Owasp zap kali linux install

Packages and Binaries:

The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.

Installed size: 272.18 MB
How to install: sudo apt install zaproxy

owasp-zap
root@kali:~# owasp-zap -h
Found Java version 17.0.6
Available memory: 14912 MB
Using JVM args: -Xmx3728m
Usage: zap.sh [Options]

Core options:
  -version          Reports the ZAP version
  -cmd              Run inline (exits when command line options complete)
  -daemon           Starts ZAP in daemon mode, i.e. without a UI
  -config           Overrides the specified key=value pair in the configuration file
  -configfile       Overrides the key=value pairs with those in the specified properties file
  -dir              Uses the specified directory instead of the default one
  -installdir       Overrides the code that detects where ZAP has been installed with the specified directory
  -h                Shows all of the command line options available, including those added by add-ons
  -help             The same as -h
  -newsession       Creates a new session at the given location
  -session          Opens the given session after starting ZAP
  -lowmem           Use the database instead of memory as much as possible - this is still experimental
  -experimentaldb   Use the experimental generic database code, which is not surprisingly also still experimental
  -nostdout         Disables the default logging through standard output
  -silent           Ensures ZAP does not make any unsolicited requests, including check for updates

Add-on options:
  -openapifile      Imports an OpenAPI definition from the specified file name
  -openapiurl       Imports an OpenAPI definition from the specified URL
  -openapitargeturl The Target URL, to override the server URL present in the OpenAPI definition. Refer to the help for supported format.
  -autorun          Run the automation jobs specified in the file
  -autogenmin       Generate template automation file with the key parameters
  -autogenmax       Generate template automation file with all parameters
  -autogenconf      Generate template automation file using the current configuration
  -certload         Loads the Root CA certificate from the specified file name
  -certpubdump      Dumps the Root CA public certificate into the specified file name, this is suitable for importing into browsers
  -certfulldump     Dumps the Root CA full certificate (including the private key) into the specified file name, this is suitable for importing into ZAP
  -host             Overrides the host used for proxying specified in the configuration file
  -port             Overrides the port used for proxying specified in the configuration file
  -script           Run the specified script from commandline or load in GUI
  -hud              Launches a browser configured to proxy through ZAP with the HUD enabled, for use in daemon mode
  -hudurl           Launches a browser as per the -hud option with the specified URL
  -hudbrowser       Launches a browser as per the -hud option with the specified browser, supported options: Chrome, Firefox by default Firefox
  -quickurl         The URL to attack, e.g. http://www.example.com
  -quickout         The file to write the HTML/JSON/MD/XML results to (based on the file extension)
  -quickprogress:   Display progress bars while scanning
  -addoninstall     Installs the add-on with specified ID from the ZAP Marketplace
  -addoninstallall  Install all available add-ons from the ZAP Marketplace
  -addonuninstall   Uninstalls the Add-on with specified ID
  -addonupdate      Update all changed add-ons from the ZAP Marketplace
  -addonlist        List all of the installed add-ons
  -graphqlfile      Imports a GraphQL Schema from a File
  -graphqlurl       Imports a GraphQL Schema from a URL
  -graphqlendurl    Sets the Endpoint URL
  -notel            Turns off telemetry calls
zaproxy
root@kali:~# zaproxy -h
Found Java version 17.0.6
Available memory: 14912 MB
Using JVM args: -Xmx3728m
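The -h output above lists the options needed to drive ZAP without the GUI. The following is an added example (not from the Kali package page or the ZAP project) that composes a headless quick scan from the options shown there (-cmd, -silent, -notel, -quickurl, -quickout, -config) and refuses to build the command when the target host is not on an explicit scope list, which is the command-line counterpart of the "Protected mode" and context steps in the GUI walkthrough further down. The scope entries, the hostname "juiceshop", the report file name and the `api.disablekey` override (a real ZAP config key used only to show the -config form) are assumptions for the example.

```python
"""Headless ZAP quick scan composed from the documented command-line options.

Added example, not code from the Kali page or the ZAP project. Scope list,
"juiceshop" hostname and report file name are assumptions for illustration.
"""
import shutil
import subprocess
from pathlib import Path
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlparse

# Formats -quickout can write, selected by the file extension (per its help text).
QUICKOUT_FORMATS = {".html", ".json", ".md", ".xml"}


def in_scope(target_url: str, scope_hosts: Iterable[str]) -> bool:
    """True only when the URL is http(s) and its host is one we deliberately listed.

    ZAP's protected mode refuses to attack anything outside the context;
    this performs the same check before ZAP is even started.
    """
    parsed = urlparse(target_url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    return parsed.hostname.lower() in {h.lower() for h in scope_hosts}


def build_quick_scan_cmd(target_url: str, report_path: str,
                         scope_hosts: Iterable[str],
                         extra_config: Optional[Dict[str, str]] = None,
                         binary: str = "zaproxy") -> List[str]:
    """Return the argv for an inline (-cmd) quick scan that writes a report.

    Raises ValueError instead of building a command for an out-of-scope
    target or for an output format -quickout cannot produce.
    """
    if not in_scope(target_url, scope_hosts):
        raise ValueError(f"refusing to scan out-of-scope target {target_url}")
    suffix = Path(report_path).suffix.lower()
    if suffix not in QUICKOUT_FORMATS:
        raise ValueError(f"-quickout cannot write {suffix!r}; use one of {sorted(QUICKOUT_FORMATS)}")
    cmd = [
        binary,
        "-cmd",       # run inline and exit when the options complete (no GUI, no daemon)
        "-silent",    # no unsolicited requests such as update checks from a lab box
        "-notel",     # no telemetry calls
        "-quickurl", target_url,
        "-quickout", report_path,
    ]
    for key, value in (extra_config or {}).items():
        cmd += ["-config", f"{key}={value}"]  # one key=value override per -config
    return cmd


def run_quick_scan(cmd: List[str], timeout_s: int = 3600) -> Optional[int]:
    """Run the scan when the ZAP binary is installed and return its exit code.

    Returns None when the binary is not on PATH (e.g. outside Kali), so the
    composed command can still be inspected without a ZAP install.
    """
    if shutil.which(cmd[0]) is None:
        return None
    completed = subprocess.run(cmd, timeout=timeout_s, check=False)
    return completed.returncode


if __name__ == "__main__":
    # Assumed lab target: the Juice Shop VM from the walkthrough, reachable
    # as "juiceshop" through an /etc/hosts entry.
    scope = {"juiceshop", "192.168.33.10"}
    argv = build_quick_scan_cmd("http://juiceshop", "zap-juiceshop.xml", scope,
                                extra_config={"api.disablekey": "true"})
    print(" ".join(argv))
    rc = run_quick_scan(argv)
    print("zaproxy not installed" if rc is None else f"zaproxy exited with {rc}")
```

The scope check is deliberately done on the hostname only: a redirect or a link discovered during the scan to another host is still ZAP's job to keep out of scope, which is why the GUI steps below also put the site into a context.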

Source


Solution


Next, launch the target application.
This time, I used OWASP Juice Shop with Vagrant, and the IP “192.168.33.10” was assigned to it.

root@kali:~# git clone https://github.com/bkimminich/juice-shop.git
root@kali:~# cd juice-shop/vagrant/
root@kali:~/juice-shop/vagrant# vagrant up

After that, give OWASP Juice Shop a specific hostname.
This time, add the following line to “/etc/hosts”.

2. Other setup


At first, open the ZAP GUI console.


Go to “Tools” -> “Options” -> “Local Proxies”.
By default, ZAP listens on “http://localhost:8080”.
We then have to configure the web browser to use a proxy on port 8080.


Then, change the mode to “Protected mode” so that no unintended attack is launched against other sites.
If we select “Protected mode”, we have to specify the target URL.


The web browser we use should be Firefox because it does not have any XSS protection.
However, this time, Google Chrome was used.


If the configuration is correct, the target URL appears in the “Sites” section.
This means we can now go to the next step.


Since we’re using protected mode, we have to include the site in a “context”.
Right-click the site, then go to “Include in Context”.
This time we don’t have any context yet, so click “New Context” and this window appears.
Click “OK”.


After that, we can see that some entries are added to the site.

3. Active scanning

Now we have a target machine.
Start the attack by right-clicking “http://juiceshop” -> “Attack” -> “Active Scan”.
On the “Active Scan” tab we can confirm that tons of HTTP requests are being sent.



After it finishes, we can find the security alerts on the “Alerts” tab.

4. Saving the session


We can save the current session data by going to “Snapshot Session As…”.

5. Generate a report


We can create a report of each test as an HTML or XML file.
Go to “Report” -> “Generate HTML Report…”.
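The XML variant of that report (from “Generate XML Report…” or from a -quickout file with an .xml extension) is the one worth keeping for automation. Below is an added example, not code from the original post or from the ZAP project, that parses such a report, counts alerts per risk level and returns a non-zero status when any alert at or above a chosen risk is present, which is how the scan result would be used as a gate in a build pipeline. The element names follow ZAP's traditional XML report layout (OWASPZAPReport / site / alerts / alertitem with riskcode, alert, cweid and instances/instance/uri); the sample document in the block is constructed for this example, not captured from a real scan, and its plugin ids are illustrative.

```python
"""Summarise a ZAP XML report and decide whether the scan passes a risk gate.

Added example, not from the original post or the ZAP project. SAMPLE_REPORT is
constructed for illustration; element names follow ZAP's traditional XML report.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

# ZAP riskcode values: 0 informational, 1 low, 2 medium, 3 high
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample (two alerts against the Juice Shop host from the walkthrough).
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.12.0" generated="Sat, 1 Jan 2023 10:00:00">
  <site name="http://juiceshop" host="juiceshop" port="80" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>40012</pluginid>
        <alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <cweid>79</cweid>
        <instances>
          <instance><uri>http://juiceshop/#/search?q=x</uri><method>GET</method></instance>
        </instances>
      </alertitem>
      <alertitem>
        <pluginid>10021</pluginid>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <cweid>693</cweid>
        <instances>
          <instance><uri>http://juiceshop/</uri><method>GET</method></instance>
          <instance><uri>http://juiceshop/main.js</uri><method>GET</method></instance>
        </instances>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def parse_alerts(xml_text: str) -> List[Dict]:
    """Flatten every alertitem in every site into a dict per alert."""
    root = ET.fromstring(xml_text)
    alerts = []
    for site in root.iter("site"):
        for item in site.iter("alertitem"):
            alerts.append({
                "site": site.get("name", ""),
                "name": item.findtext("alert", default=""),
                "risk": int(item.findtext("riskcode", default="0")),
                "cwe": item.findtext("cweid", default=""),
                "uris": [i.findtext("uri", default="") for i in item.iter("instance")],
            })
    return alerts


def summarize(alerts: List[Dict]) -> Counter:
    """Count alerts per human-readable risk level."""
    return Counter(RISK_NAMES.get(a["risk"], "Unknown") for a in alerts)


def gate(alerts: List[Dict], fail_at: int = 3) -> int:
    """Exit status for a pipeline: 1 if any alert has riskcode >= fail_at, else 0."""
    return 1 if any(a["risk"] >= fail_at for a in alerts) else 0


if __name__ == "__main__":
    import sys
    # Pass a real report path as argv[1]; without one the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = parse_alerts(text)
    for level, n in sorted(summarize(found).items()):
        print(f"{level:14s} {n}")
    for a in found:
        print(f"[{RISK_NAMES.get(a['risk'], '?')}] {a['name']} (CWE-{a['cwe']}) x{len(a['uris'])}")
    sys.exit(gate(found))
```

Run it with the path to a saved report to get a per-risk summary and an exit status; lowering `fail_at` to 2 makes Medium findings fail the gate as well.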

6. Next task

This time, I could not find some of the vulnerabilities that OWASP Juice Shop has.
Next time, try to focus on each vulnerability and, by customizing the scan policies, achieve this purpose.

Source

Step-by-step – OWASP ZAP Kali Installation Guide

Welcome! This tutorial shows you step by step how to install and get started with OWASP ZAP on the Kali GNU/Linux desktop.

OWASP Zed Attack Proxy for Kali is one of the world’s most popular free security tools and is actively maintained by a dedicated international team of volunteers.

Finally, this guide includes detailed instructions on getting started with OWASP ZAP on Kali.


1. Launching Terminal


2. Installing Java


Source
