ZAP (Zed Attack Proxy) is an open-source web application security scanner and intercepting proxy. It's an OWASP flagship project that you can use to find vulnerabilities in a web application. ZAP project lead Simon Bennetts, then a security engineer at Mozilla, gave a talk on ZAP's HUD, which you can watch below.
ZAP runs on Windows, Linux, and macOS, and the project also publishes official Docker images. It suits beginners as well as security professionals doing vulnerability analysis.
You can run ZAP as a desktop application or as a headless daemon driven through its REST API, which makes it a good fit for automated testing in a CI pipeline. You can also use it manually at any stage of development.
A Quick Look at ZAP
Let me show you around the ZAP tool. On the Quick Start tab, ZAP gives you two options: automated testing (Automated Scan) and manual testing (Manual Explore).
If you choose automated testing, you’ll see this window:
Once you enter the target URL and click the Attack button, ZAP spiders the web application, following every link it can find, while its passive scanner examines each request and response for issues. It then runs an active scan, which sends attack payloads to the application and can create, change, or delete data there. Only point ZAP at web applications you have permission to test; active scanning anything else is very likely illegal.
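The daemon mode mentioned earlier and the Automated Scan button do the same thing: spider, wait for the passive scanner to catch up, active scan, then collect alerts. The script below, an added example written for this article and not code from the ZAP project, drives that sequence against a headless ZAP daemon over its REST API using only the Python standard library. The API paths (`/JSON/spider/action/scan/`, `/JSON/ascan/view/status/`, `/JSON/alert/view/alerts/`) and the `X-ZAP-API-Key` header are ZAP's own interface; the daemon address, API key, target URL, and the `fake_transport()` replies are placeholders and constructed data so the example also runs offline.

```python
"""Spider -> passive scan -> active scan -> alert summary against a ZAP daemon.

Added example for this article (not ZAP project code). Endpoint paths and the
API-key header are ZAP's; host, key, target and the fake replies are assumptions.
"""
import json
import time
import urllib.parse
import urllib.request
from collections import Counter
from typing import Callable, Dict, List

# A transport maps (API path, query parameters) to ZAP's decoded JSON reply.
Transport = Callable[[str, Dict[str, str]], dict]


def http_transport(base: str = "http://127.0.0.1:8080", api_key: str = "changeme") -> Transport:
    """Real transport: GET <base><path>?<params> with the API key sent in a header."""
    def get(path: str, params: Dict[str, str]) -> dict:
        url = f"{base}{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"X-ZAP-API-Key": api_key})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    return get


class ZapScan:
    """Minimal client for the spider, passive scan, active scan and alert APIs."""

    def __init__(self, transport: Transport, poll_seconds: float = 2.0):
        self.get = transport
        self.poll = poll_seconds

    def _wait(self, path: str, params: Dict[str, str], key: str, done: str) -> None:
        # ZAP reports progress as strings, e.g. {"status": "100"} or {"recordsToScan": "0"}.
        while self.get(path, params)[key] != done:
            time.sleep(self.poll)

    def spider(self, target: str) -> str:
        scan_id = self.get("/JSON/spider/action/scan/", {"url": target, "recurse": "true"})["scan"]
        self._wait("/JSON/spider/view/status/", {"scanId": scan_id}, "status", "100")
        return scan_id

    def wait_passive(self) -> None:
        # The passive scanner examines every message the spider fetched; drain its queue first.
        self._wait("/JSON/pscan/view/recordsToScan/", {}, "recordsToScan", "0")

    def active_scan(self, target: str) -> str:
        # This step sends attack payloads: run it only against targets you are authorised to test.
        scan_id = self.get("/JSON/ascan/action/scan/", {"url": target, "recurse": "true"})["scan"]
        self._wait("/JSON/ascan/view/status/", {"scanId": scan_id}, "status", "100")
        return scan_id

    def alerts(self, target: str) -> List[dict]:
        params = {"baseurl": target, "start": "0", "count": "1000"}
        return self.get("/JSON/alert/view/alerts/", params)["alerts"]


def summarize(alerts: List[dict]) -> Dict[str, int]:
    """Count alerts by ZAP risk level (High, Medium, Low, Informational)."""
    return dict(Counter(a["risk"] for a in alerts))


def run(target: str, transport: Transport, poll_seconds: float = 2.0) -> Dict[str, int]:
    zap = ZapScan(transport, poll_seconds)
    zap.spider(target)
    zap.wait_passive()
    zap.active_scan(target)
    return summarize(zap.alerts(target))


def fake_transport() -> Transport:
    """Constructed stand-in for a daemon so the example runs offline: scan IDs,
    progress that climbs to 100, and three made-up alerts in ZAP's alert schema."""
    progress = {"/JSON/spider/view/status/": 0, "/JSON/ascan/view/status/": 0}
    alerts = [
        {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High",
         "confidence": "Medium", "url": "http://example.test/search?q=x", "param": "q"},
        {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing", "risk": "Low",
         "confidence": "Medium", "url": "http://example.test/", "param": "x-content-type-options"},
        {"pluginId": "10020", "alert": "Missing Anti-clickjacking Header", "risk": "Low",
         "confidence": "Medium", "url": "http://example.test/", "param": "x-frame-options"},
    ]

    def get(path: str, params: Dict[str, str]) -> dict:
        if path.endswith("/action/scan/"):
            return {"scan": "0"}
        if path in progress:                       # each poll advances the fake scan by half
            progress[path] = min(progress[path] + 50, 100)
            return {"status": str(progress[path])}
        if path == "/JSON/pscan/view/recordsToScan/":
            return {"recordsToScan": "0"}
        if path == "/JSON/alert/view/alerts/":
            return {"alerts": alerts}
        raise ValueError(f"unexpected API path: {path}")
    return get


if __name__ == "__main__":
    # Offline demo; swap in http_transport() and a real target for a live daemon.
    print(run("http://example.test", fake_transport(), poll_seconds=0))
```

To run it for real, start a daemon first, for example with the official image: `docker run -u zap -p 8080:8080 -i ghcr.io/zaproxy/zaproxy:stable zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.key=changeme -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true` (the `api.addrs` settings let the API accept connections from outside the container; keep the key secret, since anyone who can reach the API can launch attacks through your proxy). Then call `run("http://<target>", http_transport("http://127.0.0.1:8080", "changeme"))`. The transport is injected so the same scan logic works against the constructed offline stub and a live daemon.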
When it comes to manual testing, you still provide the URL of the web application, but instead of a spider, you browse the site yourself in a browser that ZAP launches pre-configured to proxy through it. ZAP passively scans only the pages you actually visit and sends no attacks unless you ask it to.
Once traffic is flowing through ZAP, the History tab lists every request your browser made through the proxy, together with the response it received.
To find out what else you can do with a result, right-click any entry in the History tab or the Sites tree. The context menu lets you, for example, spider or actively scan just that node, or resend the request with changes.
As you can see above, using ZAP can get a little complicated for complex operations. In such cases, ZAP HUD (heads-up display) will ease things for you.
ZAP HUD lets you use the features of ZAP without having to switch to the ZAP window every time.
To use the HUD, tick the Enable HUD box in Manual Explore before you click Launch Browser. When the browser opens, the HUD overlay appears on top of the page, which means the ZAP HUD has started.
Want to learn about the ZAP HUD features? Click the Take the HUD Tutorial button, and you’ll be redirected to a page with everything you need to know.
On the left you'll see alerts grouped by risk level (high, medium, low, and informational). This makes it easy to look at the results because they're just one click away. On the right you'll see tools such as the Sites tree, the spider, the active scanner, and so on.
With the HUD's Break tool you can intercept a request or response, change it, and then pass it on to the web application (or back to the browser). That's really useful for penetration testing and debugging.
If you don't want to visit every page and try an exploit by hand, switch on Attack mode. In this mode ZAP actively scans every in-scope page as you discover it by browsing, so be careful about what you add to scope.
Basically, ZAP sits between your browser and the web server as an intercepting proxy. The HUD injects JavaScript into each HTML page that passes through the proxy; that script creates frames overlaid on the page, and the ZAP features are driven from those frames.
At some point, you'll wonder, "How does ZAP HUD do all this?" Well, good news! The source code is public at https://github.com/zaproxy/zap-hud, so you can read exactly how the magic happens.
All right, folks! That gives you some introductory information about ZAP HUD. I suggest you install ZAP HUD and explore more of its features.