
OWASP Zed Attack Proxy - An Open Source Security tool to find security vulnerabilities by sanjeevm

### If you are a web application developer, then security vulnerabilities will be at the top of your to-do list before releasing the application to the public. And OWASP (Open Web Application Security Project) helps a lot to improve your application's security by providing a tool called Zed Attack Proxy (ZAP).

ZAP from OWASP is a free, open source security tool which can help you find security vulnerabilities in your web applications. You can use it during your development and testing phases, or after development is complete. It's also used for penetration testing and manual security testing.

The project has its own wiki: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

You can download the ZAP tool from there, and then go through the [Getting Started Guide](https://github.com/zaproxy/zaproxy/releases/download/2.6.0/ZAPGettingStartedGuide-2.6.pdf) or the [User Guide](https://github.com/zaproxy/zap-core-help/wiki).

After downloading and installing it, you can start using it for penetration testing of your application. For the purpose of demonstration, I will try attacking Steemit.com to see what it finds for us.

![image.png](https://res.cloudinary.com/hpiynhbhq/image/upload/v1514458523/jbthfr4nvzncdano2tva.png)

As you can see in the above screenshot, this is the page that opens after you start the application. You can enter the URL and then click on the Attack button. I hope Steemit.com does not mind me doing this, as I am doing it to demonstrate a good cause. Once you click that button, it will start sending requests to the site and analyzing the responses for vulnerabilities.

So after a few minutes, it will present you with the full list of vulnerabilities it found.

![image.png](https://res.cloudinary.com/hpiynhbhq/image/upload/v1514458828/vqarunsk83kblfwchbfv.png)

As you can see in the above screenshot, it's reporting 4 different alerts, and clicking on each of them will show you the potential implications of that alert. Let's go ahead and click a few of the alerts reported under Cookie without Secure flag:

![image.png](https://res.cloudinary.com/hpiynhbhq/image/upload/v1514459837/oigqyhy5yexje8zp6pok.png)

As you can see, it's reporting that a cookie named AWSALB is being set without the Secure flag, and it shows the cookie's value as well.

If we click the second one, we see that another cookie named stm1 is also being set in the same way.

![image.png](https://res.cloudinary.com/hpiynhbhq/image/upload/v1514459993/ngzzqlzm0hafp7z0pnqo.png)

It also shows the potential implications. For example, if a cookie is set without the Secure flag, then the browser will also send it over unencrypted (plain HTTP) connections, where it can be intercepted. So as an application developer you will need to ensure that the Secure flag is set on cookies, as they contain sensitive information. Once you fix that, you can scan again and confirm that the alert no longer shows up.
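To make the alert concrete, here is an added example (my own code, not ZAP's) that reproduces the Secure-flag check in Python over a constructed response: it parses each Set-Cookie header, flags cookies missing Secure (and HttpOnly, which ZAP reports as a separate Cookie No HttpOnly Flag alert) and shows the corrected header. The cookie names AWSALB and stm1 come from the post; the cookie values, the sample response and the `over_https` switch are assumptions.

```python
# Added example, not ZAP's own code: a passive check modelled on ZAP's
# "Cookie without Secure flag" alert, plus the fix the post recommends.
from collections import namedtuple

# name of the cookie and the list of attributes it lacks
CookieFinding = namedtuple("CookieFinding", "name missing")


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (cookie name, {attr lowercased: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() or None
    return name, attrs


def check_cookies(headers, over_https=True):
    """Report cookies missing Secure or HttpOnly, like ZAP's passive rules.
    over_https (assumption): Secure only matters on HTTPS responses, so the
    Secure check is skipped when the site is served over plain HTTP."""
    findings = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hvalue)
        missing = []
        if over_https and "secure" not in attrs:
            missing.append("Secure")
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings


def harden_set_cookie(header_value):
    """Append Secure and HttpOnly where absent; hardened headers pass through."""
    _, attrs = parse_set_cookie(header_value)
    fixed = header_value.rstrip("; ")
    if "secure" not in attrs:
        fixed += "; Secure"
    if "httponly" not in attrs:
        fixed += "; HttpOnly"
    return fixed


# Constructed sample response modelled on the post's two alerts; the cookie
# values are placeholders, not the real values ZAP displayed.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "AWSALB=PLACEHOLDER; Expires=Thu, 04 Jan 2018 11:24:09 GMT; Path=/"),
    ("Set-Cookie", "stm1=PLACEHOLDER; Path=/; HttpOnly"),
    ("Set-Cookie", "sid=PLACEHOLDER; Path=/; Secure; HttpOnly"),
]
```

Running `check_cookies(SAMPLE_HEADERS)` reports AWSALB missing Secure and HttpOnly and stm1 missing only Secure, matching the two alerts in the screenshots; feeding the output of `harden_set_cookie` back through the check returns no findings, which is the re-scan step the post describes.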

You can also set up ZAP as a proxy between your browser and your application, effectively making it a man-in-the-middle proxy. Then you can capture each request and response and analyze what is happening in between.

ZAP has a lot of potential uses; as part of this tutorial I wanted to spread awareness of such a wonderful open source security tool. You can also participate in its code contributions and translations. Hopefully they can also help you earn on this Utopian platform.

Let me know if you have any questions or need any further help with this.


*Posted on [Utopian.io - Rewarding Open Source Contributors](https://utopian.io/utopian-io/@sanjeevm/owasp-zed-attack-proxy-an-open-source-security-tool-to-find-security-vulnerabilities)*
Posted by @sanjeevm on 2017-12-28 11:24:09 in utopian-io.
@alexandraioana26 · 2017-12-29 10:02:36
Thanks for your implication! cheers @sanjeevm
@sanjeevm · 2017-12-29 10:22:06
Cheers :)
@damla · 2017-12-29 03:05:39
Thank you for the contribution. It has been approved.

You can contact us on [Discord](https://discord.gg/UCvqCsx).
**[[utopian-moderator]](https://utopian.io/moderators)**
@sanjeevm · 2017-12-29 10:21:00
Thank you.
@mrsfox · 2017-12-28 11:26:18
very useful information thank u :)))
@sanjeevm · 2017-12-29 10:19:48
Thank you a lot, glad it makes some sense.
@utopian-io · 2017-12-29 12:19:36
### Hey @sanjeevm I am @utopian-io. I have just upvoted you!
#### Achievements
- You have less than 500 followers. Just gave you a gift to help you succeed!
- Seems like you contribute quite often. AMAZING!
#### Suggestions
- Contribute more often to get higher and higher rewards. I wish to see you often!
- Work on your followers to increase the votes/rewards. I follow what humans do and my vote is mainly based on that. Good luck!
#### Get Noticed!
- Did you know project owners can manually vote with their own voting power or by voting power delegated to their projects? Ask the project owner to review your contributions!
#### Community-Driven Witness!
I am the first and only Steem Community-Driven Witness. [Participate on Discord](https://discord.gg/zTrEMqB). Let's GROW TOGETHER!
- [Vote for my Witness With SteemConnect](https://v2.steemconnect.com/sign/account-witness-vote?witness=utopian-io&approve=1)
- [Proxy vote to Utopian Witness with SteemConnect](https://v2.steemconnect.com/sign/account-witness-proxy?proxy=utopian-io&approve=1)
- Or vote/proxy on [Steemit Witnesses](https://steemit.com/~witnesses)

[![mooncryption-utopian-witness-gif](https://steemitimages.com/DQmYPUuQRptAqNBCQRwQjKWAqWU3zJkL3RXVUtEKVury8up/mooncryption-s-utopian-io-witness-gif.gif)](https://steemit.com/~witnesses)

**Up-vote this comment to grow my power and help Open Source contributions like this one. Want to chat? Join me on Discord https://discord.gg/Pc8HG9x**