Now import the certificate in the browser.Ĭonfiguring proxy in OWASP – Go to tools ->Options->Local proxy and we can configure the port there for which we are setting the proxy (i.e. From the top bar, go to Tools menu> Options>Dynamic SSL Certificate and click on generate and save the certificate. To use the ZAP Proxy we will need to first install ZAP’s CA root certificate in our browser. To monitor security threats to our application we need to set OWASP as a proxy and will browse the application through OWASP proxy. How to configure ZAP Proxy to monitor security threats for our application Step 1: Installing ZAPĭownload and install ZAP 2.7.0 standard from Step 2: Setting up a proxy on ZAP and Browser We can configure it to find security vulnerabilities in web applications in the developing phase. Once the zapreport.html file has been copied to the Apache Web Root directory, the student may view the report with the following URL Address: EC2 Public IP Address]/zapreport.OWASP ZAP ( Zed Attack Proxy) is an open source web application security scanner. Use the Student’s Browser To View the OWASP ZAP Report * Note: sudo is required because of the restrictive write permissions on the Apache Webroot directory. Once the OWASP ZAP scan has completed, the student can use the following command to copy the report to the apache Web Root directory. Copy the ‘zapreport.html’ Report to the Apache Web Server Directory * Note: Please use the Private IP address of the WebGoat server to avoid running the PenTest across Amazon’s external network segments. Run that script with the following command: $ sudo sh run-zap.sh The student will see a run-zap.sh shell script in the /home/cloud_user directory. Once logged in, proceed to the next task. Use SSH or Terminal to access the ZAP EC2 Instance as cloud_userĪfter registering the clouduser username in the WebGoat application, the student should use the terminal emulator of their choice to access the OWASP ZAP EC2 Instance as cloud_user. Once the username has been setup, the student should go to the next task. The following username and password should be used. The student should choose to register the user. *Note: The application is listening on port 8080 not 80 Register the clouduser username to the WebGoat instance The student should run their browser (Chrome is recommended) and then navigate to the address of the WebGoat instance. Successfully complete this lab by achieving the following learning objectives: Use the student’s browser to run the WebGoat application and Register the clouduser username > Work is underway to bake in some vulnerabilities so that students always have something to research and try to fix*. > I recommend that you still complete the lab and the follow up activities as shown, but not be concerned or disappointed if you do produce the same vulnerabilities as shown in the video. At times there may even be no vulnerabilities found. Due to recent system changes & version updates this lab will no longer show the same vulnerabilities as depicted in the Lab video. If the goat web site does not come up right away, please give the lab a few minutes to finish setting up. > *NOTE: This lab takes some extra time to provision. Then the student is able to interogate the results and consider various resources for determining appropriate remediation. The student is guided through the process of running ZAP from their Linux command line to execute the test. The second is to host the WebGoat application. The first is to host the ZAP application. The application staged for scanning is the WebGoat web application. In this lab the student is able to use the OWASP ZAP (Zed Attack Proxy) to do a pentest (penetration test) on a sample application.
0 Comments
Leave a Reply. |