A quick tutorial for OWASP ZAP tool for beginners

OWASP's ZAP is a security tool and uses a proxy based approach to do its job. And because of this, the first thing we need to setup is proxy LAN settings.


Please download OWASP ZAP and then fire it up. Once it is up and running, togo Tools->Options->Local Proxy.

Once we have this setup, we proceed to configure your browser's proxy settings.


Fire up chrome, got to Advance settings -> Change proxy settings .. -> LAN Settings and under Proxy server, please change "Address" to localhost and port to "8080".

Now you're ready to go login to your website and start running scanning. What is happening that any traffic that pass through your browser get analyzed. The advantage of this approach is that, you don't have to setup username/password or oAuth token and a bunch of security stuff.

Of course, you can choose and easier approach (but don't have much use case in general) which is to use "Quick start" feature. All you need to do is, enter a valid url and press "atack" button.

Attack terminology

1. Spider - allows you to discover external links in current url / page. (ZAP Ajax spider is defaulted to Firefox, if you run your scan over chrome, you probably get some alerts.

2. Fuzzing - tried to inject custom data to a GET / PUT / POST request to crash the system.

3. X-Content-Type-Options Header Missing - this prevent your browser from initiating MIME sniffing. This prevent them from manipulated into downloading some MIME content which can make your site vulnerable.

4. Incomplete or No Cache-control and Pragma HTTP Header Set - You did not turn off caching on  your site properly. You probably get heaps of these messages. The proper way to turn this off can be found here.

5. Cookie without a secure flag - usage of unsecured cookie and might expose content of your cookie. This is relatively easy to solve.

6. Cookie No HttpOnly Flag - This means you need to set "HttpOnly" flag for your cookie to prevent javascript manipulation to your cookie.