OWASP ZAP Application Project

For lab this week, we’re going to download and use the OWASP Zed Attack Proxy (ZAP) to test for security vulnerabilities in a Node application. Before using ZAP, we’re going to validate the application’s checksum value. You are encouraged to also read some of the background articles.

The ZAP application is a Java application. As part of the installation, an appropriate version of the Java Runtime Environment (JRE) will be installed. Having the JRE installed will not hurt your computer, but you’re welcome to uninstall it when you’re finished using ZAP.

Important: Initially my computer prevented me from accessing the ZAP website at www.zaproxy.org, preventing me from downloading the tool. After enabling my VPN, I was able to access the website and download the tool. You are welcome to try to download the tools from the websites, or you can use the links below to download copies of the appropriate install file and the XML file stored on Canvas.

Interesting Reads

Lab Data

For this lab, create a new file called cit383-lab04.pdf. You will update this file with information, including screen captures, throughout the lab. Look for items marked with >> that indicate what data you should be recording in your lab file.

Part 1: Download ZAP

Navigate to the ZAP download page and download the version appropriate to your operating system. Do not run the installer until after you have validated the installer’s checksum value.

On the ZAP download page, scroll down to the section “Latest Versions” and find the link to the ZapVersions XML file. Click on the link to display an XML file with the latest checksum values. Find the hash that matches the version you downloaded, and save the hash value and the type of hash.

Tip: You can also copy the XML content and paste it into an online XML viewer.
I’d recommend Code Beautify XML Viewer. To use it, paste the content into the XML Input pane on the left, then click on the Tree View button in the middle to see the XML formatted as a hierarchical tree. Move down through the tree to find the ZAP version you installed, and note the hash type (the algorithm) and the hash value.

>> Document the version of the installer you will use to install ZAP.

Part 2: Calculate Checksum

You will need a program to calculate the checksum of a file. Normally, you would want to make sure such a program came from a trusted source so that you could trust the calculated checksums. We will use the MD5 & SHA1 Hash Generator by OnlineMD5. Navigate to the page, select the Checksum type that matches the hash type from the ZapVersions XML file, and drag the ZAP installer you downloaded onto the web page, or alternatively use the Choose File button.

Compare the hash you computed with the hash in the ZapVersions XML file and make sure they match.

>> Record the calculated hash value for your installer.
>> Record whether the calculated hash value matches the value from the XML file. If the hashes do NOT match, you should not install ZAP.

Part 2.1: Calculating Checksum via Command Line

As an alternative to using an online program, you can use command line tools to compute the hash of any file, depending on your operating system.

For example, on Windows, open PowerShell and run the following command. This command will NOT work from the Windows Command window.

Get-FileHash \path\to\file -Algorithm sha256

On macOS, open Terminal and run the following command.

shasum -a 256 /path/to/file

Compare the hash you computed with the hash in the ZapVersions XML file and make sure they match.

>> Run the appropriate version of calculating the hash.
>> Use a screen capture to copy the PowerShell or Terminal window that displays the command and its result.

Part 3: Install ZAP

The checksum (hash) values should match, so you’re ready to install ZAP. Carefully read the installation dialogs, and uncheck anything that has to do with sending usage statistics. As mentioned above, the JRE will be installed as part of the installation.

Part 4: Download, set up and run the test Node application

To test ZAP, you will download a sample Node application. You’ll use git to clone the Node application from GitHub. After cloning the repository, a new folder called zaptest will be created.

Open a Command window or Terminal, and issue the following git command to clone the Node application:

Once the clone is complete, change to the zaptest folder, and issue the following npm command to download the dependency packages:

Run the zaptest Node application by issuing the following Node command:

Confirm the Node application is running by using your browser and navigating to the following URL:

>> Again perform a screen capture of starting the Node application on your computer.

Note: If you already have an application listening on port 3400, edit index.js and change the port assignment. Also, if for some reason localhost doesn’t work, use 127.0.0.1 instead of localhost.

Part 5: Test the Node application using ZAP

Warning: You should only use ZAP on your own applications, or web sites that you have been granted permission to attack!

Run the ZAP application, selecting not to save the session. In the Quick Start tab, click on the Automated Scan button, enter the Node application URL, and click on the Attack button.

When the attack is complete, examine the Alerts, Spider and Active Scan tabs at the bottom of ZAP.

In the Spider tab, note the two files that were attacked. Research what both of these files are used for on websites.

In the Alerts tab, select through the different alerts, and research each alert to see if you can identify what it might mean.
You can select each alert for details.

In the Active Scan tab, examine the different types of attacks. Use the Code and Reason columns to identify the attacks that failed, and the attacks that seemed to get a valid response.

While selecting different scans in the Active Scan tab, the top section includes two tabs: Request and Response. View both of these tabs separately as you switch between different active scans to see what was sent (Request) to the Node application, and what was sent back (Response) from the Node application.

Part 6: Update the Node application to respond to a request for robots.txt

Stop the running zaptest Node application, and add the following code before the start server code:

Restart the Node application, and re-run the ZAP attack. You should now see that ZAP tried to find /secret!

>> Perform a screen capture of the Spider tab after re-running the ZAP attack with the modified Node application.
>> Provide a sentence that describes what you think the ZAP attack did after you added the robots.txt file. As a hint, read up on the purpose of a robots.txt file, and note the content that was returned.
