OWASP ZAP (Zed Attack Proxy) Lab

1.5 hours
  • 6 Learning Objectives

About this Hands-on Lab

In this lab the student uses OWASP ZAP (Zed Attack Proxy) to perform a pentest (penetration test) against a sample application. The application staged for scanning is the WebGoat web application. Two AWS EC2 instances are created: the first hosts the ZAP application, the second hosts the WebGoat application. The student is guided through running ZAP from the Linux command line to execute the test, then interrogates the results and considers various resources for determining appropriate remediation.
> *NOTE: This lab takes some extra time to provision. If the WebGoat web site does not come up right away, please give the lab a few minutes to finish setting up. Due to recent system changes and version updates, this lab will no longer show the same vulnerabilities as depicted in the lab video. At times there may even be no vulnerabilities found.*
> *I recommend that you still complete the lab and the follow-up activities as shown, but not be concerned or disappointed if you do not produce the same vulnerabilities as shown in the video.*
> *Work is underway to bake in some vulnerabilities so that students always have something to research and try to fix.*

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Use the student’s browser to run the WebGoat application and Register the clouduser username

The student should run their browser (Chrome is recommended) and then navigate to the address of the WebGoat instance.

http://[EC2 Server Public-IP]:8080/WebGoat

*Note: The application listens on port 8080, not port 80.*

Register the clouduser username to the WebGoat instance

The student should choose to register a new user, using the following username and password:

username: clouduser
password: password

Once the username has been set up, the student should go to the next task.

Use SSH or Terminal to access the ZAP EC2 Instance as cloud_user

After registering the clouduser username in the WebGoat application, the student should use the terminal emulator of their choice to access the OWASP ZAP EC2 Instance as cloud_user.

$ ssh cloud_user@[PUBLIC IP ADDRESS (of the ZAP server)]

Once logged in, proceed to the next task.

Run the OWASP ZAP PenTest

The student will see a run-zap.sh shell script in the /home/cloud_user directory.

Run that script with the following command:

$ sudo sh run-zap.sh [PRIVATE IP ADDRESS (of the EC2 Instance running WebGoat)]

*Note: Please use the private IP address of the WebGoat server so that the PenTest traffic stays inside the VPC rather than crossing Amazon's external network segments.*

Copy the ‘zapreport.html’ Report to the Apache Web Server Directory

Once the OWASP ZAP scan has completed, the student can use the following command to copy the report to the Apache web root directory.

$ sudo cp zapreport.html /var/www/html

*Note: sudo is required because of the restrictive write permissions on the Apache web root directory.*
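The lab's own run-zap.sh is not shown on this page. The following added example (not the lab's script) wraps the same three steps, scan, report, copy, behind the check the note above asks for: it refuses any target that is not an RFC 1918 private IPv4 address, waits for WebGoat to answer on port 8080 before starting (the provisioning note says it can take a few minutes), and then copies the report into the Apache web root. It assumes ZAP is installed with `zap.sh` on the PATH and that ZAP's `-cmd -quickurl ... -quickout ...` headless options are available; the report path /home/cloud_user/zapreport.html follows the copy command in this lab.

```shell
#!/bin/sh
# Added example, not the lab's run-zap.sh. Assumes zap.sh is on PATH and
# that WebGoat listens on port 8080 at http://<private-ip>:8080/WebGoat.

# is_private_ipv4 IP -> exit 0 if IP is a well-formed RFC 1918 address, else 1.
# Ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
is_private_ipv4() {
  ip="$1"
  # Reject anything that is not digits and dots, or has an empty octet.
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s' "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] 2>/dev/null || return 1
  done
  case "$1.$2" in
    10.*)    return 0 ;;
    192.168) return 0 ;;
    172.*)   [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
  esac
  return 1
}

# wait_for_webgoat URL -> poll until the site responds (max 30 tries, 10 s apart).
wait_for_webgoat() {
  url="$1"
  tries=0
  until curl -sf -o /dev/null "$url"; do
    tries=$((tries + 1))
    if [ "$tries" -ge 30 ]; then
      echo "WebGoat not reachable at $url after $tries attempts" >&2
      return 3
    fi
    sleep 10
  done
}

# run_scan PRIVATE_IP -> validate, wait, scan, copy the report to the Apache web root.
run_scan() {
  target="$1"
  report=/home/cloud_user/zapreport.html   # same file the lab copies below
  if ! is_private_ipv4 "$target"; then
    echo "Refusing to scan $target: not an RFC 1918 private IPv4 address" >&2
    return 2
  fi
  url="http://$target:8080/WebGoat"
  wait_for_webgoat "$url" || return $?
  # Assumed ZAP headless invocation (quick scan of one URL, HTML report out).
  zap.sh -cmd -quickurl "$url" -quickout "$report" -quickprogress
  sudo cp "$report" /var/www/html/
  echo "Report copied; browse to http://<ZAP public IP>/zapreport.html"
}

# Usage: sudo sh zap-guard.sh <private IP of the WebGoat instance>
if [ $# -gt 0 ]; then
  run_scan "$1"
fi
```

The address check is deliberately strict about shape as well as range, so a typo such as a missing octet or a public address fails fast instead of producing a long scan against the wrong host.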

Use the Student’s Browser To View the OWASP ZAP Report

Once the zapreport.html file has been copied to the Apache web root directory, the student may view the report at the following URL:

http://[ZAP EC2 Public IP Address]/zapreport.html

Additional Resources

This lab spins up two EC2 servers: one hosting the OWASP ZAP program, and the other running the WebGoat web application. The video has a play-by-play walkthrough of the lab, and the lab's activity guide explains the steps to run it.

Note: The deep dive mentioned in the lab is not currently available.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
