[TryHackMe] Introduction to OWASP ZAP
Room Link: https://tryhackme.com/room/learnowaspzap
[Task 1] Intro to ZAP
#1 What does ZAP stand for?
Zed Attack Proxy
[Task 2] Disclaimer
Read the disclaimer.
[Task 3] Installation
Go to https://www.zaproxy.org/download/ and choose the ZAP installer for your operating system.
[Task 4] How to perform an automated scan
Read Task 4 to learn how to perform an automated scan. The easiest way to use the Ajax Spider is with HTMLUnit. To install HTMLUnit, use the command:
sudo apt install libjenkins-htmlunit-core-js-java
[Task 5] Manual Scanning
You can set the port for the local proxy from
Tools -> Options -> Local Proxies
To export the ZAP root CA certificate, navigate to
Tools -> Options -> Dynamic SSL Certificates
Save the certificate and import it into your browser (e.g. Chrome, Firefox) so that ZAP can intercept HTTPS traffic without certificate warnings.
#1 What IP do we use for the proxy?
127.0.0.1
[Task 6] Scanning an Authenticated Web Application
Read the whole task step by step
[Task 7] Brute-force Directories
Read the whole task step by step
[Task 8] Bruteforce Web Login
Brute-force http://10.10.xx.xx/vulnerabilities/brute/ by following the steps given in the task.
#1 Use ZAP to bruteforce the DVWA ‘brute-force’ page. What’s the password?
password
[Task 9] ZAP Extensions
Extensions can be installed from within ZAP. Follow the steps given in the task.
[Task 10] Further Reading
For further reading you can check:
Desktop eManual: https://www.zaproxy.org/docs/desktop/ui/
OWASP ZAP Forums: https://groups.google.com/forum/#!forum/zaproxy-users
Congratulations
You've completed the room and learned how to use ZAP properly.