In this lab the student uses OWASP ZAP (Zed Attack Proxy) to run a pentest (penetration test) against a sample application. The application staged for scanning is the WebGoat web application. Two AWS EC2 instances are created: the first hosts the ZAP application, the second hosts the WebGoat application. The student is guided through running ZAP from the Linux command line to execute the test, then interrogates the results and considers various resources for determining appropriate remediation.
> *NOTE: This lab takes some extra time to provision. If the WebGoat site does not come up right away, please give the lab a few minutes to finish setting up. Due to recent system changes and version updates, this lab will no longer show the same vulnerabilities as depicted in the lab video. At times there may even be no vulnerabilities found.*
> *I recommend that you still complete the lab and the follow-up activities as shown, but do not be concerned or disappointed if you do not produce the same vulnerabilities as shown in the video.*
> *Work is underway to bake in some vulnerabilities so that students always have something to research and try to fix.*
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Use the student's browser to run the WebGoat application and register the clouduser username
The student should run their browser (Chrome is recommended) and then navigate to the address of the WebGoat instance.
http://[EC2 Server Public-IP]:8080/WebGoat
*Note: The application is listening on port 8080, not 80.*
- Register the clouduser username to the WebGoat instance
The student should choose to register the user. The following username and password should be used.
username: clouduser
password: password
Once the username has been set up, the student should go to the next task.
- Use SSH or Terminal to access the ZAP EC2 Instance as cloud_user
After registering the clouduser username in the WebGoat application, the student should use the terminal emulator of their choice to access the OWASP ZAP EC2 Instance as cloud_user.
$ ssh cloud_user@[PUBLIC IP ADDRESS (of the ZAP server)]
Once logged in, proceed to the next task.
- Run the OWASP ZAP PenTest
The student will see a run-zap.sh shell script in the /home/cloud_user directory.
Run that script with the following command:
$ sudo sh run-zap.sh [PRIVATE IP ADDRESS (of the EC2 Instance running WebGoat)]
*Note: Please use the private IP address of the WebGoat server to avoid running the PenTest across Amazon's external network segments.*
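The lab's run-zap.sh is not reproduced on this page. As an added example (not the lab's own script), the wrapper below shows what such a script has to get right: it refuses any target that is not an RFC 1918 private address, so the scan cannot accidentally be pointed across the public network, and then runs ZAP headless in its command-line quick-scan mode, writing an HTML report. It assumes ZAP is installed as zap.sh on the PATH, that WebGoat listens on port 8080 under /WebGoat as the lab states, and that the report should land in the current directory as zapreport.html; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not the lab's run-zap.sh. Assumptions: ZAP is on the PATH as
# "zap.sh", WebGoat listens on port 8080 under /WebGoat, report goes to ./zapreport.html.

ZAP_BIN="${ZAP_BIN:-zap.sh}"
REPORT="${REPORT:-$(pwd)/zapreport.html}"

# Return 0 if $1 is a dotted-quad IPv4 address inside 10/8, 172.16/12 or
# 192.168/16, otherwise 1. Plain POSIX sh so it runs unchanged on the lab host.
is_private_ip() {
    ip="$1"
    # Must be four decimal groups; range of each octet is checked below.
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    case "$1" in
        10)  return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
        192) [ "$2" -eq 168 ] && return 0 ;;
    esac
    return 1
}

# Build the WebGoat URL for a given host IP (port and path per the lab text).
target_url() {
    printf 'http://%s:8080/WebGoat\n' "$1"
}

# Validate the argument, then run a headless ZAP quick scan against it.
# -cmd runs ZAP without a GUI; -quickurl/-quickout are ZAP's quick-scan options,
# and the .html extension of the output file selects the HTML report format.
run_scan() {
    if [ $# -ne 1 ]; then
        echo "usage: $0 <private IP of the WebGoat instance>" >&2
        return 2
    fi
    if ! is_private_ip "$1"; then
        echo "refusing to scan $1: not an RFC 1918 address (use the WebGoat private IP)" >&2
        return 1
    fi
    url="$(target_url "$1")"
    echo "Starting ZAP quick scan against $url, report -> $REPORT" >&2
    "$ZAP_BIN" -cmd -quickurl "$url" -quickout "$REPORT" -quickprogress
}

# Only scan when an argument is given; with no arguments the file just defines
# the functions (useful for sourcing or testing the IP check on its own).
if [ $# -gt 0 ]; then
    run_scan "$@"
fi
```

Invoke it exactly as the lab does, `sudo sh run-zap.sh 10.0.1.5` with the WebGoat instance's private address; a public address such as 54.23.1.9 is rejected before ZAP starts. The quick scan is a spider plus active scan of everything reachable from the start URL without logging in, which is why the report may list few findings on a mostly authenticated application such as WebGoat.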
- Copy the ‘zapreport.html’ Report to the Apache Web Server Directory
Once the OWASP ZAP scan has completed, the student can use the following command to copy the report to the Apache web root directory.
$ sudo cp zapreport.html /var/www/html
*Note: sudo is required because of the restrictive write permissions on the Apache web root directory.*
- Use the student's browser to view the OWASP ZAP report
Once the zapreport.html file has been copied to the Apache web root directory, the student may view the report at the following URL:
http://[ZAP EC2 Public IP Address]/zapreport.html