
A quick tutorial for OWASP ZAP tool for beginners

OWASP ZAP is a web application security testing tool that works as an intercepting proxy: it sits between your browser and the application, records every request and response, analyses them, and lets you modify or replay them. Because of this, the first thing to set up is the proxy configuration, on the ZAP side and on the browser side.

Download OWASP ZAP and start it. Once it is up and running, go to Tools -> Options -> Local Proxy and note the address and port ZAP is listening on (by default localhost, port 8080).

With that confirmed, configure your browser to send its traffic through ZAP.

Start Chrome and go to Settings -> Advanced -> Change proxy settings... -> LAN Settings (on Windows this opens the system proxy dialog, which Chrome shares with the operating system). Under "Proxy server", set "Address" to localhost and "Port" to 8080, matching the values ZAP showed. To intercept HTTPS traffic as well, the browser must also trust ZAP's root CA certificate: export it from Tools -> Options -> Dynamic SSL Certificates and import it into the browser or OS certificate store. Without this step every HTTPS site will show a certificate warning and ZAP cannot see the decrypted traffic.

Now log in to your website in the browser and use it as a normal user would. Everything that passes through the proxy is recorded in ZAP's Sites tree and History, and ZAP's passive scan rules analyse each response as it goes by, without sending any extra requests of their own. The advantage of this approach is that ZAP sees the session exactly as the browser established it: you do not have to configure usernames and passwords, OAuth tokens or other authentication details in the tool, because the browser already handled them. Once the authenticated pages have been recorded, you can launch an active scan against them from the Sites tree.

There is also an easier approach, the "Quick Start" tab, which has fewer real use cases because it never goes through your browser session and therefore only reaches the unauthenticated, public part of a site. All you need to do is enter a valid URL and press the "Attack" button; ZAP then spiders the site and actively scans what it found. Only do this against applications you own or are explicitly authorised to test, since an active scan sends a large number of intrusive requests.

Attack terminology

1. Spider - crawls the target starting from the current URL, following the links it finds to discover further pages and parameters that are in scope. The AJAX spider drives a real browser and is set to Firefox by default; if you ran your session through Chrome and expect it to do the same, or Firefox is not installed, it will report errors when it starts, so change the browser in its options first.

2. Fuzzing - submits many crafted values into a chosen part of a GET, PUT or POST request (a parameter, header or cookie) and compares the responses, looking for error messages, injection behaviour or other unexpected results. Crashing the application is one possible outcome, not the goal.

3. X-Content-Type-Options Header Missing - the response did not include the header "X-Content-Type-Options: nosniff". Without it, browsers may MIME-sniff the body and interpret it as a different type than the Content-Type header declares, for example rendering a user-uploaded "image" or text file as HTML or script. Add the header with the value nosniff to every response.

4. Incomplete or No Cache-control and Pragma HTTP Header Set - you did not turn off caching on your site properly, so browsers and intermediary caches may store pages that carry sensitive data. You will probably get heaps of these messages, one per response. ZAP's recommended fix is to send "Cache-Control: no-cache, no-store, must-revalidate" together with "Pragma: no-cache" (the HTTP/1.0 equivalent) on pages with sensitive content; static assets such as images and scripts can legitimately stay cacheable. The proper way to turn this off can be found here.

5. Cookie Without Secure Flag - a cookie was set without the Secure attribute, so the browser will also send it over plain HTTP, where anyone on the network path can read it and hijack the session. This is relatively easy to solve: add Secure to every Set-Cookie header on a site served over HTTPS.

6. Cookie No HttpOnly Flag - a cookie was set without the HttpOnly attribute, so page scripts can read it through document.cookie. Set HttpOnly on session cookies so that a cross-site scripting bug cannot simply exfiltrate the session identifier.
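The last four alerts above are passive checks: ZAP only reads each response and reports what is missing. The following added example (not part of the original post and not ZAP's own code) implements the same four checks in plain Python over two constructed responses, one as a typical unhardened application sends it and one with the fixes applied, so the exact header values each alert asks for are visible side by side. The acceptance criteria (nosniff, the three Cache-Control directives plus Pragma: no-cache, and the Secure and HttpOnly attributes) follow the alert descriptions above; the cookie name and responses are invented for the example.

```python
"""Passive checks for the four header/cookie alerts described above.

Added example, not part of the original post or of ZAP. The two responses
below are constructed samples, not captured from any real site.
"""
from __future__ import annotations

# Directives ZAP's alert text asks for in Cache-Control (assumption: we treat
# all three as required, mirroring the alert description above).
CACHE_REQUIRED = {"no-cache", "no-store", "must-revalidate"}


def parse_response(raw: str) -> tuple[int, list[tuple[str, str]]]:
    """Split a raw HTTP/1.1 response into (status code, [(name, value), ...]).

    Header names are lower-cased; repeated headers (Set-Cookie) are kept as
    separate entries so every cookie is inspected on its own.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def header_values(headers: list[tuple[str, str]], name: str) -> list[str]:
    """All values of a header, matched case-insensitively."""
    return [v for n, v in headers if n == name.lower()]


def passive_scan(raw: str) -> list[str]:
    """Return the alert names a ZAP-style passive scan would raise."""
    _status, headers = parse_response(raw)
    findings = []

    # 3. Only the exact value "nosniff" stops the browser from MIME-sniffing.
    xcto = header_values(headers, "X-Content-Type-Options")
    if not xcto or xcto[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options Header Missing")

    # 4. Cache-Control needs all required directives and Pragma: no-cache
    #    must be present as the HTTP/1.0 fallback.
    cache_control = header_values(headers, "Cache-Control")
    directives = {d.strip().lower() for v in cache_control for d in v.split(",")}
    pragma = [v.lower() for v in header_values(headers, "Pragma")]
    if not CACHE_REQUIRED <= directives or "no-cache" not in pragma:
        findings.append("Incomplete or No Cache-control and Pragma HTTP Header Set")

    # 5./6. Attribute names in Set-Cookie are case-insensitive (RFC 6265).
    for cookie in header_values(headers, "Set-Cookie"):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"Cookie Without Secure Flag: {cookie_name}")
        if "httponly" not in attrs:
            findings.append(f"Cookie No HttpOnly Flag: {cookie_name}")
    return findings


# Constructed sample: what many applications send out of the box.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same response with all four alerts fixed.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Cache-Control: no-cache, no-store, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, passive_scan(response) or ["no findings"])
```

Running the script prints four findings for the weak response and none for the hardened one. The hardened Set-Cookie line is the form to aim for on any HTTPS site; the cache headers belong on pages that carry user data, while static assets can keep their normal caching.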

