5/15/23, 8:35 PM
Week 4 Lab: CIT 383 (Spring 2023; 32122) Networking Fundamentals
Week 4 Lab
Overview
For lab this week, we’re going to download and use the OWASP (https://www.owasp.org/index.php/Main_Page) Zed Attack Proxy (https://owasp.org/www-project-zap/) (ZAP) to test for security vulnerabilities in a Node application. Before using ZAP, we’re going to validate the checksum of the ZAP installer we download. You are encouraged to also read some of the background articles.
The ZAP application is a Java application. As part of the installation, an appropriate version of the Java Runtime Environment (JRE) will be installed. Having the JRE installed will not hurt your computer, but you’re welcome to uninstall it when you’re finished using ZAP.
Important: Initially my computer prevented me from accessing the ZAP website at www.zaproxy.org (http://www.zaproxy.org), preventing me from downloading the tool. After enabling my VPN, I was able to access the website and download the tool. You are welcome to try to download the tools from the websites, or you can use the links below to download the appropriate installer and the XML versions file from copies stored on Canvas.
- ZAP 2.9.0 Windows 64-bit installer (view: https://canvas.uoregon.edu/courses/218258/files/15774441/download?wrap=1; direct download: https://canvas.uoregon.edu/courses/218258/files/15774441/download?download_frd=1)
- ZAP 2.9.0 Windows 32-bit installer (view: https://canvas.uoregon.edu/courses/218258/files/15774453/download?wrap=1; direct download: https://canvas.uoregon.edu/courses/218258/files/15774453/download?download_frd=1)
- ZAP 2.9.0 MacOS installer (view: https://canvas.uoregon.edu/courses/218258/files/15774442/download?wrap=1; direct download: https://canvas.uoregon.edu/courses/218258/files/15774442/download?download_frd=1)
- ZAP 2.9.0 XML versions file (view: https://canvas.uoregon.edu/courses/218258/files/15774408/download?wrap=1; direct download: https://canvas.uoregon.edu/courses/218258/files/15774408/download?download_frd=1)
Interesting Reads
- Refer to Wikipedia’s Checksum (https://en.wikipedia.org/wiki/Checksum) article for a discussion of what a checksum is and how it’s calculated. You can also refer to an easier-to-understand article, “What is a Checksum and How to Calculate a Checksum” (https://www.online-tech-tips.com/cool-websites/what-is-checksum/) by OnlineTechTips.
- Refer to Wikipedia’s Hash function (https://en.wikipedia.org/wiki/Hash_function) article to learn more about hashes.
- Refer to Wikipedia’s Web crawler (https://en.wikipedia.org/wiki/Web_crawler) article to learn more about website spiders.
- Refer to Wikipedia’s Cross-site scripting (https://en.wikipedia.org/wiki/Cross-site_scripting) article to learn more about XSS.
- Refer to the About /robots.txt (http://www.robotstxt.org/robotstxt.html) article by robotstxt.org to learn more about robots.txt.
Lab Data
For this lab, create a new file called cit383-lab04.pdf. You will update this file with information, including screen captures, throughout the lab. Look for items marked with >> that indicate what data you should be recording to your lab file.
Part 1: Download ZAP
Navigate to the ZAP download page (https://www.zaproxy.org/download/), and download the version appropriate to your operating system. Do not run the installer until after you’ve validated the installer’s checksum value.
On the ZAP download page, scroll down to the section “Latest Versions” and find the link to the ZapVersions XML file. Click on the link to display an XML file with the latest checksum values. Find the hash that matches the version you downloaded, and save both the hash value and the type of hash.
Tip: You can also copy the XML content, and paste the content into an online XML viewer program. I’d recommend Code Beautify XML Viewer (https://codebeautify.org/xmlviewer). To use, paste the content into the XML Input pane on the left, then click on the Tree View button in the middle to see the XML formatted into a hierarchical tree layout. Move down through the tree to find the ZAP version you downloaded, and note the hash type (the hashing algorithm; this is a hash, not encryption) and the hash value.
>> Document the version of the installer you will use to install ZAP.
Part 2: Calculate Checksum
You will need a program to calculate the checksum of a file. Normally, you would want to make sure such a program was from a trusted source, so that you could trust the calculated checksums. We will use the MD5 & SHA1 Hash Generator (http://onlinemd5.com/) by OnlineMD5. Navigate to the page, select the Checksum type that matches the hash type from the ZapVersions XML file, and drag the ZAP installer you downloaded onto the web page, or alternatively use the Choose File button.
Compare the hash you computed with the hash in ZapVersions XML file and make sure they match.
>> Record the calculated hash value for your installer.
>> Record whether the calculated hash value matches the value from the XML file. If the hash does NOT match, you should not install ZAP.
Part 2.1: Calculating Checksum via Command Line
As an alternative to using an online program, you can run command line tools to compute the hash of any file, depending on your operating system. Both commands below compute a SHA-256 hash, which assumes the ZapVersions XML file lists a SHA-256 value for your installer; if it lists a different hash type, change the algorithm argument to match.
For example, if you have Windows, open PowerShell and run the following command. This command will NOT work from the Windows Command window.
Get-FileHash \path\to\file -Algorithm sha256
If you have MacOS, open Terminal and run the following command.
shasum -a 256 /path/to/file
Compare the hash you computed with the hash in ZapVersions XML file and make sure they match.
>> Run the appropriate version of the hash calculation. Use a screen capture to copy the PowerShell or Terminal window that displays the execution and the result.
Part 3: Install ZAP
The checksum (hash) values should match, so you’re ready to install ZAP. Carefully read the installation dialogs, and uncheck anything that has to do with sending usage statistics.
As mentioned above, the JRE will be installed as part of the installation.
Part 4: Download, setup and run test Node application
To test ZAP, you will download a sample Node application. You’ll use git to clone the Node application from GitHub. After cloning the repository, a new folder called zaptest will be created.
Open a Command window or Terminal, and issue the following git command to clone the Node application:
git clone https://github.com/pcolbert/zaptest.git
Once the clone is complete, change to the zaptest folder, and issue the following npm command to download the dependency packages:
npm install
Run the zaptest Node application by issuing the following Node command:
node index.js
Confirm the node application is running by using your browser and navigating to the following URL:
http://localhost:3400
>> Again perform a screen capture of starting the node application on your computer.
Note: If you already have an application listening on port 3400, edit index.js and change the port assignment. Also, if for some reason localhost doesn’t work, use 127.0.0.1 instead of localhost.
Part 5: Test Node application using ZAP
Warning: You should only use ZAP on your own applications, or web sites that you have been granted permission to attack!
Run the ZAP application, selecting to not save the session. In the Quick Start tab, click on the Automated Scan button, enter the Node application URL, and click on the Attack button.
When the attack is complete, examine the Alerts, Spider and Active Scan tabs at the bottom of ZAP.
In the Spider tab, note the two files that were attacked. Research what both of these files are used for on websites.
In the Alerts tab, select through the different alerts, and research each alert to see if you can identify what it might mean. You can select each alert for details.
In the Active Scan tab, examine the different types of attacks. Use the Code and Reason columns to identify the attacks that failed, and the attacks that seemed to get a valid response.
While selecting different scans in the Active Scan tab, the top section includes two tabs: Request and Response. View both of these tabs separately as you switch between different active scans to see what was sent (Request) to the Node application, and what was sent back (Response) from the Node application.
Part 6: Update Node application to respond to a request for robots.txt
Stop the running zaptest Node application, and add the following code before the `start server` code:
// Serve a robots.txt that asks crawlers to stay out of /secret
app.get('/robots.txt', (req, res) => {
  res.send('User-agent: *\nDisallow: /secret');
});
Restart the Node application, and re-run the ZAP attack. You should now see that ZAP tried to find /secret!
>> Perform a screen capture of the Spider tab after re-running the ZAP attack against the modified Node application.
>> Provide a sentence that describes what you think the ZAP attack did when the robots.txt file was added. As a hint, read up on the purpose of a robots.txt file, and note the content that was returned.
Part 7: Explore
Feel free to read more about ZAP from the OWASP ZAP User Guide (https://www.zaproxy.org/docs/desktop/), or other online ZAP articles, such as Quick and Easy Website Vulnerability Scans with OWASP-ZAP (https://cyberarms.wordpress.com/2014/06/05/quick-and-easywebsite-vulnerability-scans-with-owasp-zap/) by Cyber Arms.
Deliverable
Save the lab file, cit383-lab04.pdf. This PDF file will be a deliverable with Project 5.