Vulnerability Management / Web Testing with OWASP ZAP

September 22, 2023

In this Antisyphon “Intro security” lab, I will be setting up a simple Python web server and a vulnerable web server called DVWA. These are designed from the ground up to teach people like me about a number of web application attacks.

I will then use a free tool called OWASP ZAP to automatically look for some vulnerabilities on these web servers.

The first thing I am going to do is open an Ubuntu command prompt, because I am going to use Ubuntu to generate the web server in Python:

I am going to use the “ifconfig” command, as I will need my Linux IP address later on when scanning for vulnerabilities:

Now I am going to cd into the intro labs directory and start the “Damn Small Vulnerable Web app”, which is a very small web server riddled with vulnerabilities.

Now, let’s start ZAP and do a quick test of the Python web server:

First, select Automated Scan.

Now, I need to actually connect to the “Damn Vulnerable Web App”, so I am going to connect to my Linux IP address on port 65412 and run a full scan against it. I then select “Use traditional spider” and then “Attack”. Now it’s going to start attacking the Damn Vulnerable Web App:

The first thing it does is spider the website to identify all the different URLs. Once that process is done, it starts attacking the web server. While the scan is running it fills in the alerts it identifies on that web server. When it has finished scanning, I can select Alerts:

We can see that several vulnerabilities with different levels of severity were identified (cross-site scripting, SQL injection, buffer overflow, etc.). The next step would be to analyse the Alerts tab and fix these vulnerabilities on the web server.
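Working through the Alerts tab is easier once the findings are grouped by risk. The following is an added example, not code from the original post or from ZAP itself: a small script that reads the JSON report ZAP can export after a scan like this one and orders the alerts from High to Informational, so the most severe findings are fixed first. The report structure (site, alerts, riskcode, instances) is assumed to follow the shape of ZAP's JSON export, and the sample report embedded below is constructed for the example.

```python
"""Triage a ZAP JSON report by risk level (added example, not from the original post)."""
import json
from collections import defaultdict

# Constructed sample in the shape of a ZAP JSON report; the host, URIs and
# findings are made up for this example and are not real scan output.
SAMPLE_REPORT = json.dumps({
    "@version": "2.14.0",
    "site": [{
        "@name": "http://192.168.56.10:65412",
        "alerts": [
            {"alert": "SQL Injection", "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "http://192.168.56.10:65412/?id=1", "method": "GET", "param": "id"}]},
            {"alert": "Cross Site Scripting (Reflected)", "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "http://192.168.56.10:65412/?v=x", "method": "GET", "param": "v"}]},
            {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "http://192.168.56.10:65412/", "method": "GET", "param": ""}]},
        ],
    }],
})

# ZAP's riskcode values: 0 = Informational, 1 = Low, 2 = Medium, 3 = High.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def triage(report_json):
    """Group every alert instance by risk level, most severe first.

    Returns {risk_name: [(alert_name, parameter, uri), ...]} with the keys
    ordered from High down to Informational.
    """
    report = json.loads(report_json)
    grouped = defaultdict(list)
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            code = int(alert.get("riskcode", 0))
            for inst in alert.get("instances", []):
                grouped[code].append((alert["alert"], inst.get("param", ""), inst.get("uri", "")))
    return {RISK_NAMES.get(code, "Unknown"): grouped[code] for code in sorted(grouped, reverse=True)}


def count_by_risk(report_json):
    """Summarise how many alert instances fall into each risk level."""
    return {name: len(items) for name, items in triage(report_json).items()}


if __name__ == "__main__":
    for risk, findings in triage(SAMPLE_REPORT).items():
        print(f"[{risk}] {len(findings)} finding(s)")
        for name, param, uri in findings:
            print(f"    {name} (param={param!r}) at {uri}")
```

The same functions work on a real report saved from ZAP (Report > Generate Report, JSON format) by reading the file contents into `triage`.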
