National Cyber Warfare Foundation (NCWF)

Web App Hacking: OWASP-ZAP Introduction


2025-08-01 14:50:37
milo
Red Team (CNA)

The post Web App Hacking: OWASP-ZAP Introduction first appeared on Hackers Arise.



Welcome back, aspiring hackers!





Web apps are often the best vector to an organization’s server/database, an entry point to their entire internal network. By definition, the web app is designed to take an input from the user and send that input back to the server or database. In this way, the attacker can send their malicious input back to the servers and network if the web app is not properly secured.





OWASP ZAP is a free, open-source web application security scanner designed to find security vulnerabilities in web applications. It functions as an intercepting proxy, sitting between your browser and the web application being tested, allowing you to intercept, inspect, and modify HTTP/HTTPS traffic in real-time.





In this tutorial, we will take a look at this powerful and versatile tool.





Step 1: Fire Up Kali





Let’s begin in the usual way, by firing up Kali. In this tutorial, I will be using Kali 2025.2. Earlier versions of Kali shipped with OWASP ZAP preinstalled, but the current release does not. We can easily install it via APT from the Kali repository:





kali> sudo apt install zaproxy -y









Step 2: Start OWASP ZAP





If you want to start OWASP ZAP from the command line, you can simply type:





kali> zaproxy





You will first be greeted by a screen like below. After choosing whether to save the ZAP session, click Start.









At the very top, we have a toolbar. I want to point out a few important elements:






  1. Mode Selection – Allows you to switch between different operating modes in ZAP:
    • Safe Mode: No potentially harmful actions (like scanning or attacking) are allowed. Ideal for passive analysis.
    • Protected Mode: Scanning and attacking are allowed, but only for targets you’ve explicitly marked as in-scope.
    • Standard Mode: Full functionality is enabled with no restrictions.
    • Attack Mode: ZAP actively scans new targets as you browse. Useful for automated exploration and testing.

  2. Options – Provides access to configuration settings for ZAP’s tools, interface, scanning behavior, and more.

  3. Add-ons – Lets you manage and install additional components or plugins to extend ZAP’s functionality.

  4. Site Tree – Displays a hierarchical view of the application as it’s explored or scanned, showing all discovered pages and endpoints.

  5. Tabs (Alerts, History, etc.) – Present detailed information:
    • Alerts: Security findings from passive and active scans.
    • History: A log of all HTTP requests and responses.
    • Other tabs may include Breakpoints, Scripts, and more, depending on your setup.

  6. Request/Response Window – Lets you inspect, modify, resend, or intercept HTTP requests and responses.









Step 3: Weaponize OWASP ZAP





I suggest that when you’re starting out with ZAP, you install some useful add-ons to enhance its capabilities. Click on Add-ons in the toolbar, then switch to the Marketplace tab. After checking for updates, you can find and install the following useful add-ons:






  • Technology Detection – Helps identify technologies used by the target application (e.g., frameworks, servers, libraries).

  • Advanced SQL Injection Scanner – Enhances ZAP’s ability to detect complex SQL injection vulnerabilities (similar to SQLmap).

  • Python Scripting – Enables the use of Python scripts for custom scanning, processing, or automation.

  • SAML Support – Adds functionality for working with SAML-based authentication mechanisms.









Step 4: Install the Proxy into Browser





To make using the proxy easier, I’ll install a browser extension called Proxy SwitchyOmega.










With this extension, we can create a dedicated profile for ZAP by setting the proxy server to localhost and the port to 8080.









After that, we’ll be able to forward traffic through ZAP to target websites simply by clicking on the extension and selecting the ZAP profile. However, when we try to open a website for the first time, we’ll encounter an SSL error. This happens because ZAP uses its own certificate to intercept HTTPS traffic.





To resolve this, we need to install ZAP’s SSL certificate in the browser.









We need to open Options in ZAP and download the certificate, as shown in the screenshot below.









After that, we need to open the browser settings and import the certificate.









If everything is set up correctly, the website will open without an SSL error.









Step 6: Using OWASP ZAP





Let’s say our target is the website vesti.ru. When we open it in the browser, ZAP will display many entries—including various CDNs and third-party domains. To keep our testing environment clean and focused, it’s recommended to add the target website to a context. This helps filter out unrelated traffic that isn’t useful for our current testing.









A context is a way to configure settings specifically for the target website. Within a context, we can define exclusions, choose technologies, and manage authentication and access control.
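The scope rule a context applies, and the way the Step 2 modes consult it, as an added Python example (not code from the Hackers Arise post or from ZAP itself): a URL is in scope when it fully matches an Include-in-Context regex and no Exclude regex, and in Protected Mode only in-scope URLs may be actively scanned. The history entries, the CDN and tracker host names and the /admin/ exclusion are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of what the History tab fills up with after browsing the
# target next to its CDNs and trackers (the non-vesti.ru hosts are made up).
HISTORY = [
    "https://www.vesti.ru/",
    "https://www.vesti.ru/article/12345",
    "https://www.vesti.ru/admin/login",
    "https://static.example-cdn.net/js/app.min.js",
    "https://analytics.example-tracker.com/collect?id=1",
    "http://www.vesti.ru/search?q=test",
]

@dataclass
class Context:
    """In scope = fully matches an Include regex and no Exclude regex
    (ZAP matches its context regexes against the whole URL)."""
    name: str
    include: list = field(default_factory=list)
    exclude: list = field(default_factory=list)

    def in_scope(self, url: str) -> bool:
        if not any(re.fullmatch(p, url) for p in self.include):
            return False
        return not any(re.fullmatch(p, url) for p in self.exclude)

def partition_history(ctx: Context, history):
    """Split History entries into in-scope URLs and third-party noise."""
    in_scope = [u for u in history if ctx.in_scope(u)]
    noise = [u for u in history if not ctx.in_scope(u)]
    return in_scope, noise

def active_scan_allowed(mode: str, ctx: Context, url: str) -> bool:
    """The toolbar modes from Step 2, applied to a single URL."""
    mode = mode.lower()
    if mode == "safe":
        return False              # passive analysis only, no attacks at all
    if mode == "protected":
        return ctx.in_scope(url)  # only targets explicitly in a context
    if mode in ("standard", "attack"):
        return True               # no scope restriction
    raise ValueError(f"unknown ZAP mode: {mode!r}")

# Include the target under either scheme with an optional www. prefix; the
# /admin/ exclusion is a hypothetical area kept out of automated scanning.
VESTI_CONTEXT = Context("vesti", include=[r"https?://(www\.)?vesti\.ru/.*"],
                        exclude=[r"https?://(www\.)?vesti\.ru/admin/.*"])
```

Running `partition_history(VESTI_CONTEXT, HISTORY)` separates the three vesti.ru pages from the CDN, tracker and excluded admin entries, which is the filtering the Sites tree and Spider get once the context is in place.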





Now, using the context, we can run the Spider to gather the pages that the website presents.









Now, in the Sites tree, we can see much more information. We have a significantly broader testing surface. Additionally, in the Alerts tab, we can review the issues identified by passive scanning.









Next, if we find a valuable request that we want to manipulate, we can open it in the request editor by right-clicking on it and selecting Open/Resend with Request Editor.













Conclusion





OWASP-ZAP is an open-source web app security testing tool that bridges the gap between automated scanning and manual exploitation. Unlike commercial tools that cost thousands, ZAP gives you enterprise-grade functionality without the licensing headaches.





In future tutorials, we will further explore the capabilities of this powerful web app testing application, so keep coming back, tenderfoot hackers!








Source: HackersArise
Source Link: https://hackers-arise.com/web-app-hacking-owasp-zap-introduction/

