Cybersecurity Lab 7 - Session Hijacking

The document provides instructions for using the Zed Attack Proxy (ZAP) for session hijacking in a cybersecurity lab setting. It outlines the setup process for both the attacker and target machines, including configuring proxy settings and installing ZAP. The objective is to intercept and inspect traffic between the server and client using ZAP as a man-in-the-middle proxy.


RIFT VALLEY INSTITUTE OF BUSINESS STUDIES
For all Your Technical Training Needs
Ministry of Education
Main Campus: Railways Grounds next to Railways Police Station.
Reg No. MOHEST/PC/1918/012
P. O. Box 17207 – 20100, NAKURU
TVETA/TVC/0056/2016
Tel: 0715-111-101 / 0715-111-103
Email: [email protected]
www.rvibs.ac.ke

Cybersecurity
Lab 7 Instructions

Session Hijacking - Using ZAP (Zed Attack Proxy)
Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool maintained
under the umbrella of the Open Web Application Security Project (OWASP). ZAP is
designed specifically for testing web applications and is both flexible and extensible.

At its core, ZAP is what is known as a "man-in-the-middle proxy." It stands between the
tester's browser and the web application so that it can intercept and inspect messages
sent between browser and web application, modify the contents if needed, and then
forward those messages on to their destination. It can be used as a stand-alone application
and as a daemon process. [...]

>> ZAP Download

Objectives
- Intercept the traffic between server and client

Requisites
- Windows Server 2012 or 2016 virtual machine (Attacker)
- Windows 10 virtual machine (Target)

Set Up the Proxy
1. Log into the Windows 10 machine and launch any browser; in this lab, Firefox.

2. Go to Settings > Network Settings.

3. Under Proxy Settings, select Manual Proxy Configuration and enter the
attacker machine's IP address with port 8080, as shown below:

4. You can also configure this directly in Internet Properties: Control
Panel > Connections tab > LAN Settings. Check the Proxy Server checkbox and
type the attacker machine's IP address and port 8080, as shown below:
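Step 4 changes the per-user Windows proxy setting that Internet Explorer, Edge and the WinHTTP stack read from the registry (the ProxyEnable and ProxyServer values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings). As an added example, not part of the lab sheet, the Python script below reads that setting where it can and compares it with an allow-list of proxies the organisation actually runs; a manual proxy on port 8080 pointing at some other host, which is exactly what this lab configures, is reported as suspicious. The allow-list and the 192.0.2.10 sample address are constructed; the registry key and value names are the standard Windows ones.

```python
"""Audit the Windows per-user proxy setting against an allow-list.

Added example for the lab, not from the lab sheet or from ZAP. On Windows
it reads the live ProxyEnable/ProxyServer values; elsewhere it falls back
to a constructed sample so the logic can still be exercised.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed allow-list: the only proxies this organisation operates.
APPROVED_PROXIES = {"proxy.corp.example:3128"}


@dataclass
class ProxyFinding:
    enabled: bool
    per_scheme: Dict[str, str]                # scheme -> "host:port"
    unexpected: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Only an *enabled* proxy that is not on the allow-list matters.
        return self.enabled and bool(self.unexpected)


def parse_proxy_server(value: str) -> Dict[str, str]:
    """Parse the ProxyServer registry string.

    Windows stores either a single "host:port" that applies to every
    protocol, or a ';'-separated list such as "http=a:80;https=b:443".
    """
    value = value.strip()
    if not value:
        return {}
    if "=" not in value:
        return {"all": value}
    result: Dict[str, str] = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if entry:
            scheme, _, hostport = entry.partition("=")
            result[scheme.strip().lower()] = hostport.strip()
    return result


def evaluate_proxy(proxy_enable: int, proxy_server: str,
                   approved=APPROVED_PROXIES) -> ProxyFinding:
    """Compare a configured proxy with the allow-list."""
    per_scheme = parse_proxy_server(proxy_server)
    unexpected = sorted({hp for hp in per_scheme.values()
                         if hp.lower() not in approved})
    return ProxyFinding(enabled=bool(proxy_enable),
                        per_scheme=per_scheme, unexpected=unexpected)


def read_windows_proxy() -> Optional[ProxyFinding]:
    """Read the live setting on Windows; return None on other platforms."""
    try:
        import winreg  # standard library, Windows only
    except ImportError:
        return None
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        try:
            enable, _ = winreg.QueryValueEx(key, "ProxyEnable")
        except FileNotFoundError:
            enable = 0
        try:
            server, _ = winreg.QueryValueEx(key, "ProxyServer")
        except FileNotFoundError:
            server = ""
    return evaluate_proxy(enable, server)


if __name__ == "__main__":
    live = read_windows_proxy()
    # Constructed sample standing in for the lab's setting on non-Windows hosts.
    finding = live or evaluate_proxy(1, "192.0.2.10:8080")
    print("suspicious" if finding.suspicious else "ok",
          finding.per_scheme, finding.unexpected)
```

Firefox keeps its own proxy preferences (the Manual Proxy Configuration of step 3) outside the registry, so a complete audit also checks the browser profile; the comparison logic above applies unchanged to that value.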

Setting Up ZAP (Zed Attack Proxy)

Switch to the Attacker Machine (Windows Server).

Note: Make sure the Java Runtime is installed.

1. Download ZAP > https://www.zaproxy.org/download/

2. During installation, make sure to select the option "No, I do not want to
persist this session at this moment in time":

3. In the OWASP ZAP main window, click the "+" icon in the right pane, then
add the Break tab, as shown below:

The Break tab allows you to modify a response or request once it has been
caught by ZAP.

It also allows you to modify elements that you cannot modify through your
browser; these include the header, hidden fields, disabled fields, and fields that
use JavaScript to filter out illegal characters.

4. Once the Break tab is added, configure ZAP to work as a proxy: open Options
by clicking the gear icon at the top, as shown below:

5. In the Options window, select Local Proxies in the left pane. The address
is the Windows Server IP address and the port is 8080 by default:

6. Go back to the ZAP main window and click the green button (Set break on all
requests and responses), as shown below:

This button sets and unsets a global break point that traps the next request or
response from the target machine and displays it in the Break tab.

You can modify any part of the request or response that you want and send it to
the victim's application by clicking either Step or Continue.

Alternatively, you can click Drop to dispose of the request or response.

Intercept the Traffic

1. Switch back to the target machine (Windows 10) and launch the same browser
in which you configured the proxy settings.

2. Type the URL www.certifiedhacker.com; if you get any warning messages,
accept the risk and continue.

3. Now switch to the attacker machine (Windows Server). You will notice that
ZAP has started capturing the target's requests.

4. Click the button "Submit and step to next request" until you capture
the GET request for the browsed website.
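The GET request that lands in the Break tab carries whatever the browser sends, and for a site reached over plain HTTP that includes the session cookie; this is what makes session hijacking through a proxy possible, and it is why the server-side fixes are transport encryption and cookie attributes. As an added example, not from the lab sheet or from ZAP, the Python code below takes a request and a response in the raw form ZAP displays and lists the exposures: plaintext transport with a cookie in the request, and a session cookie set without Secure, HttpOnly or SameSite and without an HSTS header. A hardened response is included for contrast. Both messages, the cookie name and its value are constructed; they are not what www.certifiedhacker.com actually returns.

```python
"""Assess an intercepted HTTP exchange for session-hijacking exposure.

Added example, not part of the lab or of ZAP. The messages below are
constructed samples in the shape ZAP shows in the Break tab.
"""
from typing import Dict, List, Tuple

# Constructed request like the one captured in the lab (cookie value is fake).
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.certifiedhacker.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: sessionid=constructed123\r\n"
    "\r\n"
)

# Constructed response that sets a session cookie with no protective attributes.
SAMPLE_RESPONSE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=constructed123; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed hardened response: cookie attributes plus HSTS.
SAMPLE_RESPONSE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=constructed123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
    "<html>...</html>"
)

# Canonical spelling of each attribute for the report.
COOKIE_ATTRS = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}


def parse_message(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP message into its start line and lower-cased headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, {attribute -> value}) for one Set-Cookie header."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def assess_exchange(raw_request: str, raw_response: str,
                    over_tls: bool = False) -> List[str]:
    """List what lets an intercepting proxy read or reuse the session."""
    findings: List[str] = []
    _, req_headers = parse_message(raw_request)
    _, resp_headers = parse_message(raw_response)
    if not over_tls:
        findings.append("request sent over plaintext HTTP: proxy reads every header")
        for cookie in req_headers.get("cookie", []):
            findings.append(f"session cookie visible in request: {cookie}")
    for set_cookie in resp_headers.get("set-cookie", []):
        name, attrs = parse_set_cookie(set_cookie)
        for attr, label in COOKIE_ATTRS.items():
            if attr not in attrs:
                findings.append(f"cookie {name} lacks {label}")
    if "strict-transport-security" not in resp_headers:
        findings.append("no Strict-Transport-Security header: browser may keep using http://")
    return findings


if __name__ == "__main__":
    for label, resp, tls in (("weak", SAMPLE_RESPONSE_WEAK, False),
                             ("hardened", SAMPLE_RESPONSE_HARDENED, True)):
        print(f"[{label}]")
        for finding in assess_exchange(SAMPLE_REQUEST, resp, over_tls=tls) or ["no findings"]:
            print("  -", finding)
```

The over_tls flag models only whether the browser reached the site over HTTPS; an intercepting proxy whose certificate the browser has been made to trust can still read TLS traffic, so the cookie attributes and HSTS are the controls that limit what a stolen or replayed cookie is worth rather than a substitute for keeping the proxy out.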
