What is OWASP ZAP
OWASP ZAP is a web application security testing framework much like Burp Suite: an intercepting proxy that also acts as a very robust enumeration tool. It is completely open source and free. There is no premium version, no features are locked behind a paywall, and there is no proprietary code.
The software runs on Windows and Linux.
Install: OWASP ZAP (zaproxy.org)
Configuring with Firefox
After installation, open OWASP ZAP.
Tell ZAP to listen on 127.0.0.1 and port 8080.
On the same screen, navigate to Dynamic SSL Certificates.
Press Save to export ZAP's root CA certificate.
Now we are going to import this certificate into Firefox. Open Firefox.
Go to about:preferences.
Click on View Certificates.
Click on Import and import the certificate we just saved.
Make sure you tick the box to trust this CA to identify websites.
Now let's add an extension to the web browser so we can easily route our traffic through ZAP. We use FoxyProxy Standard: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
Next, click on FoxyProxy among your extensions in the upper right corner.
After that, click on 'Options'.
Click 'Add' in the top left to add ZAP as a proxy in FoxyProxy.
Enter the following settings and then click 'Save':
- Proxy IP = 127.0.0.1
- Port = 8081
- Title = Zap
Now we need to make sure the traffic goes to ZAP. Click on the FoxyProxy extension icon again and select 'Zap'.
If you are also using Burp Suite, make sure this port is different from the one Burp uses. If you follow this guide you should not have that problem, as Burp's default is 8080.
If you navigate to http://127.0.0.1:8081/ you should see the ZAP welcome page.
You can run this alongside Burp Suite. Just follow this guide: Configure Burpsuite with Firefox
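As an added example (not part of this guide and not ZAP's own code), here is a small Python script that checks the things the steps above rely on before you trust the setup: that something is listening on the address and port you gave FoxyProxy, that it answers with a welcome page, that it behaves as a proxy when handed an absolute URL, and that its port differs from Burp's. The port entered in FoxyProxy must be the port ZAP was actually told to listen on. The welcome-page marker string and the port values in the main block are assumptions, and the fake listener at the end is constructed only so the checks can be exercised offline without ZAP running.

```python
# Added example, not part of the original guide: sanity checks to run after
# the steps above, so you know the browser's traffic will really reach ZAP.
# Assumptions are marked; the fake listener at the bottom exists only so the
# checks can be exercised offline.
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Substring expected on ZAP's welcome page (assumption; adjust to your version).
ZAP_WELCOME_MARKER = "ZAP"


def port_is_listening(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ports_clash(zap_port: int, burp_port: int) -> bool:
    """Two local proxies cannot share one port; this is the clash the guide warns about."""
    return zap_port == burp_port


def http_get(host: str, port: int, target: str = "/", timeout: float = 3.0):
    """GET `target` from host:port and return the body as text, or None on failure.

    A plain path ("/") fetches from the listener itself (the welcome page).
    An absolute http:// URL puts that URL on the request line, which is how a
    client asks a plain HTTP proxy to fetch a third-party site on its behalf
    (https targets would need CONNECT instead; not covered here).
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", target)
        return conn.getresponse().read().decode("utf-8", "replace")
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def check_proxy(proxy_host: str = "127.0.0.1", proxy_port: int = 8081, burp_port=None) -> dict:
    """Summarise: is ZAP listening, does it serve its welcome page, does it clash with Burp?"""
    listening = port_is_listening(proxy_host, proxy_port)
    body = http_get(proxy_host, proxy_port, "/") if listening else None
    return {
        "listening": listening,
        "welcome_page": bool(body and ZAP_WELCOME_MARKER in body),
        "port_clash": burp_port is not None and ports_clash(proxy_port, burp_port),
    }


class FakeZapHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for ZAP's listener: records each request target and
    answers every GET with a fake welcome page, whether asked directly or as a proxy."""
    seen = []  # request targets observed; an absolute URL here means we were used as a proxy

    def do_GET(self):
        type(self).seen.append(self.path)
        body = b"<html><body>Welcome to ZAP (constructed test page)</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the console quiet


def start_fake_zap(host: str = "127.0.0.1"):
    """Start the stand-in on an ephemeral port; returns (server, port)."""
    server = ThreadingHTTPServer((host, 0), FakeZapHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_port(host: str = "127.0.0.1") -> int:
    """Pick a port nobody is listening on (to show the negative case)."""
    with socket.socket() as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Values from the guide: FoxyProxy points at 8081, Burp's default is 8080.
    print(check_proxy("127.0.0.1", 8081, burp_port=8080))
```

Run it with ZAP started and FoxyProxy pointed at the same port; a result of `listening: False` means the browser's requests will fail rather than be intercepted, and `port_clash: True` means ZAP and Burp are fighting over one socket.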