CST8265 ZAP Guide

The document provides a comprehensive guide on downloading, installing, and configuring the OWASP Zed Attack Proxy (ZAP) for web application security testing. It details the installation process for both Windows and Linux, the steps to install ZAP's SSL certificate in Mozilla Firefox, and how to configure the proxy settings in both the browser and ZAP. Additionally, it explains how to intercept communication between the server and browser using ZAP's breakpoint feature.

Uploaded by Tutor J-biz


ZAP download, installation and configuration to intercept!

(Of course I'll guide you through this again during the lab hours;
until then you can try it by yourself.)

Introduction: OWASP's Zed Attack Proxy (ZAP) is one of the world's most popular
free security tools and is actively maintained by hundreds of international volunteers. It can
help you automatically find security vulnerabilities in your web applications while you are
developing and testing them. For more details: https://www.zaproxy.org/

1. Installation
1. Download ZAP from
https://www.zaproxy.org/download/

or from BrightSpace

2. Install and open ZAP

For Windows installation:

Download the Windows 64-bit installer and double-click it to install.
To run ZAP: double-click the desktop icon.

For Linux: download ZAP_2_7_0_unix.sh (the file name carries the ZAP version, so a
newer download will be named accordingly) and copy it to a zap folder.

A downloaded file is not executable, so mark it executable first, then run it:
~/zap $ chmod +x ZAP_2_7_0_unix.sh
~/zap $ sudo ./ZAP_2_7_0_unix.sh
It will install ZAP in the ~/zap/ folder. (sudo is only needed if you install outside your
home directory; an install under ~/zap works without it and avoids root-owned files.)

To run ZAP:
~/zap $ ./zap.sh

ZAP Quick start guide: https://www.zaproxy.org/getting-started/

2. Installing certificate
Since all requests and responses are proxied by ZAP, certificate verification will
fail for sites using SSL/TLS (HTTPS) and the browser will refuse the connection. This
is expected: ZAP terminates the TLS connection from the browser, so the browser sees
a certificate that ZAP minted for the host rather than the site's real certificate. To
make this work, ZAP generates a certificate for each host on the fly, signed by its
own Certificate Authority (CA) certificate. This CA certificate is generated the first
time ZAP is run and is stored locally. To use ZAP with HTTPS websites, you need to
install ZAP's CA certificate as a trusted root in your browser.
Note that a browser which trusts this CA will accept any certificate signed with it, so
keep the CA's private key private and remove the CA from the browser when the lab is over.
1. Go to Tools -> Options -> Dynamic SSL Certificate. A certificate should already be
shown; click Generate only if you want a new one (any copy you imported earlier then
stops working), then click Save.
2. Save the certificate in the desired location, say on the desktop.
3. Open your browser (Firefox) and import the certificate, as described next.

How to import the saved owasp_zap_root_ca certificate in Mozilla Firefox:

Go to Preferences -> Advanced tab -> Certificates -> View Certificates
OR
Options -> Privacy & Security -> View Certificates
(the first path is for older Firefox versions, the second for newer ones)

Then,

1. Click the Authorities tab
2. Click the Import button (at the bottom) and choose the saved
owasp_zap_root_ca.cer file
3. In the dialog, check the box to trust this CA to identify websites
4. Finish the dialog by pressing OK

3. Configuring the proxy for both browser and ZAP

1. For the browser
1. Open your preferred browser and set up the proxy as shown here (you
can use port 9090 as the port).
2. For Mozilla Firefox: Options -> General -> Network Settings -> Manual proxy
configuration. Set HTTP Proxy to 127.0.0.1 and Port to 9090, and tick the option to
use the same proxy for HTTPS (its wording varies between Firefox versions); if
HTTPS is left unproxied, ZAP will never see your HTTPS traffic.

2. For ZAP
1. In the ZAP user interface: go to Tools -> Options -> Local Proxy
2. Make sure the port is set to 9090 (or the port you have configured in your
browser). ZAP's default is 8080, so it must be changed to match.

3. Open any HTTPS website in your browser and make sure the site shows up in
ZAP's Sites tree. If the browser shows a certificate warning instead, the CA import
from section 2 did not take; if the site is missing from ZAP, the browser is not
using the proxy.

How to intercept the communication between server and browser using ZAP's
break point:
Open the Firefox browser from ZAP's browser-launch icon.

NB: Before intercepting, have WebGoat running with a lesson open, say HTTP Basics.

- You need to set the break point just before your WebGoat activity: click the green
circle button on the top toolbar (NB: when you press it, it turns red, meaning the
break is armed).

- Then start the activity in WebGoat (say, press Submit, i.e. send the request). Your
browser now waits for the response from the server.
- Go to ZAP: you will see your request in the Break tab on the right. Edit it according to
your requirements, then press "Submit and continue to next break point" (the blue
play button in the top panel). If the response is trapped as well, press the same
button again to release it to the browser.
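What the break point does can be reproduced with a small program. The Go program below is an added example (not part of the original guide and not ZAP code): a minimal plain-HTTP forward proxy that hands every request to an edit function before forwarding it, which is the "edit, then submit and continue" step above, plus a client configured the way Firefox is in section 3. The WebGoat stand-in is a constructed local server that only echoes the "user" query parameter; the edit rewrites guest to admin in flight. The example handles plain HTTP only (real ZAP also handles HTTPS through CONNECT and its own CA, which this toy omits), and the 127.0.0.1:9090 address mentioned in the comments is the lab's choice, not something the code requires.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// breakpointProxy is a minimal plain-HTTP forward proxy. Like ZAP with the
// break button armed, it hands every request to edit before forwarding it,
// so whatever edit changes is what the server receives.
func breakpointProxy(edit func(*http.Request)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// A browser with a manual proxy configured sends the absolute URL in
		// the request line, so r.URL already carries scheme and host.
		if !r.URL.IsAbs() {
			http.Error(w, "not a proxy request", http.StatusBadRequest)
			return
		}
		out := r.Clone(r.Context())
		out.RequestURI = "" // must be empty on a client-side request
		out.Header.Del("Proxy-Connection")
		edit(out) // the "edit according to your requirements" step
		resp, err := http.DefaultTransport.RoundTrip(out)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		for k, vs := range resp.Header {
			for _, v := range vs {
				w.Header().Add(k, v)
			}
		}
		w.WriteHeader(resp.StatusCode)
		io.Copy(w, resp.Body)
	})
}

// fetchViaProxy is the browser side of section 3: every request is sent to
// proxyURL (in the lab that would be http://127.0.0.1:9090) instead of
// directly to the target.
func fetchViaProxy(proxyURL, target string) (string, error) {
	p, err := url.Parse(proxyURL)
	if err != nil {
		return "", err
	}
	client := &http.Client{Transport: &http.Transport{Proxy: http.ProxyURL(p)}}
	resp, err := client.Get(target)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// demo wires a constructed WebGoat stand-in (it just echoes the "user" query
// parameter) behind the proxy and tampers with that parameter in flight.
// It returns what the server actually received.
func demo() (string, error) {
	webgoat := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.URL.Query().Get("user"))
	}))
	defer webgoat.Close()

	proxy := httptest.NewServer(breakpointProxy(func(req *http.Request) {
		q := req.URL.Query()
		q.Set("user", "admin") // what you would type into ZAP's Break tab
		req.URL.RawQuery = q.Encode()
	}))
	defer proxy.Close()

	return fetchViaProxy(proxy.URL, webgoat.URL+"/?user=guest")
}

func main() {
	got, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("browser sent user=guest, server received user =", got)
}
```

The browser-side code never learns that the parameter was changed, which is the whole point of the exercise in WebGoat: anything the client sends, including hidden fields and cookies, can be rewritten between browser and server, so the server must not trust it.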

- You can follow: https://www.youtube.com/watch?v=fa5LAfXmwoo

Enjoy the hacking


Ref: https://security.secure.force.com/security/tools/webapp/zapbrowsersetup
