One in Six Developers in Healthcare Report Open Source Breaches | Press Release

blog-logo Sonatype Blog

The OWASP ZAP HUD

May 26, 2020 By Omkar Hiremath

ZAP (Zed Attack Proxy) is an open-source web application scanner. It’s an OWASP flagship project that you can use to find vulnerabilities in a web application. Mozilla security expert Simon Bennetts gave a talk on ZAP’s HUD, which you can watch below.

Where Can You Use ZAP?

You can use ZAP on Windows, Linux, and Mac OS. You’ll have access to multiple docker images, and ZAP is suitable for beginners as well as security professionals who are working on vulnerability analysis.

You can run ZAP in desktop and daemon modes. You can also use it manually at any stage in development. It’s a great tool for automated testing.

A Quick Look at ZAP

Let me show you around the ZAP tool. ZAP gives you two options: automated testing and manual testing.

Automated Testing With ZAP

If you choose automated testing, you’ll see this window:

In this window, you’ll have to enter the IP address of the application that you want to scan and choose the spider. Spiders are programs that crawl through the application to collect whatever information they can.

Once you click the Attack button, ZAP will spider through the web application, exploring all the links it can find. It will not only scan for vulnerabilities but will also attack the web application. Make sure you use ZAP only on the web applications you have permission to use it on, or else it’ll be considered illegal.

Manual Testing With ZAP

When it comes to manual testing, you’ll have to provide the URL of the web application that you want to use ZAP on. But instead of using a spider, you’ll have to manually browse through the website. ZAP will do its job only on the web pages that you manually visit.

Analyzing Results

Once you run ZAP on the application, the History tab will show you a list of all the requests made to the browser.

If you want to see the details of the request, click the Request tab. You’ll see those details and the response under the Request and Response tabs.
To your left, you’ll see a site streak generated. This represents the way ZAP has understood your application. The site streak is really helpful when it comes to automated testing.

To find out what else you can do with the results, you can right-click on any result on the site streak.

What Is ZAP HUD?

As you can see above, using ZAP can get a little complicated for complex operations. In such cases, ZAP HUD (heads-up display) will ease things for you.

ZAP HUD lets you use the features of ZAP without having to switch to the ZAP window every time.

To use HUD, you can check the Enable HUD box while starting the session. Once you start the session, you’ll see a window pop up, which means the ZAP HUD has started.

Want to learn about the ZAP HUD features? Click the Take the HUD Tutorial button, and you’ll be redirected to a page with everything you need to know.

When you enable HUD, you’ll see a lot of options on the left and to the right of your screen. These options lists make it easy for you to use different features of ZAP while you’re using other applications or manually scanning your target.

ZAP HUD Features

To your left, you’ll see low, medium, and high levels of alerts. This makes it easy for you to look at the results because they’re just one click away. To your right, you’ll see options for site streak, spiders, and so on.

One useful feature that you may like is a button that scans for hidden fields on the page. It’ll show you the number of hidden fields, and when you click it, it’ll display those fields.

You can use HUD to intercept traffic, make changes to it, and pass it to the web application. It’s really useful for penetration testing and debugging.

If you don’t want to go around all the pages and try an exploit, you can use the attack mode. This option will automatically attack all the pages that you’ve added in scope.

How Does ZAP HUD Work?

Basically, ZAP stands in between your browser and the web server. HUD injects a JavaScript code in the application, which creates the frames and lets you use ZAP features.

At some point, you’ll wonder, “How does ZAP HUD do all this?” Well, good news! ZAP provides the source code publicly so you can learn how the magic happens.

All right, folks! That gives you some introductory information about ZAP HUD. I suggest you install ZAP HUD and explore more of its features.

Tags: vulnerabilities, OWASP, OWASP ZAP

Written by Omkar Hiremath

Omkar Hiremath uses his MCA in computer science to share theoretical and demo-based learning on various areas of technology, like ethical hacking, Python, blockchain, and Hadoop.