Penetration Testing Your Web App with Azure Application Gateway WAF Part 2: OWASP ZAP Tool

Continuing from my last post Penetration Testing Your Web App with Azure Application Gateway WAF Part 1: Intro, I will demonstrate a very simple penetration test. Thanks to Tanya Janca (@shehackspurple), an OWASP specialist, who suggested I try out the OWASP ZAP tool.

“The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a great tool for experienced pen testers to use for manual security testing.”

Some of ZAP’s functionality:

  • Man-in-the-middle Proxy
  • Traditional and AJAX spiders
  • Automated scanner
  • Passive scanner
  • Forced browsing
  • Fuzzer
  • Dynamic SSL certificates
  • Smartcard and Client Digital Certificates support
  • Web sockets support
  • Support for a wide range of scripting languages
  • Plug-n-Hack support
  • Authentication and session support
  • Powerful REST based API
  • Automatic updating option
  • Integrated and growing marketplace of add-ons

Just to let you know, I’m not trained in OWASP-related app security, but I at least want to show some basic tooling against this WAF.

To start this simple penetration test, open the OWASP ZAP tool and go to the Quick Start tab.

For URL to attack, enter the URL of your web app, which is fronted by the Azure App Gateway and WAF, then click the Attack button.

In the bottom pane, you can see the attack scan taking place.

When it finishes, the Alerts tab shows a list of findings and recommendations.
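The same Quick Start flow, driven through ZAP’s REST API so the scan of your own app behind the gateway can be repeated from a script. This is an added example, not code from the original post; it assumes ZAP is listening on its default 127.0.0.1:8080 with the API key exported as ZAP_API_KEY, and TARGET is a placeholder for your app’s URL.

```python
import json
import os
import time
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"                 # assumption: ZAP's default local API address
API_KEY = os.environ.get("ZAP_API_KEY", "")   # placeholder: key from ZAP's Options > API
TARGET = "https://your-app.example.com"       # placeholder: your own app behind the WAF


def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL such as /JSON/spider/action/scan/?url=...&apikey=..."""
    query = {"apikey": API_KEY, **params}
    return f"{ZAP}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(query)


def call(component, kind, name, **params):
    """Issue one API request and decode the JSON reply."""
    with urllib.request.urlopen(api_url(component, kind, name, **params), timeout=30) as r:
        return json.load(r)


def wait_for(component, scan_id):
    """Poll the spider or ascan status (a percentage string) until it reaches 100."""
    while int(call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(2)


def summarize_alerts(alerts):
    """Group alert names by risk, like the Alerts tab; input is ZAP's alerts list."""
    grouped = {}
    for alert in alerts:
        grouped.setdefault(alert["risk"], set()).add(alert["alert"])
    return {risk: sorted(names) for risk, names in grouped.items()}


def run_scan(target=TARGET):
    """Spider, then active-scan the target, then return its alerts grouped by risk."""
    spider_id = call("spider", "action", "scan", url=target)["scan"]
    wait_for("spider", spider_id)
    ascan_id = call("ascan", "action", "scan", url=target)["scan"]
    wait_for("ascan", ascan_id)
    return summarize_alerts(call("core", "view", "alerts", baseurl=target)["alerts"])


if __name__ == "__main__":
    for risk, names in sorted(run_scan().items()):
        print(f"{risk}: {', '.join(names)}")
```

Comparing the grouped alerts with the WAF turned off and on shows which of ZAP’s probes the selected OWASP rule set actually blocked.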

For more advanced use of this tool, check out these tutorials.

Next, we will go through how to use Azure Log Analytics to query the web application firewall logs produced by the ZAP tool’s attack scans, in the article Penetration Testing Your Web App with Azure Application Gateway WAF Part 3: Log Analytics.

4 thoughts on “Penetration Testing Your Web App with Azure Application Gateway WAF Part 2: OWASP ZAP Tool”

  1. Pingback: Penetration Testing Your Web App with Azure Application Gateway WAF Part 3: Log Analytics – Roy Kim on Azure, Office 365 and SharePoint

    1. Definitely. The OWASP ZAP tool is a penetration test tool for web applications. WAF configuration is just another layer of security to detect or block requests that are identified by the selected OWASP rule sets. You should always design and implement your web app against cyber attacks such as SQL injection and XSS and test with the OWASP tool. And then you can test with WAF in front of it for an added layer of security and/or monitoring.
