Concern regarding ZAP configuration


Ahammed Jamsheer

Mar 21, 2022, 7:41:58 AM
to OWASP ZAP User Group

Hi Team, 

Here I have an ASP.NET web forms application with multiple sub-projects. Since we have some security issues in this project we have to do a security scan against the entire project.

To do the same, I have configured the "ZAP" tool in my machine and tried to scan the entire project.


  • I created an unencrypted URL in my project.

1.png

  • Then I scanned my project manually and automatically to detect this unencrypted URL. But the alert box only shows the description of a missing anti-CSRF token as a medium risk, and the URL encryption issues are not described there.

2.png

It seems that some of the potential security risks like unencrypted URL query strings and authentication issues are not being captured during the scan.


  • Then I tried to scan the encrypted URL with the user authentication and session. But at that time also it only appears under the medium priority alert.

3.png

What I want is to get the list of all potential security issues (unencrypted URL query strings, authentication issues and other security issues) and the areas which are causing the issue in my project during the scan.

Is it possible to achieve the same using the "ZAP" tool?

If possible could you please provide more information on the same like the documentation or videos?


Ahammed Jamsheer

Mar 22, 2022, 10:22:44 AM
to OWASP ZAP User Group
Hi ZAP Team,

This is the follow-up email regarding the concern of the ZAP security scan against the entire project. Did you get a chance to look into the issue? Could you please look into it and update me on the same?

Thank you,
Jamsheer

Simon Bennetts

Mar 22, 2022, 1:33:49 PM
to OWASP ZAP User Group
Hi Jamsheer,

Give us a chance, it's only been one day :P

ZAP should detect those sorts of problems, but only if they are exposed.

How did you explore your app?
Using one or both of the spiders?

Did they actually trigger that redirect?
Have a look in the sites tree to see if you can find it.

If the redirect was not triggered then ZAP will not be able to detect it.

Cheers,

Simon

Ahammed Jamsheer

Mar 24, 2022, 4:07:17 AM
to OWASP ZAP User Group

Thank you Simon,

My responses are below. Please look into it.

How did you explore your app? Response: I explored my app by "Automated Scan and Manual Explore" with an Active scan.

Using one or both of the spiders? Response: While running an automated scan, the Ajax spider is used.

Did they actually trigger that redirect? Response: Yes, I triggered it and I am able to see the URL in the alert box with the description of a missing anti-CSRF token. But the URL encryption issues are not described there.

I am attaching a video to show what I did here on my machine. Kindly watch the video and share your suggestions and concerns.

Note: The video is a WEBM file, so kindly download it and watch it in Google Chrome for better video quality; otherwise it will be viewed in poor resolution if you try to play it from the link (without downloading).

Video Link : https://drive.google.com/file/d/1udaj3Ssbzt_GVC-6S03NKLe8uI2HKHCo/view?usp=sharing


What I need is to get the list of all potential security issues (unencrypted URL query strings, authentication issues and other security issues) with the details of the issues and the areas which are causing the issue in my project during the scan.

Is it possible to get the list of all potential security issues in the entire project with a single scan? If yes, how could I scan like that?

If the URL has many more security issues, how could I identify all the issues?

Could you please provide more information on the same, like documentation or videos?


Thanks,

Jamsheer

Ahammed Jamsheer

Mar 28, 2022, 3:50:57 AM
to OWASP ZAP User Group

Hi Simon,

This is the follow-up email regarding my last email about the ZAP security scan against the entire project (including responses to your questions and an attached video). Did you get a chance to look into my concerns? Could you please look into it and update me on the same?

Thanks,

Jamsheer


Simon Bennetts

Apr 5, 2022, 5:57:08 AM
to OWASP ZAP User Group
Hi Jamsheer,

I'm afraid videos are not a good way to submit support info - detailed descriptions are much better.
We have _lots_ of videos on how to use ZAP - all are under https://www.zaproxy.org/videos/ and the full list is on https://www.zaproxy.org/videos-list/

Re: "Is it possible to get the list of all potential security issues in the entire project with a single scan?"
No. Web security is complex. Automated tools like ZAP are good at finding some vulnerabilities but not so good at finding others.

If you effectively explore your application and then perform a full scan then you should be able to find all of the vulnerabilities that ZAP can find, assuming ZAP has a good "understanding" of your project.
For more on that see this video: https://www.youtube.com/watch?v=1_flXEBzEsE

To find "all potential security issues" you really need manual testing by someone who knows what they are doing - they may well still use ZAP but they would use the manual features rather than just the automated ones.

Regarding your redirect - I suggest triggering this redirect manually and looking at the requests and responses in the History tab.
It's possible that the redirect is actually over https due to some other configuration in your project, so that's the first thing I would look at.

Cheers,

Simon
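Simon's advice above comes down to three checks on the traffic ZAP actually recorded: is the query string really sent over plain http, does the redirect really land on an http:// URL (or is it upgraded to https by other configuration), and was the page reached by the spider at all, since ZAP cannot alert on a page it never visited. The script below is an added example, not part of the thread and not ZAP's own code: it runs those checks offline over a constructed set of request/response pairs of the kind shown in the History tab. The hostname `app.example.test`, the paths and the parameter names are placeholders, not the poster's project, and `Exchange` is a hypothetical record type standing in for a History row.

```python
"""Offline checks over captured HTTP traffic (History-tab style rows) for the
issues discussed in the thread: query strings over plain HTTP, redirects that
land on http://, and expected pages the spider never reached.
All sample data below is constructed; app.example.test is a placeholder host."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urljoin, parse_qsl


@dataclass
class Exchange:
    """One request/response pair, as a row in ZAP's History tab would show it."""
    method: str
    url: str
    status: int
    headers: dict = field(default_factory=dict)  # response headers


def plaintext_query_strings(exchanges):
    """Requests sent over http:// that carry a query string.

    Returns (url, [parameter names]); names are reported, values are not, so a
    report does not itself echo whatever travelled in the clear."""
    findings = []
    for ex in exchanges:
        parts = urlsplit(ex.url)
        if parts.scheme == "http" and parts.query:
            names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
            findings.append((ex.url, names))
    return findings


def plaintext_redirects(exchanges):
    """3xx responses whose Location resolves to an http:// URL.

    A redirect that ends on https:// (an upgrade) is not reported; that is the
    case to rule out first, as suggested in the reply above."""
    findings = []
    for ex in exchanges:
        if not 300 <= ex.status < 400:
            continue
        lowered = {k.lower(): v for k, v in ex.headers.items()}
        location = lowered.get("location")
        if location is None:
            continue
        target = urljoin(ex.url, location)  # a relative Location keeps the scheme
        if urlsplit(target).scheme == "http":
            findings.append((ex.url, target))
    return findings


def _node(url):
    """scheme://host/path with query and fragment stripped."""
    return urlsplit(url)._replace(query="", fragment="").geturl()


def site_tree(exchanges):
    """Every URL actually visited, roughly what the Sites tree would contain."""
    return {_node(ex.url) for ex in exchanges}


def never_visited(exchanges, expected):
    """Expected pages absent from the site tree: the spider never reached them,
    so no scan rule could have raised an alert on them."""
    tree = site_tree(exchanges)
    return sorted(u for u in expected if _node(u) not in tree)


# Constructed sample history (not real traffic).
SAMPLE_HISTORY = [
    Exchange("GET", "http://app.example.test/Login.aspx?user=alice&token=abc123", 200),
    Exchange("GET", "http://app.example.test/", 301,
             {"Location": "https://app.example.test/"}),          # http -> https upgrade
    Exchange("GET", "https://app.example.test/Account/Default.aspx", 302,
             {"Location": "http://app.example.test/Account/Profile.aspx?id=42"}),
    Exchange("GET", "https://app.example.test/Account/Profile.aspx?id=42", 200),
    Exchange("GET", "https://app.example.test/Report.aspx", 302,
             {"Location": "/Report/View.aspx?rid=7"}),             # relative, stays https
]

# Pages the tester expected the spider to cover (constructed).
EXPECTED_PAGES = [
    "https://app.example.test/Account/Profile.aspx",
    "https://app.example.test/Admin/Users.aspx",   # never spidered in the sample
]

if __name__ == "__main__":
    for url, names in plaintext_query_strings(SAMPLE_HISTORY):
        print("query string over http:", url, "params:", names)
    for src, target in plaintext_redirects(SAMPLE_HISTORY):
        print("redirect to http:", src, "->", target)
    for url in never_visited(SAMPLE_HISTORY, EXPECTED_PAGES):
        print("never visited (no alert possible):", url)
```

On the sample, the first function reports the login URL with its two parameter names, the second reports only the `Default.aspx` redirect (the `http -> https` upgrade and the relative `https` redirect are correctly ignored), and the third reports the admin page that never appeared in the history. To apply this to a real scan, export the History entries and build `Exchange` rows from the request URL, response status and response headers; an issue that shows up here but not in the Alerts tab is a coverage or configuration question, which is where the reply above says to look first.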