Penetration Testing Your Web App with Azure Application Gateway WAF Part 2: OWASP ZAP Tool

Continuing from my last post Penetration Testing Your Web App with Azure Application Gateway WAF Part 1: Intro, I will demonstrate a very simple penetration test. Thanks to Tanya Janca (@shehackspurple), an OWASP specialist, who suggested I try out the OWASP ZAP tool.

“The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pen testers to use for manual security testing.”

Some of ZAP’s functionality:

  • Man-in-the-middle Proxy
  • Traditional and AJAX spiders
  • Automated scanner
  • Passive scanner
  • Forced browsing
  • Fuzzer
  • Dynamic SSL certificates
  • Smartcard and Client Digital Certificates support
  • Web sockets support
  • Support for a wide range of scripting languages
  • Plug-n-Hack support
  • Authentication and session support
  • Powerful REST based API
  • Automatic updating option
  • Integrated and growing marketplace of add-ons

Just to you let you know, I’m not trained in OWASP related app security, but at least want to show some basic tooling against this WAF.

To start this simple penetration test, open the OWASP ZAP tool, go to the Quick start tab
PenTestWAF5

For URL to attack, enter the URL of your web app which is fronted with the Azure App Gateway and WAF.
PenTestWAF6
Click Attack button

In the bottom pane, see the attack scan taking place
PenTestWAF7

When it finishes, in the Alerts, we can see a list of recommendations.
PenTestWAF8

For more advanced use of this tool, check out these tutorials

 

 

Next, we will go through how to use Azure Log Analytics to query the web application firewall logs as a result of the ZAP tool’s attack scans in the article Penetration Testing Your Web App with Azure Application Gateway WAF Part 3: Log Analytics

 

4 thoughts on “Penetration Testing Your Web App with Azure Application Gateway WAF Part 2: OWASP ZAP Tool

  1. Pingback: Penetration Testing Your Web App with Azure Application Gateway WAF Part 3: Log Analytics – Roy Kim on Azure, Office 365 and SharePoint

    1. Definitely. OWASP Zap tool is a penetration test tool for web applications. WAF configuration is just another layer of security to detect or block request that are identified by the selected OWASP rule sets. You should always design and implement your web app against cyber attacks such as sql injection and xss and test with the OWASP tool. And then you can test with WAF in front of it for added layer of security and/or monitoring.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s