Welcome to HackeRoyale.

How To Find Vulnerabilities In Websites Using OWASP ZAP?! : Step-By-Step Guide


Hello Viewers, as I already covered some vulnerability scanners earlier, I am now back with another scanner, OWASP ZAP, whose main purpose is to make penetration testing easy so you can discover vulnerabilities in web applications. It is ideal for developers and functional testers as well as security specialists. Let's look at how penetration testing with ZAP works.


OWASP is the Open Web Application Security Project, a vendor-neutral, non-profit group of volunteers dedicated to making web applications more secure.

As part of that, they publish the OWASP Top 10 to highlight the most critical vulnerabilities, and they have built WebGoat, a deliberately vulnerable web application for teaching and testing web application security.

As part of this effort, they have also developed the OWASP Zed Attack Proxy (ZAP) tool.

It is one of the world's most popular free security tools and is actively maintained by many international volunteers.

It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them.

It is also a great tool for experienced pentesters to use for manual security testing.

OWASP ZAP is a Java-based tool for testing web application security.

It has an intuitive GUI and powerful features for things such as fuzzing, scripting, spidering, proxying and attacking web applications.

It is also extensible through numerous add-ons. In that sense, it is an all-in-one web application testing tool. OWASP ZAP may even become your go-to web application testing tool once you get the hang of it.

How Does It Actually Work?

Start Kali Linux

  • I will be using Kali 2.0 here, since so many of you are using it now.
  • Earlier versions of Kali also ship OWASP ZAP, so if you are using one of those, you can still follow this tutorial.


  • If you want to start OWASP ZAP from the command line, you can simply type:

kali > owasp-zap

  • This should start the application as seen below.

  • For those who prefer the GUI approach, go to Applications -> Web Application Analysis -> owasp-zap.

  • The first thing you will see is the license. Go ahead and accept the terms if you are comfortable with them. This is the standard Apache license.
  • When OWASP ZAP eventually opens, it should look like the screenshot below.
  • This tool has many powerful features, but to start with we will only try out its "Attack" function in the large right-hand window.
  • In this mode, OWASP ZAP aggressively goes to the site we specify and begins looking for vulnerabilities.

Attacking a Website

  • Let's first test a site that is deliberately left vulnerable and is safe to test against: webscantest.com [Needs New Link].
  • Put the URL in the box next to "URL to attack" and then simply click the "Attack" button below it.

Attack Results & Alerts

  • When it has finished its work, you should see a screen like the one below.

As you can see in the lower left window, there are eight alerts. These alerts are grouped by the type of vulnerability. They are:

  • Cross Site Scripting
  • Remote OS Command Injection
  • Directory Browsing
  • X-Frame-Options Header Not Set
  • Cookie set without HttpOnly flag
  • Password Autocomplete in browser
  • Web Browser XSS Protection Not Enabled
  • X-Content-Type-Options Header Missing

Next to each category of alert is a number that represents the number of occurrences of that type of vulnerability.

If you click on the arrow next to the alert, it expands to show you each occurrence of the vulnerability.

In the screenshot above, I first clicked on the alert "Cross Site Scripting" and it opened a window with information on it to the right, reflecting the application's rating of the risk (High) and confidence (Medium).

Then I expanded the alert to show each of the XSS vulnerabilities in this web application.

The next step, of course, is to verify each of the reported vulnerabilities to see whether it is genuine.
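The header, cookie and form alerts in the list above are passive findings: ZAP raises them by inspecting the responses it sees, not by sending attack payloads. The following Python script is an added example, not code from the original post or from the ZAP project. It runs the same checks over a raw HTTP response so you can confirm one of those alerts against the actual response before treating it as real, and compares a weak response with a hardened one. Both responses are constructed inline (no network access), the alert titles are taken from the list above, and the regexes for the password-field and directory-listing checks are simplified heuristics, not ZAP's own scan rules.

```python
"""Triage of ZAP's passive header/cookie/form alerts over a raw HTTP response.

Added example, not part of the original post or of OWASP ZAP. The two
responses at the bottom are constructed samples; the alert titles match the
ZAP alert list in the post.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str      # alert title, worded as ZAP labels it
    evidence: str  # what in the response triggered it


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, headers, body).

    Headers come back as (lowercased name, value) pairs in a list so that
    repeated headers such as Set-Cookie are all preserved.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def cookie_attributes(set_cookie: str):
    """Return (cookie name, set of lowercased attribute names) for one Set-Cookie."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def check_response(raw: str) -> list:
    """Run the passive checks; an empty list means the response is clean."""
    _, headers, body = parse_response(raw)
    values = {}
    for name, value in headers:
        values.setdefault(name, []).append(value)
    findings = []

    # Clickjacking protection: the header must be present (DENY or SAMEORIGIN).
    if "x-frame-options" not in values:
        findings.append(Finding("X-Frame-Options Header Not Set", "header absent"))

    # MIME sniffing protection: only the exact value "nosniff" counts.
    ctype_opts = values.get("x-content-type-options", [])
    if not ctype_opts or ctype_opts[0].lower() != "nosniff":
        findings.append(Finding("X-Content-Type-Options Header Missing",
                                ctype_opts[0] if ctype_opts else "header absent"))

    # Legacy browser XSS filter: absent or explicitly disabled ("0") is reported.
    xss = values.get("x-xss-protection", [])
    if not xss or not xss[0].startswith("1"):
        findings.append(Finding("Web Browser XSS Protection Not Enabled",
                                xss[0] if xss else "header absent"))

    # Every cookie the server sets should carry HttpOnly (keeps it away from JS).
    for set_cookie in values.get("set-cookie", []):
        name, attrs = cookie_attributes(set_cookie)
        if "httponly" not in attrs:
            findings.append(Finding("Cookie set without HttpOnly flag", name))

    # Password fields: flag unless the input or its form turns autocomplete off.
    form_off = re.search(r'<form[^>]*autocomplete\s*=\s*"?off', body, re.I)
    for tag in re.findall(r"<input[^>]*>", body, re.I):
        is_password = re.search(r'type\s*=\s*"?password', tag, re.I)
        input_off = re.search(r'autocomplete\s*=\s*"?off', tag, re.I)
        if is_password and not (input_off or form_off):
            field = re.search(r'name\s*=\s*"?([^"\s>]+)', tag, re.I)
            findings.append(Finding("Password Autocomplete in browser",
                                    field.group(1) if field else tag))

    # Directory listing: the title that web-server auto-index pages use.
    if re.search(r"<title>\s*Index of /", body, re.I):
        findings.append(Finding("Directory Browsing", "auto-index page title"))

    return findings


# Constructed sample: a login page with the weaknesses ZAP reported above.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; HttpOnly\r\n"
    "X-XSS-Protection: 0\r\n\r\n"
    '<html><head><title>Login</title></head><body><form action="/login" method="post">'
    '<input type="text" name="user"><input type="password" name="pass">'
    "</form></body></html>"
)

# Constructed sample: the same page with the headers and cookie flags fixed.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "X-Frame-Options: DENY\r\nX-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n\r\n"
    '<html><head><title>Login</title></head><body>'
    '<form action="/login" method="post" autocomplete="off">'
    '<input type="text" name="user"><input type="password" name="pass" autocomplete="off">'
    "</form></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {len(check_response(raw))} finding(s)")
        for f in check_response(raw):
            print(f"  {f.name} -> {f.evidence}")
```

Run it as a script to see the weak page produce five findings (the two missing headers, the disabled XSS filter, the sessionid cookie and the password field) while the hardened page produces none. Note that modern browsers no longer honour X-XSS-Protection, so treat that particular alert as informational and rely on a Content-Security-Policy instead; the HttpOnly and X-Frame-Options findings remain worth fixing.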

Install the Proxy into the Browser

  • We can install the "Plug-n-Hack" extension in Firefox 24 or later browsers.
  • On the Quick Start tab you can see the "Plug-n-Hack" button. Just click on it to install the extension into your browser.

  • Iceweasel will open with the following screen. Go ahead and select "Click to setup!"

  • We will get a warning like the one below; go ahead and click Allow.

  • Finally, go ahead and install the add-on in your browser.

  • Now you can simply use your browser, and whatever site you are visiting will automatically be available to the OWASP ZAP application.

So, that's all about the introduction and workings of OWASP ZAP.

I hope this article helps you. Check out the complete article on Hacking Tools here.

Thank you for reading this article.

Happy Hacking.

