How to Use OWASP ZAP

OWASP ZAP is an open-source web application security scanner.

Automated Scan


Intercept Request

  1. Right-click on the URL.
  2. Select “Break…”.
  3. The “Add Breakpoint” window will appear.


Manual Request

OWASP ZAP can resend a request after you manually edit its headers or body, much like Burp Suite’s Repeater.

  1. Right-click on the URL.
  2. Select “Open/Resend with Request Editor…”.


Brute Force Directories

  1. Right-click on the URL.
  2. Select “Attack” → “Forced Browse Site”.
  3. The Forced Browse tab appears at the bottom of the panel; open it.
  4. Select the wordlist in the “List” field.
  5. Click “Start Forced Browse”.


Brute Force Credentials

  1. Right-click on the URL.
  2. Select “Attack” → “Fuzz…”.
  3. The Fuzzer window will open.
  4. Highlight the target value (e.g. username, password, etc.).
  5. Add a wordlist from local files.
  6. Click “Start Fuzzer”.


ZAP Extensions