Day 17: OWASP ZAP – A Tool for Testing Web Applications Vulnerabilities

Open Web Application Security Project Zed Attack Proxy is also known as OWASP ZAP. It is an automation-capable open-source penetration testing tool. ZAP is flexible and adaptable and was created primarily for testing web applications.

OWASP ZAP interface

OWASP ZAP can be an excellent option for you if you’re a white-hat hacker or IT security student. Although it is free, it still requires IT security expertise to be used effectively. It is intended for users with a range of security experience:

  • Developers
  • Technical Testers
  • Security professionals
  • Newcomers to penetration testing

In addition to a suite of tools that let you locate security flaws manually, ZAP offers automatic scanners.

NB: Java 8+ is needed to run ZAP successfully.

Why OWASP ZAP? That is a GOOD question! Burp Suite is what the majority of the infosec community uses, but Burp Suite lacks a few advantages and features that OWASP ZAP offers.

How ZAP works

Benefits of using OWASP ZAP

It is open source and costs nothing. There is no paid edition, no paywall-protected content, and no proprietary code. Additionally, there are a few feature advantages to choosing OWASP ZAP over Burp Suite:

Automated Web Application Scan: This automatically builds a site map of the web application, scans it both passively and actively, and reports the vulnerabilities it finds. Burp charges for this feature.

Web spidering: This technique lets you build a map of a website automatically, without clicking through it by hand. Burp charges for this feature.
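The automated scan and web spidering features above can also be driven without the desktop UI, through ZAP's JSON REST API. The script below is an added example, not code from the ZAP project or from this post: it spiders a target you are authorised to test, runs the active scanner over what the spider found, and then summarises the alerts by risk level. It assumes a ZAP daemon on localhost:8080 and an API key; the `API_KEY` value, the target URL and the `SAMPLE_ALERTS` list are constructed placeholders, and `fake_fetch` is a hypothetical offline transport so the flow can be exercised without a running ZAP.

```python
"""Spider and actively scan a target through the OWASP ZAP REST API.

Added example; it assumes a ZAP daemon listening on localhost:8080 whose API
key is known (Options > API in the desktop UI, or -config api.key=... when
starting zap.sh), and that you are authorised to scan the target.
"""
import json
import time
import urllib.parse
import urllib.request
from collections import Counter

ZAP_BASE = "http://localhost:8080"  # assumption: local ZAP daemon
API_KEY = "CHANGE-ME"               # placeholder, replace with your own key


def api_url(component, kind, name, apikey=API_KEY, base=ZAP_BASE, **params):
    """Build a ZAP API URL of the form /JSON/<component>/<action|view>/<name>/?..."""
    query = dict(params)
    query["apikey"] = apikey
    return f"{base}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(query)


def http_get_json(url):
    """Default transport: GET the URL and decode ZAP's JSON reply."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def wait_until_complete(status_fn, poll_seconds):
    """Poll a status view until ZAP reports 100 (percent complete)."""
    while int(status_fn()) < 100:
        time.sleep(poll_seconds)


def summarise_alerts(alerts):
    """Count alerts by ZAP risk level (High / Medium / Low / Informational)."""
    return dict(Counter(a.get("risk", "Unknown") for a in alerts))


def scan_target(target, fetch=http_get_json, poll_seconds=2.0):
    """Spider the target, active-scan it, and return alert counts by risk."""
    # 1. Spider: crawls the site and builds the site map (the "Web spidering" feature).
    spider_id = fetch(api_url("spider", "action", "scan", url=target))["scan"]
    wait_until_complete(
        lambda: fetch(api_url("spider", "view", "status", scanId=spider_id))["status"],
        poll_seconds)
    # 2. Active scan: sends test payloads to every URL the spider discovered.
    ascan_id = fetch(api_url("ascan", "action", "scan", url=target))["scan"]
    wait_until_complete(
        lambda: fetch(api_url("ascan", "view", "status", scanId=ascan_id))["status"],
        poll_seconds)
    # 3. Alerts: passive and active findings ZAP recorded for the target.
    alerts = fetch(api_url("core", "view", "alerts", baseurl=target))["alerts"]
    return summarise_alerts(alerts)


# Constructed sample of what core/view/alerts returns; not real scan output.
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High"},
    {"alert": "Missing Anti-clickjacking Header", "risk": "Medium"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low"},
    {"alert": "Cookie Without Secure Flag", "risk": "Low"},
]


def fake_fetch(url):
    """Hypothetical offline transport that answers like a ZAP daemon would."""
    if "/JSON/spider/action/scan/" in url:
        return {"scan": "1"}
    if "/JSON/spider/view/status/" in url:
        return {"status": "100"}
    if "/JSON/ascan/action/scan/" in url:
        return {"scan": "2"}
    if "/JSON/ascan/view/status/" in url:
        return {"status": "100"}
    if "/JSON/core/view/alerts/" in url:
        return {"alerts": SAMPLE_ALERTS}
    raise ValueError("unexpected ZAP API call: " + url)


if __name__ == "__main__":
    # Dry run against the fake transport; swap in http_get_json for a real ZAP.
    print(scan_target("http://example.test/", fetch=fake_fetch, poll_seconds=0))
```

Running it as-is exercises the spider, active-scan and alerts calls against `fake_fetch`; pointing `scan_target` at `http_get_json` sends the same sequence to a real ZAP instance. Keep the active scan restricted to systems you own or have written permission to test, since it sends attack payloads to every URL the spider found.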

Unthrottled Intruder: Within ZAP, you can brute force login pages as quickly as your computer and the web server can handle. Burp charges for this feature.

Burp offers various features and extensions that ZAP lacks, such as the ability to conduct login timing attacks. 

Download and install ZAP from the official website via this link.

Now to a popular question I have been asked: which name in Burp Suite corresponds to which name in ZAP? Check out the different names in the comprehensive image provided by TryHackMe.

References
  1. https://www.zaproxy.org/docs/desktop/ui/
  2. https://www.zaproxy.org/getting-started/

TryHackMe has a nice room to help you get more out of this tool. I hope this overview of the Zed Attack Proxy (ZAP) was interesting.

This will be all for the Day 17 post. Catch you in the next post 😉