Continuing from my last post Penetration Testing Your Web App with Azure Application Gateway WAF Part 1: Intro, I will demonstrate a very simple penetration test. Thanks to Tanya Janca (@shehackspurple), an OWASP specialist, who suggested I try out the OWASP ZAP tool.
“The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a great tool for experienced pen testers to use for manual security testing.”
- Man-in-the-middle Proxy
- Traditional and AJAX spiders
- Automated scanner
- Passive scanner
- Forced browsing
- Fuzzer
- Dynamic SSL certificates
- Smartcard and Client Digital Certificates support
- Web sockets support
- Support for a wide range of scripting languages
- Plug-n-Hack support
- Authentication and session support
- Powerful REST based API
- Automatic updating option
- Integrated and growing marketplace of add-ons
Just to let you know, I’m not trained in OWASP-related app security, but I at least want to show some basic tooling against this WAF.
To start this simple penetration test, open the OWASP ZAP tool and go to the Quick Start tab.
For "URL to attack", enter the URL of your web app, which is fronted by the Azure Application Gateway and WAF.
Click the Attack button.
In the bottom pane, you can watch the attack scan taking place.
When it finishes, the Alerts tab shows a list of findings and recommendations.
For more advanced use of this tool, check out these tutorials.
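The Alerts list is easier to act on once it is exported as a report and triaged programmatically. The script below is an added example (it is not ZAP's code and not from the original post): it reads ZAP's JSON report layout as I understand it (a `site` array whose entries carry an `alerts` array with `pluginid`, `riskcode`, `confidence`, `cweid` and `instances`), counts alerts per risk level while dropping what ZAP marks as likely false positives, and then compares a scan run directly against the app with a scan run through the WAF, which is the two-step approach the comments below recommend. Both embedded reports are constructed samples, the hostname is a placeholder, and the plugin ids are illustrative values taken from ZAP's rule set as I recall them.

```python
"""Triage and compare OWASP ZAP JSON alert reports (added example, not ZAP's own code).

Assumptions, all labelled: the report layout follows ZAP's traditional JSON
report (site[] -> alerts[] -> instances[]); riskcode 0..3 means
Informational/Low/Medium/High and confidence 0 means "false positive".
The two reports below are constructed samples, not real scan output.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample: scan run directly against the app, no WAF in front.
# Only the fields the helper reads are included; plugin ids are illustrative.
REPORT_NO_WAF = json.dumps({
    "@version": "2.x",
    "site": [{
        "@name": "https://app.example.invalid",
        "alerts": [
            {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3",
             "confidence": "2", "cweid": "89",
             "instances": [{"uri": "https://app.example.invalid/search?q=a",
                            "method": "GET", "param": "q"}]},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2", "cweid": "79",
             "instances": [{"uri": "https://app.example.invalid/search?q=b",
                            "method": "GET", "param": "q"}]},
            {"pluginid": "10020", "alert": "X-Frame-Options Header Not Set",
             "riskcode": "2", "confidence": "2", "cweid": "1021",
             "instances": [{"uri": "https://app.example.invalid/",
                            "method": "GET", "param": ""}]},
            {"pluginid": "10096", "alert": "Timestamp Disclosure", "riskcode": "1",
             "confidence": "0", "cweid": "200",
             "instances": [{"uri": "https://app.example.invalid/",
                            "method": "GET", "param": ""}]},
        ],
    }],
})

# Constructed sample: the same app scanned through the WAF. The injection
# payloads were blocked at the edge, so only the missing-header alert remains.
REPORT_WAF = json.dumps({
    "@version": "2.x",
    "site": [{
        "@name": "https://app.example.invalid",
        "alerts": [
            {"pluginid": "10020", "alert": "X-Frame-Options Header Not Set",
             "riskcode": "2", "confidence": "2", "cweid": "1021",
             "instances": [{"uri": "https://app.example.invalid/",
                            "method": "GET", "param": ""}]},
        ],
    }],
})


def load_alerts(report_json):
    """Flatten a ZAP JSON report into a list of (site name, alert dict)."""
    data = json.loads(report_json)
    return [(site.get("@name", ""), alert)
            for site in data.get("site", [])
            for alert in site.get("alerts", [])]


def summarize_by_risk(report_json, min_confidence=1):
    """Count alerts per risk level, skipping anything below min_confidence
    (confidence 0 is ZAP's 'false positive' marker)."""
    counts = Counter()
    for _, alert in load_alerts(report_json):
        if int(alert.get("confidence", "0")) < min_confidence:
            continue
        counts[RISK_NAMES[int(alert["riskcode"])]] += 1
    return dict(counts)


def alert_keys(report_json, min_confidence=1):
    """Set of (pluginid, cweid, path, param) tuples: the granularity at which
    two scans of the same app are compared (query strings are dropped
    because the scanner's payload varies between runs)."""
    keys = set()
    for _, alert in load_alerts(report_json):
        if int(alert.get("confidence", "0")) < min_confidence:
            continue
        for inst in alert.get("instances", []):
            path = urlsplit(inst.get("uri", "")).path
            keys.add((alert["pluginid"], alert.get("cweid", ""), path, inst.get("param", "")))
    return keys


def compare_runs(baseline_json, waf_json):
    """Split the baseline findings into those the WAF blocked ('mitigated')
    and those still reachable through it ('remaining'); 'new_with_waf' lists
    alerts that only appear when the WAF is in the path."""
    base, waf = alert_keys(baseline_json), alert_keys(waf_json)
    return {"mitigated": sorted(base - waf),
            "remaining": sorted(base & waf),
            "new_with_waf": sorted(waf - base)}


if __name__ == "__main__":
    print("no WAF :", summarize_by_risk(REPORT_NO_WAF))
    print("with WAF:", summarize_by_risk(REPORT_WAF))
    for bucket, items in compare_runs(REPORT_NO_WAF, REPORT_WAF).items():
        print(bucket, items)
```

The "mitigated" bucket is evidence that the WAF rule set caught the scanner's payloads, not that the application is fixed: the same injection points are still there behind the gateway, so those alerts belong on the development backlog, while "remaining" shows what the WAF cannot help with (response headers, for instance) and "new_with_waf" usually reflects the gateway's own block responses.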
Next, we will go through how to use Azure Log Analytics to query the web application firewall logs generated by the ZAP tool’s attack scans, in the article Penetration Testing Your Web App with Azure Application Gateway WAF Part 3: Log Analytics.
Will OWASP ZAP work without the WAF configuration?
Definitely. The OWASP ZAP tool is a penetration test tool for web applications. WAF configuration is just another layer of security to detect or block requests that are identified by the selected OWASP rule sets. You should always design and implement your web app against cyber attacks such as SQL injection and XSS and test with the OWASP tool. And then you can test with the WAF in front of it for an added layer of security and/or monitoring.
Thank You!! 🙂