Name:- Patil Bhumi Sanjay
Class:- B.E. (A)
Subject:- Cyber Security Lab
Roll No:- 75
Aim: Study of Web Application Analysis Tools in Kali Linux.
Web Application Proxies: Burpsuite
Burpsuite can be used as a sniffing tool between your browser and the web servers to find the parameters that the web application uses.
To open Burpsuite, go to Applications → Web Application Analysis → burpsuite.
To set up sniffing, configure Burpsuite to behave as a proxy. Go to Proxy → Options and check the box under Running for the interface 127.0.0.1.
In this case, the proxy IP will be 127.0.0.1 with port 8080. Then configure the browser's proxy settings with the IP of the Burpsuite machine and that port.
To start interception, in Burpsuite go to Proxy → Intercept → click “Intercept is on”.
Continue navigating the web page whose parameters you want to find and test for vulnerabilities.
In Burpsuite, go to “HTTP History”. The line marked with a red arrow shows the last request. In Raw, hidden parameters such as the Session ID and other parameters such as user name and password have been underlined in red.
Once you have confirmed that the proxy listener is up and running, you need to configure your browser to use it as its HTTP proxy server. To do this, you change your browser's proxy settings to use the proxy host address (by default, 127.0.0.1) and port (by default, 8080) for both HTTP and HTTPS protocols, with no exceptions. This ensures that all HTTP and HTTPS traffic will pass through Burp.
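One way to confirm the listener before pointing the browser at it, added here as an example and not part of the original lab write-up: the function below reads `ss -ltn` output and reports whether port 8080 is bound to loopback only, as configured above, or to an address other hosts can reach. The function name `classify_listener` and the sample `ss` lines are constructed for illustration.

```shell
#!/bin/sh
# classify_listener PORT  (hypothetical helper, reads `ss -ltn` output on stdin)
# Prints one of:
#   loopback - PORT is bound only to a loopback address
#   exposed  - PORT is bound to a wildcard or non-loopback address, so other
#              hosts on the network could relay traffic through the proxy
#   down     - nothing is listening on PORT
classify_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                          # "Local Address:Port" column
            n = split(addr, parts, ":")
            if (parts[n] != port) next         # port is the text after the last colon
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            # Java-based proxies often appear as an IPv4-mapped IPv6 address.
            if (host == "127.0.0.1" || host == "[::1]" || host == "[::ffff:127.0.0.1]")
                loop = 1
            else
                exposed = 1
        }
        END {
            if (exposed)   print "exposed"
            else if (loop) print "loopback"
            else           print "down"
        }'
}

# Constructed sample output (not captured from a real host).
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port      Peer Address:Port
LISTEN 0      128    0.0.0.0:22              0.0.0.0:*
LISTEN 0      50     [::ffff:127.0.0.1]:8080 *:*'

SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port      Peer Address:Port
LISTEN 0      50     *:8080                  *:*'

printf '%s\n' "$SAMPLE_LOOPBACK" | classify_listener 8080
printf '%s\n' "$SAMPLE_EXPOSED"  | classify_listener 8080

# Live use on the testing machine:
#   ss -ltn | classify_listener 8080
```

A result of `exposed` means the listener should be rebound to 127.0.0.1 in Proxy → Options before testing continues.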
ZapProxy
ZAP (OWASP Zed Attack Proxy) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is a Java interface.
Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.
At its core, ZAP is what is known as a “man-in-the-middle proxy.” It stands between the tester’s browser and the web application so that it can intercept and inspect messages sent between browser and web application, modify the contents if needed, and then forward those packets on to the destination. It can be used as a stand-alone application, and as a daemon process.
If there is another network proxy already in use, as in many corporate environments, ZAP can be configured to connect to that proxy.
ZAP provides functionality for a range of skill levels – from developers, to testers new to security testing, to security testing specialists. ZAP has versions for each major OS and Docker, so you are not tied to a single OS. Additional functionality is freely available from a variety of add-ons in the ZAP Marketplace, accessible from within the ZAP client.
Because ZAP is open-source, the source code can be examined to see exactly how the functionality is implemented. Anyone can volunteer to work on ZAP, fix bugs, add features, create pull requests to pull fixes into the project, and author add-ons to support specialized situations.
As with most open source projects, donations are welcome to help with costs for the projects. You can find a donate button on the owasp.org page for ZAP at https://owasp.org/www-project-zap/.
Step 1 − To open ZapProxy, go to Applications → 03-Web Application Analysis → ZAP.
Step 2 − Click “Accept”.
ZAP will start to load.
Step 3 − Choose one of the Options and click “Start”.
Preferably select “No, I do not want to persist this session at this moment in time”.
Step 4 − Enter the URL of the web application under test at “URL to attack” → click “Attack”.
After the scan is completed, on the top left panel you will see all the crawled sites.
In the left panel “Alerts”, you will see all the findings along with the description.
Step 5 − Click “Spider” and you will see all the links scanned.
Install ZAP
The first thing to do is install ZAP on the system you intend to perform pentesting on. Download the appropriate installer from the Download page.
Note that ZAP requires Java 8+ in order to run. The Mac OS/X installer includes an appropriate version of Java but you must install Java 8+ separately for Windows, Linux, and Cross-Platform versions. The Docker versions do not require you to install Java.
Once the installation is complete, launch ZAP and read the license terms. Click Agree if you accept the terms; ZAP will finish installing and then start automatically.