Lab
A Cloud Guru

OWASP ZAP (Zed Attack Proxy) Lab

In this lab the student is able to use the OWASP ZAP (Zed Attack Proxy) to do a pentest (penetration test) on a sample application. The application staged for scanning is the WebGoat web application. Two AWS EC2 instances are created. The first is to host the ZAP application. The second is to host the WebGoat application. The student is guided through the process of running ZAP from their Linux command line to execute the test. Then the student is able to interogate the results and consider various resources for determining appropriate remediation. > *NOTE: This lab takes some extra time to provision. If the goat web site does not come up right away, please give the lab a few minutes to finish setting up. Due to recent system changes & version updates this lab will no longer show the same vulnerabilities as depicted in the Lab video. At times there may even be no vulnerabilities found. > I recommend that you still complete the lab and the follow up activities as shown, but not be concerned or disappointed if you do produce the same vulnerabilities as shown in the video. > Work is underway to bake in some vulnerabilities so that students always have something to research and try to fix*.

Try for free Contact sales

Path Info

Level

Beginner

Duration

1h 30m

Published

Nov 14, 2018

Challenge

Use the student's browser to run the WebGoat application and Register the clouduser username
The student should run their browser (Chrome is recommended) and then navigate to the address of the WebGoat instance.
```
http://[EC2 Server Public-IP]:8080/WebGoat
```
*Note: The application is listening on port 8080 not 80 
Challenge

Register the clouduser username to the WebGoat instance
The student should choose to register the user. The following username and password should be used.
```
username: clouduser
password: password
```
Once the username has been setup, the student should go to the next task.
Challenge

Use SSH or Terminal to access the ZAP EC2 Instance as cloud_user
After registering the clouduser username in the WebGoat application, the student should use the terminal emulator of their choice to access the OWASP ZAP EC2 Instance as cloud_user.
```
$ ssh cloud_user@[PUBLIC IP ADDRESS (of the ZAP server)]
```
Once logged in, proceed to the next task.
Challenge

Run The OWASP Zap PenTest
The student will see a run-zap.sh shell script in the /home/cloud_user directory.

Run that script with the following command:
```
$ sudo sh run-zap.sh [PRIVATE IP ADDRESS (of the EC2 Instance running WebGoat]
```
*Note: Please use the Private IP address of the WebGoat server to avoid running the PenTest across Amazon's external network segments.
Challenge

Copy the 'zapreport.html' Report to the Apache Web Server Directory
Once the OWASP ZAP scan has completed, the student can use the following command to copy the report to the apache Web Root directory.
```
$ sudo cp zapreport.html /var/www/html
```
*Note: sudo is required because of the restrictive write permissions on the Apache Webroot directory.
Challenge

Use the Student's Browser To View the OWASP ZAP Report
Once the zapreport.html file has been copied to the Apache Web Root directory, the student may view the report with the following URL Address:
```
http://[ZAP EC2 Public IP Address]/zapreport.html
```

Author

A Cloud Guru

The Cloud Content team comprises subject matter experts hyper focused on services offered by the leading cloud vendors (AWS, GCP, and Azure), as well as cloud-related technologies such as Linux and DevOps. The team is thrilled to share their knowledge to help you build modern tech solutions from the ground up, secure and optimize your environments, and so much more!

What's a lab?

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.