HTTP fuzz results of the data. The Search tab has eight options. Figure 2.14 showcases the Search tab:

Figure 2.14 – The information window Search tab

Figure 2.14 – The information window Search tab

The icon highlighted in the following screenshot it for searching through only the URLs that are in scope (Contexts – see Figure 2.10). In order to use this feature, a URL in Sites must be added to Contexts first. Once selected, the target icon will light up red versus being grayed out:

Figure 2.15 – The Contexts button

Figure 2.15 – The Contexts button

Scrolling right, the next field that is highlighted in red is the search box input field. This is used to search for content using regular expressions:

Figure 2.16 – The search input field

Figure 2.16 – The search input field

Search parameters are based on specific fields and the choices are displayed in a drop-down menu. In this drop-down menu, you can select whether you would like to search, using regular expressions, all the data or just URLs, requests, responses, headers, or HTTP fuzz results:

Figure 2.17 – The Search drop-down menu

Figure 2.17 – The Search drop-down menu

Next is the Inverse checkbox. When checked, as displayed in Figure 2.18, ZAP will then search for anything that does not contain the regular expression you are searching for:

Figure 2.18 – The Inverse checkbox

Figure 2.18 – The Inverse checkbox

After entering your text using a regular expression, you need to click the Search button with the magnifying glass. When clicked, the search for the regular expression starts. As an alternative, you can also press the Return or Enter key, depending on your keyboard, to start the search:

Figure 2.19 – The Search button

Figure 2.19 – The Search button

Once the search has been completed, you can use the Next or Previous buttons to move the selection to the next or previous item in the search result:

Figure 2.20 – The Next and Previous buttons

Figure 2.20 – The Next and Previous buttons

There is also a field in the Search tab that gives information about the search results. This will show the number of matches, as the name explains, for how many findings matched the searched regular expression:

Figure 2.21 – The Number of matches indicator

Figure 2.21 – The Number of matches indicator

Last, there is an Export button. When clicked, the user will be able to export the search results and save them as a CSV file into the local file storage:

Figure 2.22 – The Export button

Figure 2.22 – The Export button

The Alerts tab

The Alerts tab is separated into two panes, as shown in Figure 2.23. The left-hand pane contains the alerts found by ZAP, and once an alert is selected, the right-hand pane will then show the alert information, as seen in Figure 2.23. The left pane shows all the alerts or issues found during spidering, active or passive scan, and displays each in a tree view format. The alerts are also ranked by severity, starting with highs and moving downward to informational. The Alerts tab also comes with four options that can be selected.

Figure 2.23 – Alerts tab

Figure 2.23 – Alerts tab

The following, corresponding to Figure 2.23, is an explanation of these options:

  • Contexts (1): Used to show alerts from only URLs in scope.
  • Globe (2): Only select alerts from sites contained in the Sites tree window.
  • Pencil (3): Allows a user to edit the attributes of an alert.
  • Broom with color (4): Delete all alerts button. When clicked, this will display a warning to the user asking them to confirm whether this action is OK or to cancel it. Click OK to remove every alert or Cancel to go back.

The plus (+) symbol

The plus icon can be used to add additional tabs to the information window. The tabs are ZAP tools. The tabs that can be added are AJAX Spider, Active Scan, Automation, Breakpoints, Forced Browse, Fuzzer, HTTP Sessions, OAST, Output, Params, Progress, Spider, WebSockets, and Zest Results. Figure 2.24 shows all these options and a description of each follows:

Figure 2.24 – The options of the plug symbol

Figure 2.24 – The options of the plug symbol

The following are explanations of these options:

  • AJAX Spider: This is used to efficiently and effectively crawl Ajax-based web applications. It creates a proxy for ZAP to talk to Crawljax, which is an open source event-driven dynamic crawling tool. It is recommended to use both the native Spider tool and Ajax Spider when testing an Ajax-based web application.
  • Active Scan: This has options to start new scans and see the progress of existing scans. Furthermore, it shows the data of various scans.
  • Automation: This allows you to create scripts for automated testing.
  • Breakpoints: This manages all the breakpoints set in the current session.
  • Forced Browse: In this tab, ZAP allows you to use forced browsing to find directories and files.
  • Fuzzer: In Fuzzer, there are options to start new fuzzing tests and see information about a fuzz test that has already started.
  • HTTP Sessions: In this tab, ZAP displays the HTTP sessions for the selected site.
  • OAST: In this tab, ZAP displays out-of-band messages found.
  • Output: In this tab, ZAP will display error messages found on the application. These errors can be used to report a bug to the ZAP team.
  • Params: In this tab, ZAP displays the parameters and response header fields of a site.
  • Progress: In this tab, ZAP displays the completed or in-progress scanning rules for each host and details for each scanning rule.
  • Spider: The Spider tool is ZAP’s native crawler. In this tab, ZAP displays the unique URIs discovered by the Spider tool during the scan. This tab contains three tabs. The first tab displays the URIs discovered, the second tab displays any added nodes, and the third tab displays any Spider messages.
  • WebSockets: The tab shows all messages from WebSockets connections.
  • Zest Results: This tab will display the result of Zest scans.

How it works…

The Information window is the bread and butter of outcomes from your initial spidering, active or passive scans, fuzzing, or any other add-ons used. This section is where you will want to start paying attention to forming more specific manual attacks and testing the web applications in scope.

There’s more…

There’s a lot of good information to help a tester create good written penetration testing reports by offering references to the OWASP Top 10 or other documents from vendors. This information can be found in the Alerts tab and changes when selecting a specific vulnerability.

Footer

In this recipe, we are going to go over the ZAP Proxy footer section and what each section does.

Getting ready

For you to be able to go over this recipe, you will need to have ZAP installed on your computer and you also need to have it started and running.

How to do it…

In the footer of ZAP proxy, you have three sections: Alerts, proxy status, and scan status. The Alerts section, as seen in Figure 2.25, gives you a quick view of any findings ZAP might have located on the application being tested.

Figure 2.25 – Alerts

Figure 2.25 – Alerts

Then, we have proxy status, which shows what IP address and port the ZAP proxy is running on:

Figure 2.26 – The Proxy information

Figure 2.26 – The Proxy information

Lastly, we have a current scan status section, which shows what scan is currently running and what ZAP proxy is doing at any point of the scan process.

Figure 2.27 – The Current Scan Activity count

Figure 2.27 – The Current Scan Activity count

How it works…

The footer helps to track quick metrics on scanning and alerting data and is a quick way to ensure your established connection hasn’t changed. Consider highlighting this data when building executive reports, if some statistics are needed for a monthly key performance indicator (KPI) report, or even to help track data for vulnerability management.

In the next couple of recipes, we’ll discuss the Encode/Decode/Hash dialog and Fuzzer. We decided to go over these as many users of another prominent proxying tool are used to using these tabs, which are contained in ZAP in a different way. In order for you to carry out the attacks, we will discuss these in depth next.

Encode/Decode/Hash dialog

In this recipe, we are going to go over how to perform encoding and decoding and hashing in ZAP Proxy.

Getting ready

For you to be able to go over this recipe, you will need to have ZAP installed on your computer and also have it started and running.

How to do it…

Encoding is the process of converting data from one form to another, whereas decoding is reversing this conversion. ZAP comes built with a feature to aid its users with a quick way to convert and divert data. In addition to this process, and contained within the same setting, is a feature that creates simple hashes of that data. To get started, select from the menu bar at the top tools, then a little over halfway down, select Encode/Decode/Hash.

Tip

For a shortcut hotkey, on a Windows system, press Ctrl + E. On a macOS system, press Command + E.

When the editor opens, the first thing to note is the input field, which you use to enter the text you wish to encode, decode, and hash, determine illegal UTF-8 bytes, or convert to Unicode. Once you enter the desired text, all the fields will automatically be converted for you.

Next, there is a toolbar that offers a few options. These are as follows:

  • Add new tab: Adds a new tab
  • Delete selected tab: Removes the currently selected tab
  • Add output panel: Adds an output panel to the current tab
  • Reset: Resets all the tabs to their default state
Figure 2.28 – The Encode/Decode/Hash dialog box

Figure 2.28 – The Encode/Decode/Hash dialog box

As indicated in the Script drop-down menu in the output panel in Figure 2.29, a user can add new fields for comparing data.

Figure 2.29 – The output panel

Figure 2.29 – The output panel

With your encoded or hashed script, we’ll move on to fuzzing and how to configure different options for optimizing your approach to web application penetration testing.

How it works…

Using this tool can quickly change operational use with wordlists used in fuzzing applications with attack vectors such as cross-site scripting, SQL injection, and so on. The ability to quickly get a list of different values can help in bypassing poorly implemented validation or encoding in web applications.

See also

For a tool with robust operations for encoding, decoding, and hashing strings, check out CyberChef: https://gchq.github.io/CyberChef/.

Fuzzing with Fuzzer

In this recipe, we are going to go over how to use the Fuzzer in ZAP Proxy and walk through how attackers use tools such as ZAP to brute force a password or attempt to gain access via trial and error using dictionary words in hopes of logging in to an application.

Getting ready

For you to be able to go over this recipe, you will need to have ZAP installed on your computer and also have it started and running. You will also need to run Juice Shop as shown in Chapter 1.

How to do it…

For the unaware, fuzzing is a term referring to a technique/automated process that submits a multitude of invalid or unexpected data points to a target to analyze the results for potentially exploitable bugs. The idea is to fuzz any input using built-in sets of payloads, any optional add-ons, or via custom scripts. In ZAP, this can be achieved in a few ways:

  • Click the green + in the information window after the other add-ons (Alerts, Spider, and so on)
  • Right-click a request in one of the tabs (Sites, History, and so on) and select Attack / Fuzz…
  • Highlight a string in the headers or body of a request tab, right-click, and then select Fuzz…
  • Select Tools / Fuzz… in the menu bar and select the request to fuzz

Tip

The shortcut hotkey is Ctrl + Alt + F.

To get started, once you’re on the information window of the Fuzzer add-on, click New Fuzzer to bring up any currently captured sites (see Figure 2.30) and their requests that come from a Spider scan:

Figure 2.30 – The Fuzzer Select Message window

Figure 2.30 – The Fuzzer Select Message window

Once a request is selected, a new dialog window opens. In this window, you have several tabs to configure the fuzz. We’ll break each down in the following sections.

The Fuzz Locations tab

This is the main tab where you highlight the string of choice to begin fuzzing. To understand the windows you’re looking at, note that the top-left side of the dialog box showcases the header text, while the bottom left shows the body text. The right side of the screen shows the fuzz locations from what was added to the selected string(s) in the header. This location will be noted along with the number of payloads and processors. Furthermore, above the headers, you have a couple of dropdowns for the header and body text, as well as changing how you view the left dialog boxes, and an Edit feature. Edit allows you to modify the text within the header.

Important note

Editing the header string will automatically remove all the fuzzers you added.

To get started, highlight the specific area of the string, and click Add… on the right-hand side. This will open a new Payloads dialog box, and you will want to select Add… again to open another dialog box to select the type. The Type field has the Empty/Null, File (where you’d be adding a file from your host system directory), File Fuzzers (which consists of various payloads, that is, buffer overflow cramming, XSS exploits, director lists, and so on), Json (for JSON inputs), Numberzz (from 0 to 10 in increments of 2), Regex (with a number of payloads), Script, and Strings options:

Figure 2.31 – Payloads | Add Payload

Figure 2.31 – Payloads | Add Payload

Another feature within Payloads is Processors, as you can see in Figure 2.32. This allows you to change and process the current payload into a different type, such as converting it into Base64-encoded format. You can add several types, then select Add… and OK. This is a way to encode, decode, and hash the fuzzing payload prior to starting the fuzzer.

In addition, processors can be applied to either a specific fuzzing payload (outlined in red) or to the entirety of the string selected (outlined in blue) shown in Figure 2.32. There’s also a counter to show how many processors have been applied:

Figure 2.32 – Processors

Figure 2.32 – Processors

Once a processor type has been selected, click Add at the bottom of the dialog box, then click OK. This will add the payloads to Fuzz Locations, as seen in Figure 2.32. Once you have everything entered as desired, select Start Fuzzer in the bottom-right corner. Once fuzzing is complete, the information window will display the results:

Figure 2.33 – Add Processor

Figure 2.33 – Add Processor

From left to right, in Figure 2.34, the results that appear in the information window will showcase the task number, message type, HTTP status (Code), a reason, such as Forbidden or Bad Request, the round trip time (RTT), the size of the response header/response body, the highest alert, the state, and the payloads used. In addition, the results can be exported to a CSV spreadsheet. Last to note is the Progress drop-down menu. This keeps track of every fuzzed string and allows you to switch between the results.

Figure 2.34 – The Fuzzer Information window

Figure 2.34 – The Fuzzer Information window

The Options tab

When starting a new fuzzer, you’ll have an Options tab (Figure 2.35). This tab lets you configure more options for the fuzzer:

Figure 2.35 – Fuzzer Options

Figure 2.35 – Fuzzer Options

These options are as follows:

  • Retries on IO Error: Determines how many retries the fuzzer will do when input/output errors occur.
  • Max. Errors Allowed: This will stop the fuzzer if the number of errors reaches this number.
  • Payload Replacement Strategy: Controls the order for multiple payloads lists repeated. The two options are as follows:
    • Depth First
    • Breadth First
  • Concurrent Scanning Threads per Scan: The number of threads a scan will conduct simultaneously. Increasing this number will speed up the scan but may stress the computer that ZAP is running on or the target.
  • Delay when Fuzzing (in milliseconds): Creates a delay between requests to the target, which helps avoid being blocked or if the target has restrictions against too many requests.
  • Follow Redirects: Will continue fuzzing by following the next request.

The Message Processors tab

The last tab, as shown in Figure 2.36, is the HTTP Message Processors tab, which can access and change the messages being fuzzed, control the process, and interact with the ZAP GUI:

Figure 2.36 – Fuzzer Message Processors

Figure 2.36 – Fuzzer Message Processors

Here are the types of message processors to know about. Keep in mind, a few of these will not work or be available, depending on the type of response seen or whether scripts are already built:

  • Anti-CSRF Token Refresher: Allows a refresh of anti-CSRF tokens in a request but must be detected by ZAP to be used in this processor. Automatically added if an anti-CSRF token is detected.
  • Fuzzer HTTP Processor (Script): Allows you to select enabled scripts if scripts have been added to ZAP.
  • Payload Reflection Detector: This feature will let you know if a payload was found and uses a symbol (yellow sun icon) with the word Reflected to indicate this as well. This process is automatically added.
  • Request Content-Length Updater: Updates or adds the content-length request header with the length of the body. This process is automatically added.
  • Tag Creator: Adds custom tags based on content in the response to the state column in the results.
  • User Message Processor: Fuzz a user. Users must exist to be able to select and add this processor.

Congratulations! You are now armed with an in-depth understanding of all the features, layouts, tabs, trees, and options of ZAP.

How it works…

The processors are ways to add more customization to fuzzing and increase the depth and obfuscation, or help bypass those pesky web application firewalls (WAFs) for an assessment against your target.

There’s more…

Using operating systems such as Kali or Parrot will come with wordlists already installed, and for other ways to generate wordlists, utilize tools such as CeWL, which scrapes words from a targeted web application, or John the Ripper, which comes with options for customizing wordlists.

See also

Check out the GitHub pages for great sources for obtaining already-built wordlists to quickly add to ZAP when it comes to fuzzing.

Left arrow icon Right arrow icon
Download code icon Download Code

Key benefits

  • Master ZAP to protect your systems from different cyber attacks
  • Learn cybersecurity best practices using this step-by-step guide packed with practical examples
  • Implement advanced testing techniques, such as XXE attacks and Java deserialization, on web applications

Description

Maintaining your cybersecurity posture in the ever-changing, fast-paced security landscape requires constant attention and advancements. This book will help you safeguard your organization using the free and open source OWASP Zed Attack Proxy (ZAP) tool, which allows you to test for vulnerabilities and exploits with the same functionality as a licensed tool. Zed Attack Proxy Cookbook contains a vast array of practical recipes to help you set up, configure, and use ZAP to protect your vital systems from various adversaries. If you're interested in cybersecurity or working as a cybersecurity professional, this book will help you master ZAP. You’ll start with an overview of ZAP and understand how to set up a basic lab environment for hands-on activities over the course of the book. As you progress, you'll go through a myriad of step-by-step recipes detailing various types of exploits and vulnerabilities in web applications, along with advanced techniques such as Java deserialization. By the end of this ZAP book, you’ll be able to install and deploy ZAP, conduct basic to advanced web application penetration attacks, use the tool for API testing, deploy an integrated BOAST server, and build ZAP into a continuous integration and continuous delivery (CI/CD) pipeline.

Who is this book for?

This book is for cybersecurity professionals, ethical hackers, application security engineers, DevSecOps engineers, students interested in web security, cybersecurity enthusiasts, and anyone from the open source cybersecurity community looking to gain expertise in ZAP. Familiarity with basic cybersecurity concepts will be helpful to get the most out of this book.

What you will learn

  • Install ZAP on different operating systems or environments
  • Explore how to crawl, passively scan, and actively scan web apps
  • Discover authentication and authorization exploits
  • Conduct client-side testing by examining business logic flaws
  • Use the BOAST server to conduct out-of-band attacks
  • Understand the integration of ZAP into the final stages of a CI/CD pipeline
Estimated delivery fee Deliver to United States

Economy delivery 10 - 13 business days

Free $6.95

Premium delivery 6 - 9 business days

$21.95
(Includes tracking information)

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Mar 10, 2023
Length: 284 pages
Edition : 1st
Language : English
ISBN-13 : 9781801817332
Category :
Languages :

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Estimated delivery fee Deliver to United States

Economy delivery 10 - 13 business days

Free $6.95

Premium delivery 6 - 9 business days

$21.95
(Includes tracking information)

Product Details

Publication date : Mar 10, 2023
Length: 284 pages
Edition : 1st
Language : English
ISBN-13 : 9781801817332
Category :
Languages :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 144.97
Practical Threat Detection Engineering
$59.99
Attacking and Exploiting Modern Web Applications
$39.99
Zed Attack Proxy Cookbook
$44.99
Total $ 144.97 Stars icon
Banner background image

Table of Contents

13 Chapters
Chapter 1: Getting Started with OWASP Zed Attack Proxy Chevron down icon Chevron up icon
Chapter 2: Navigating the UI Chevron down icon Chevron up icon
Chapter 3: Configuring, Crawling, Scanning, and Reporting Chevron down icon Chevron up icon
Chapter 4: Authentication and Authorization Testing Chevron down icon Chevron up icon
Chapter 5: Testing of Session Management Chevron down icon Chevron up icon
Chapter 6: Validating (Data) Inputs – Part 1 Chevron down icon Chevron up icon
Chapter 7: Validating (Data) Inputs – Part 2 Chevron down icon Chevron up icon
Chapter 8: Business Logic Testing Chevron down icon Chevron up icon
Chapter 9: Client-Side Testing Chevron down icon Chevron up icon
Chapter 10: Advanced Attack Techniques Chevron down icon Chevron up icon
Chapter 11: Advanced Adventures with ZAP Chevron down icon Chevron up icon
Index Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.7
(7 Ratings)
5 star 71.4%
4 star 28.6%
3 star 0%
2 star 0%
1 star 0%
Filter icon Filter
Top Reviews

Filter reviews by




Yana May 25, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I recently had the opportunity to delve into the book "Zed Attack Proxy" and I must say, it's an absolute treasure trove of valuable information. The author's approach to discussing the Zap Proxy Tool is commendable, as they present the content in a clear and concise manner, making it easy for readers to follow along. The book strikes a perfect balance between theory, strategy, and practical tactics, ensuring that both penetration testers and red teamers seeking to perform web application pentesting can benefit from its insights.One of the standout aspects of this book is the author's ability to convey complex ideas in an accessible manner. Despite the highly informative content, the book remains engaging throughout, catering to both seasoned professionals and beginners in the field. Regardless of your level of expertise, you'll find the content easy to understand and apply.Furthermore, the book's emphasis on balancing theory and strategy with practical approaches is truly noteworthy. The tactical approaches discussed in the book are highly valuable for professionals looking to enhance their offensive and defensive security capabilities. The author's expertise shines through, offering readers a wealth of knowledge and techniques to explore.In conclusion, "Zed Attack Proxy" is a remarkable resource for anyone interested in Proxy Tools or cybersecurity. It's filled with tons of good information, presented in a well-structured and accessible format. Whether you are a pentester or red teamer, this book will serve as an essential reference and guide. I highly recommend it to anyone seeking to gain a deeper understanding of Proxy Tools and their implications for the future of cybersecurity.
Amazon Verified review Amazon
Jake Woodhams May 24, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book does a great job at explaining the capabilities of ZAP in-depth while also providing instructions which are easy to follow and friendly to beginners.The book acts as a learning platform by teaching the reader how to perform common tests which can be applied to all web app security testing. This is accomplished by teaching the user how to apply ZAP to web application training resources such as JuiceShop and Portswigger Academy. On the other hand, the book contains detailed instructions on how to operate ZAP and use it more effectively, making it a great resource for both experience and inexperienced testers.If you are looking to begin your journey into web application security testing or want to learn how to use ZAP more effectively, this book is for you.
Amazon Verified review Amazon
Brandon Lachterman May 30, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I am a security professional who uses these tools all the time, and I have to say I consider this one of the finer titles ive experienced. The chapters are concise, simple to understand for beginners, and has plenty for advanced users as well, which is rare to have the best of both worlds.ZAP is such an underrated tool in my opinion, and really gives you a major advantage in your security testing and research. It also is free, which is a huge plus for those just starting out in the field. I find it to be a relief that there is a guide this well written out there, and ill definitely be using this as the teaching guide for all I work with.TL:DR If you are looking to do security research or testing, please check out this fantastic guide on ZAP.
Amazon Verified review Amazon
Joseph M. Rivera May 16, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book was a fantastic overview of OWASP ZAP. The use of well-known and easily-accessible labs makes it easy for a novice to jump in and learn more about the tool. This provides a good alternative to the Portswigger Academy walkthroughs, most of which, understandably, focus on Burp Suite for solutions. Unlike Burp Suite, however, ZAP is free, open-source, and highly extensible.If you are new to Application Security: This book will provide you with a solid foundation of some basics for with an open-source tool with which you can practice at your own pace. After reading this book, following the labs, and reading the authors' thoughts and reflections, you should be well situated for web-based CTF challenges.If you are new to ZAP only: This book will provide a no-nonsense approach to ZAP's basic functionality and where to find further functionalities. It provides a quick way to transition to a free and open-source app, as opposed to a paid one. This knowledge will help you to further develop your skillset and your craft. After reading this, you should be well-equipped to jump right into ZAP's extensions: using, modifying, and writing your own.Highly recommended.
Amazon Verified review Amazon
Ariel Ferdinand Jun 08, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book is written with such an amazing flow, it provides the knowledge you need to begin and then continually builds on that throughout the chapters. Having not used ZAP in many years, it helped as a refresher for me, but also provided advanced level information that truly makes the authors of the book best in class. The topics that are covered are those that you will see in the security industry on a daily basis.Whether you are starting out with ZAP for the first time or you are a veteran, these pages can provide you with exactly what you are looking for. I am glad to have a copy handy whenever I may need it.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is the delivery time and cost of print book? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela
What is custom duty/charge? Chevron down icon Chevron up icon

Customs duty are charges levied on goods when they cross international borders. It is a tax that is imposed on imported goods. These duties are charged by special authorities and bodies created by local governments and are meant to protect local industries, economies, and businesses.

Do I have to pay customs charges for the print book order? Chevron down icon Chevron up icon

The orders shipped to the countries that are listed under EU27 will not bear custom charges. They are paid by Packt as part of the order.

List of EU27 countries: www.gov.uk/eu-eea:

A custom duty or localized taxes may be applicable on the shipment and would be charged by the recipient country outside of the EU27 which should be paid by the customer and these duties are not included in the shipping charges been charged on the order.

How do I know my custom duty charges? Chevron down icon Chevron up icon

The amount of duty payable varies greatly depending on the imported goods, the country of origin and several other factors like the total invoice amount or dimensions like weight, and other such criteria applicable in your country.

For example:

  • If you live in Mexico, and the declared value of your ordered items is over $ 50, for you to receive a package, you will have to pay additional import tax of 19% which will be $ 9.50 to the courier service.
  • Whereas if you live in Turkey, and the declared value of your ordered items is over € 22, for you to receive a package, you will have to pay additional import tax of 18% which will be € 3.96 to the courier service.
How can I cancel my order? Chevron down icon Chevron up icon

Cancellation Policy for Published Printed Books:

You can cancel any order within 1 hour of placing the order. Simply contact customercare@packt.com with your order details or payment transaction id. If your order has already started the shipment process, we will do our best to stop it. However, if it is already on the way to you then when you receive it, you can contact us at customercare@packt.com using the returns and refund process.

Please understand that Packt Publishing cannot provide refunds or cancel any order except for the cases described in our Return Policy (i.e. Packt Publishing agrees to replace your printed book because it arrives damaged or material defect in book), Packt Publishing will not accept returns.

What is your returns and refunds policy? Chevron down icon Chevron up icon

Return Policy:

We want you to be happy with your purchase from Packtpub.com. We will not hassle you with returning print books to us. If the print book you receive from us is incorrect, damaged, doesn't work or is unacceptably late, please contact Customer Relations Team on customercare@packt.com with the order number and issue details as explained below:

  1. If you ordered (eBook, Video or Print Book) incorrectly or accidentally, please contact Customer Relations Team on customercare@packt.com within one hour of placing the order and we will replace/refund you the item cost.
  2. Sadly, if your eBook or Video file is faulty or a fault occurs during the eBook or Video being made available to you, i.e. during download then you should contact Customer Relations Team within 14 days of purchase on customercare@packt.com who will be able to resolve this issue for you.
  3. You will have a choice of replacement or refund of the problem items.(damaged, defective or incorrect)
  4. Once Customer Care Team confirms that you will be refunded, you should receive the refund within 10 to 12 working days.
  5. If you are only requesting a refund of one book from a multiple order, then we will refund you the appropriate single item.
  6. Where the items were shipped under a free shipping offer, there will be no shipping costs to refund.

On the off chance your printed book arrives damaged, with book material defect, contact our Customer Relation Team on customercare@packt.com within 14 days of receipt of the book with appropriate evidence of damage and we will work with you to secure a replacement copy, if necessary. Please note that each printed book you order from us is individually made by Packt's professional book-printing partner which is on a print-on-demand basis.

What tax is charged? Chevron down icon Chevron up icon

Currently, no tax is charged on the purchase of any print book (subject to change based on the laws and regulations). A localized VAT fee is charged only to our European and UK customers on eBooks, Video and subscriptions that they buy. GST is charged to Indian customers for eBooks and video purchases.

What payment methods can I use? Chevron down icon Chevron up icon

You can pay with the following card types:

  1. Visa Debit
  2. Visa Credit
  3. MasterCard
  4. PayPal
What is the delivery time and cost of print books? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela