Time: 9 minutes
Difficulty: Intermediate

Video Transcription

00:06
Hello and welcome to another episode of Breaking Stuff with Robert.
00:11
Today we're going over OWASP ZAP. Now, I'm going to give you a high-level overview of some of the functions within OWASP ZAP and some of its capabilities, and give you a quick demo of how it can be used and how quickly you can get started with scanning your web applications. Some good things about ZAP
00:30
are, you know, that it does some automated scanning and passive scanning with respect to how it works. Now, what that means is that if you want to actively use some attack types against the site, you can do so. You always want to make sure that you have permission to do so,
00:45
and then passive scanning for this particular
00:49
application is interesting in that by default it scans all HTTP messages, meaning that it doesn't change requests. It doesn't respond in any way. So if you're generally just browsing through a site, or looking at a site, it is going to collect that data, evaluate it,
01:04
and in the background provide you with some contextual information if it finds those responses to be particularly vulnerable to something.
01:12
Now, targeted audiences for this tool: system administrators wanting to test web pages for vulnerabilities, web application developers looking to test their applications for vulnerabilities, and penetration testers looking to identify weaknesses in web applications.
01:27
This tool is great if you're just getting started with security testing, or if you're an advanced penetration tester, web application developer, whatever the case may be; it has a place
01:38
in that life cycle with you.
01:41
Now, while not a requirement to view this information, fundamental knowledge of web application attacks would be beneficial, and fundamental knowledge of web application attack terminology. So attack types and terminology. There again, we're not going to get into the nitty-gritty of every term and tab, et cetera,
01:59
so, you know, it would be good to understand at a high level what we're looking at and what we're doing.
02:04
So with that in mind, let's go ahead and jump into our demo.
02:09
All right, everybody, welcome. So before we get started, full disclosure here: I updated OWASP ZAP to the current version 2.8 because it's got some functions and features that I kind of like, and when I had to reinstall to the current rolling distribution of Kali,
02:30
it actually runs 2.7, which doesn't have some of these functions.
02:34
So I actually went to the OWASP site and downloaded the installer for this
02:39
and ran it, and actually, even through the terminal, I have to actually go in and start this up. But that's just kind of full disclosure here. So if you see something that's different from what you're looking at, that's the reason why.
02:53
So the reason I wanted to do that is, one, when you first get started, it makes OWASP ZAP a lot easier to jump into. So again, this is a web application vulnerability scanner and pen testing tool. Whether you're a beginner or, you know, you're an advanced penetration tester,
03:08
this tool just has a number of things with respect to passive and active scanning, as well as other functions such as WebSockets and some fuzzing-
03:16
type functions that it can do as well. But that's just scratching the surface. Again, this is a high-level overview of the tool, so we're not going to get super deep,
03:24
but I do want to show you around. Now, as a part of this demonstration, I did set up this little website here using Metasploitable. Again, since this has some active scanning capabilities, you just want to make sure that if you're going to use the tool on someone's site that you have their permission to do so.
03:44
So let's jump in. We're gonna do an automated scan,
03:46
and I'm just gonna copy and paste my URL information in here.
03:52
We'll take that off the end
03:53
and then we'll just tell it to attack.
03:57
Now,
03:58
if you're like me, I can be a little scattered when it comes to all the different things that it puts up here. But looking from left to right, History gives you some information on, like, the sequence of events and the things you've looked at. There you can search it. It gives you the alerts, so the yellow flags are low, orange flags are medium,
04:16
and then it's got red flags, which are high.
04:19
Output, spidering activity as it crawls through and tries to find information here,
04:26
and then Active Scan. Now, this finished pretty quickly. You know, depending on the site and what you're doing, it can take a lot longer to go through this process. But as you can see, it does some path traversal, remote file inclusion. It looks at things like SQL injection,
04:42
external redirect, buffer overflow. So it's hitting on all of those high points with respect to vulnerabilities we want to find on websites,
04:48
and, you know, the common ones that are associated with websites. Now,
04:53
the reason I wanted to do the update was to show you this function. When you right-click a link, you can actually go to Open URL. Now, there's a number of other options here, but you can open the URL in Firefox.
05:08
Now,
05:09
this helps me to focus and kind of wrap my brain around what I'm looking at and what I'm doing. So I like this interface. I just continue to the target here, because it takes the components that you were looking at in OWASP ZAP,
05:23
and it gives you the site, so you can see exactly what it is that it's referencing with respect to the page. So you've got page alerts that are specific to the page: again, low, medium, high. And then site alerts, which are across the site: low, medium, high. The other thing that I like about this is that you've got this Show/Enable.
05:42
So if there were fields on this that maybe were hidden, or enable fields that you can manipulate or have input to put into,
05:48
this would allow you to do so.
05:51
Now, you can see the history down here at the bottom, so it shows you everything that it did, and you can go back
05:58
and actually see
06:00
what OWASP ZAP was doing with respect to the request it made to this particular URL and then the response that it got.
06:11
Okay, so you can do that for any given area here as well. So if I go to page alerts,
06:15
it breaks it down by that low, medium, high for the page,
06:18
and then it gives us this "X-Frame was not set." And then we can go into the actual link
06:24
and it pulls up a description of the information: what it is, why it has the risk scores that it has. It provides some reference IDs and information, and then a solution. So, you know, this makes it a lot cleaner to navigate OWASP ZAP. I still am a fan of the, you know, the traditional panel here,
06:42
and, you know, you can find everything I'm looking at here within that, but it's just, for me, it's a lot cleaner to be able to see it in this format.
06:49
The other thing that I like here is you can hit that plus sign down on the bottom and do this Show HTML Report, which provides this button,
06:58
And then you could produce
07:00
the actual report for the scan. So if you needed to, you know, if you're like me, I like being able to do my research at the computer, kind of get everything I need. But then I might generate a PDF report or something like that. And then I like to read it and flip through it.
07:15
Maybe, you know, go sit somewhere else and just wrap my brain around what's going on within the report and what next steps I could take from there. But it does that. And then you can do
07:25
a print to PDF on this and then have it as a reference for evidence or a report elsewhere as well.
07:30
But again, for, like, site alerts, we've got low, and so this breaks everything down.
07:35
Within that, you could go into each of these different areas,
07:40
and it gives you the reference link,
07:43
and additional information in the description,
07:46
as well as some parameters, et cetera. Now, the other thing that you can do here is that if this were out of scope and you didn't want certain things to happen there, you can see automatically it has it as such: you can add it to scope, and that allows you to take advantage of some additional functions and features,
08:01
or if it needs to be out of scope, you can remove it from that so that you don't accidentally do anything you shouldn't be doing.
08:07
Now, I know that that's not very deep, and there's a lot of additional information that this has. But this is an excellent starting point with respect to this tool, and you could easily, without knowing anything about it, now jump in, do a scan of a site that you own,
08:24
and then start to look through the information for vulnerabilities that it flags and additional information that it provides.
08:30
So with that in mind, let's go ahead and jump back over to our slides.
08:35
Well, I hope you enjoyed that high-level overview of OWASP ZAP. In this video, we primarily focused on the automated and passive scanning capabilities and that neat GUI interface that we can lay over the site to kind of view the alerts and site-related activities as they come up. We didn't touch too heavily on the fuzzer capabilities, forced browsing,
08:54
WebSockets, and things of that nature that are also a part of OWASP ZAP. Again, this tool is very extensive and has some
09:01
unique capabilities that you can customize and shape to fit your needs and use cases. So I encourage you to do additional research on the tool and find some ways that it can fit maybe into your practice or your day-to-day operations. Well, with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.

OWASP ZAP Tool (BSWR)

The OWASP ZAP (Zed Attack Proxy) is a Java-based penetration testing tool for web applications that helps in finding vulnerabilities.

This tool offers fuzzing, scripting, spidering, and proxying functionality. ZAP is extensible (additional plugins can be added) and offers a headless (daemon) mode and a REST API for automation.
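The headless mode and API mentioned above, as an added example that is not code from the video or from the ZAP project. It drives the same spider and active scan the demo runs from the GUI, then triages the returned alerts the way the Alerts panel does (grouped by low/medium/high, filtered to the URLs you put in scope). Assumptions not taken from the page: a ZAP daemon listening on 127.0.0.1:8080 with an API key (the `CHANGE_ME` value is a placeholder), ZAP's `/JSON/<component>/<view|action>/<name>/` endpoint scheme, and the alert records in `SAMPLE_ALERTS`, which are constructed sample data in the shape `core/view/alerts` returns, not output from a real scan.

```python
"""Headless OWASP ZAP: spider + active scan over the REST API, then triage the alerts.

Added example for this page, not code from the video or from the ZAP project.
Assumptions (not from the page): ZAP runs as a daemon on 127.0.0.1:8080 with an
API key, e.g.  zap.sh -daemon -port 8080 -config api.key=CHANGE_ME
Endpoint paths follow ZAP's /JSON/<component>/<view|action>/<name>/ scheme.
"""
import json
import sys
import time
import urllib.parse
import urllib.request

ZAP_API = "http://127.0.0.1:8080"  # assumed local ZAP daemon
API_KEY = "CHANGE_ME"              # placeholder; use the key the daemon was started with

# ZAP's risk levels, highest first; matches the red/orange/yellow flags in the UI.
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}


def zap_call(component, kind, name, **params):
    """GET /JSON/<component>/<kind>/<name>/?... and return the decoded JSON body."""
    params["apikey"] = API_KEY
    url = f"{ZAP_API}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def wait_for(component, scan_id, poll_seconds=2.0):
    """Poll the spider/ascan 'status' view (a percentage string) until it reports 100."""
    while int(zap_call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll_seconds)


def run_scan(target):
    """Spider, then actively scan `target`; return ZAP's raw alert records for it."""
    zap_call("core", "action", "accessUrl", url=target)  # seed the site tree
    wait_for("spider", zap_call("spider", "action", "scan", url=target)["scan"])
    wait_for("ascan", zap_call("ascan", "action", "scan", url=target)["scan"])
    return zap_call("core", "view", "alerts", baseurl=target)["alerts"]


def group_alerts(alerts, scope_prefixes=None):
    """Collapse per-URL alert records into (risk, name, count, urls) rows, High first.

    `scope_prefixes` mirrors ZAP's include-in-scope: records whose URL is not under
    one of the prefixes are dropped, so a host that drifted into the site tree
    cannot fail the run.
    """
    groups = {}
    for a in alerts:
        if scope_prefixes and not any(a["url"].startswith(p) for p in scope_prefixes):
            continue
        groups.setdefault((a["risk"], a["alert"]), []).append(a["url"])
    rows = [(risk, name, len(urls), sorted(set(urls)))
            for (risk, name), urls in groups.items()]
    rows.sort(key=lambda r: (RISK_ORDER.get(r[0], len(RISK_ORDER)), r[1]))
    return rows


def should_fail(alerts, threshold="Medium", scope_prefixes=None):
    """Gate for a CI run: True if any in-scope alert is at or above `threshold`."""
    limit = RISK_ORDER[threshold]
    return any(RISK_ORDER.get(row[0], len(RISK_ORDER)) <= limit
               for row in group_alerts(alerts, scope_prefixes))


# Constructed sample records in the shape core/view/alerts returns (only the
# fields used here); target.example and other.example are placeholder hosts.
SAMPLE_ALERTS = [
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "url": "http://target.example/", "param": ""},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "url": "http://target.example/login.php", "param": ""},
    {"alert": "Path Traversal", "risk": "High",
     "url": "http://target.example/index.php?page=home", "param": "page"},
    {"alert": "Cookie No HttpOnly Flag", "risk": "Low",
     "url": "http://target.example/login.php", "param": "PHPSESSID"},
    {"alert": "Path Traversal", "risk": "High",  # a different host: out of scope
     "url": "http://other.example/view?f=a", "param": "f"},
]


def main(argv):
    # With a URL argument, run against the live ZAP daemon; otherwise triage the sample.
    scope = [argv[1]] if len(argv) > 1 else ["http://target.example/"]
    alerts = run_scan(argv[1]) if len(argv) > 1 else SAMPLE_ALERTS
    for risk, name, count, urls in group_alerts(alerts, scope):
        print(f"{risk:<8} {count:>3}x  {name}  ({len(urls)} URL(s))")
    return 1 if should_fail(alerts, "Medium", scope) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the grouping on the sample data; pass the URL of a site you own to scan it through the daemon instead. The exit code from `should_fail` is what makes the headless mode useful in a pipeline: a build can stop on any medium-or-higher finding, while the scope filter keeps findings on hosts outside the tested application from tripping it.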

Instructed By

Robert Smith
Director of Security Services at Corsica
Instructor