Introducing ZAP
ZAP: Zed Attack Proxy is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project(OWASP).
At its core, ZAP is what is know as a “man-in-the-middle proxy”. It stands between the tester’s browser and the web application so that it can intercept and inspect messages sent between browser and web application, modify the contents if needed, and then forward those packets on to the destination. It can be used as standalone application, and as a daemon process.
If there is another network proxy already in use, as in many corporate environments, ZAP can be configured to connect to that proxy.
Install and configure ZAP
Install ZAP
Download ZAP(zaproxy) from here.
Note that ZAP requires Java 8+ in order to run.
Persisting a session
Whe you first start ZAP, you will be asked if you want to persist the ZAP session. By default, ZAP sessions are always recorded to disk in a HSQLDB database with a default name and location. If you do not persist the session, those files are deleted when you exit ZAP.
If you choose to persist a session, the session information will be saved int the local database so you can access it later, and you will be able to provide custom names and locations for saving the files.
Generate Certificates
Tools–>Options–>Dynamic SSL Certificates–>Generate–>Save. And Use Firefox import ZAP’S SSL Certificates.
Local Proxies
Tools–>Options–>Local Proxies. You can change the local Proxy’s information such as Address,Port and so on.
Set ZAP proxy server
If there is another network proxy already in use, as in many corporate environments, ZAP can be configured to connect to that proxy. As following:
ZAP’s proxy server must be setted. As following:
Tools–>Options–>Connection–>Use Proxy Chain
- Use an outgoing proxy server
- Address/Domain Name:
localhost - Port(e.g. 8080):
1080–> OK
Reference:ZAP Quick Start Guide
: