TryHackMe Introduction to OWASP ZAP Walkthrough

Edit subtitles

0:01 - 0:04

Hello and welcome back to RedBlue Labs.
0:04 - 0:05

Today's video is going to be a little bit
0:05 - 0:06

different than the ones I've done in the
0:06 - 0:08

past, where I'm actually going to be
0:08 - 0:11

doing a walkthrough on a TryHackMe
0:11 - 0:14

room. The room of choice for me today is
0:14 - 0:18

actually "Introduction to OWASP Zap," and I
0:18 - 0:20

chose this room because I personally
0:20 - 0:24

really enjoy ZAP. I like
0:24 - 0:27

the features that it has, and when I
0:27 - 0:30

had this paragraph here,
0:30 - 0:31

apparently the person who made this
0:31 - 0:33

room prefers it over Burp. And honestly,
0:33 - 0:35

it's a personal preference kind
0:35 - 0:38

of thing. Many, many people use Burp. Some
0:38 - 0:40

people use ZAP. I'm one of those people
0:40 - 0:43

that uses ZAP regularly.
0:43 - 0:46

Just a heads up, I do plan on editing
0:46 - 0:48

this video, so it's going to be
0:48 - 0:51

fairly fluid as I walk through
0:51 - 0:54

things. So there you go. Now you know.
0:54 - 0:56

If you're not familiar with
0:56 - 1:01

what ZAP is, it's a proxy where you have
1:01 - 1:04

your browser pointing to a proxy server
1:04 - 1:06

that's running locally, so maybe on your
1:06 - 1:09

Kali machine, and then you will
1:09 - 1:11

go onto the website. So, you're sending
1:11 - 1:13

traffic through the proxy over the
1:13 - 1:16

website, and the website is going to
1:16 - 1:17

go through the proxy back to you. So,
1:17 - 1:19

you've got like a person in the middle
1:19 - 1:22

that's handling that traffic, and then
1:22 - 1:24

while that traffic's being handled, you
1:24 - 1:26

can actually manipulate the data.
1:26 - 1:29

So, let's go ahead and start our room. Oh, I
1:29 - 1:31

got to join the room. And start that
1:31 - 1:33

machine.
1:35 - 1:36

And we're going to start off with the
1:36 - 1:40

first one. So, ZAP stands for
1:40 - 1:43

Zed Attack Proxy.
1:43 - 1:45

Woo.
1:45 - 1:47

Day 148.
1:47 - 1:50

So let's see if I can do that right now.
1:50 - 1:52

Still waiting 18 seconds.
1:52 - 1:54

Task 1 is done.
1:54 - 1:56

Go to task 2.
1:56 - 1:58

ZAP is a great tool that's totally slept
1:58 - 2:01

on. You know, that is
2:01 - 2:02

totally true.
2:02 - 2:05

Go ahead and give this section a read.
2:05 - 2:09

I've read the task.
2:12 - 2:14

Installation.
2:14 - 2:17

Okay, so I've actually already gone ahead
2:17 - 2:19

and done that.
2:19 - 2:21

There's a couple of ways you can
2:21 - 2:24

do it. They've got the the tool right
2:24 - 2:25

here. So,
2:25 - 2:26

pretty straightforward. Just go to the
2:26 - 2:29

website, and connect it into your Kali,
2:29 - 2:31

and go ahead and just download it. I
2:31 - 2:33

already have it installed, so that's
2:33 - 2:34

easy to
2:34 - 2:36

complete,
2:36 - 2:39

and then open it up.
2:39 - 2:42

Let's go over my machine,
2:44 - 2:46

and I'm going to
2:46 - 2:48

open it up.
2:51 - 2:53

Hit the Windows button or the Command
2:53 - 2:56

button, ZAP,
2:58 - 3:00

power it on.
3:04 - 3:07

Eventually, your ZAP will turn on, and you
3:07 - 3:09

are ready to proceed with the rest of
3:09 - 3:10

the room.
3:10 - 3:14

Let's go check out task 4,
3:15 - 3:17

and this task looks like we're doing
3:17 - 3:22

an automated scan. Let's go
3:22 - 3:23

ahead and run the command that it's
3:23 - 3:26

asking for.
3:29 - 3:33

Set up the Ajax spider. Looks like in
3:33 - 3:34

task 5, we are actually going to be doing
3:34 - 3:37

some manual scanning and we need to have
3:37 - 3:40

our browser pointing to our ZAP proxy.
3:40 - 3:42

So, there's a number of steps
3:42 - 3:44

to do this, and actually,
3:44 - 3:47

what will make this easier is in the
3:47 - 3:49

dropdown that you see right now, I
3:49 - 3:50

actually have a video that I've made
3:50 - 3:52

where
3:52 - 3:54

I actually go through this entire
3:54 - 3:58

process. So, I'm going to skip ahead, and if
3:58 - 3:59

you already have this set up, then that's
3:59 - 4:01

great. Or, if you want to watch that video
4:01 - 4:05

that I've made, go ahead and do that.
4:05 - 4:09

What IP do we use for the proxy? Well, we
4:09 - 4:12

would be pointing it to ourselves. So,
4:12 - 4:17

that could be localhost or a bit--it's
4:18 - 4:23

this one right over here. Bingo bango.
4:23 - 4:25

With task 6, it looks like we are
4:25 - 4:27

scanning an authenticated web
4:27 - 4:29

application. So,
4:29 - 4:32

in THM here, they give us some
4:32 - 4:35

credentials that we need to use on the
4:35 - 4:37

machine that they've got for us. So, let's
4:37 - 4:41

go down and give the page here a read,
4:41 - 4:44

and we are going to
4:44 - 4:47

open up our browser on our Kali machine
4:47 - 4:48

here.
4:48 - 4:50

And here we go. We've got our
4:50 - 4:52

spot here
4:52 - 4:55

to authenticate.
4:55 - 4:56

They're going to put in the credentials
4:56 - 5:00

that TryHackMe has given me
5:00 - 5:03

and authenticate. Let's go back and take
5:03 - 5:05

a peek at the instructions here.
5:05 - 5:08

Looks like we have or on the page that
5:08 - 5:11

we need to be, and we need to go down to
5:11 - 5:14

DVWA security
5:14 - 5:16

as instructed.
5:16 - 5:19

And I just want to do a double check here,
5:19 - 5:22

navigate to that tab and set the
5:22 - 5:25

security level to low and then hit
5:25 - 5:26

submit.
5:26 - 5:29

And after that, we're going to pass our
5:29 - 5:32

authentication token into ZAP so that we
5:32 - 5:34

can use the tool to scan authenticated
5:34 - 5:36

pages. Great.
5:36 - 5:40

Let's do that.
5:42 - 5:44

Low
5:44 - 5:47

and submit.
5:47 - 5:50

Okay,
5:52 - 5:54

so we are going to open up the inspector
5:54 - 5:56

here.
6:08 - 6:10

Go to storage,
6:10 - 6:14

and I'm going to grab the session key
6:14 - 6:17

cookie here.
6:30 - 6:33

And in ZAP, open the HTTP Sessions tab with the new
6:33 - 6:36

tab button, which is that one there, and
6:36 - 6:38

set the authenticated session to
6:38 - 6:40

active. You might actually notice a
6:40 - 6:42

slight disconnect between what you're
6:42 - 6:44

seeing in the PHP session right now and
6:44 - 6:46

what you saw about ten seconds earlier.
6:46 - 6:49

They do look different. And the reason
6:49 - 6:50

for that is because I actually
6:50 - 6:53

rerecorded doing this particular task,
6:53 - 6:55

and I wanted to make it pretty
6:55 - 6:58

straightforward to see how we can see in
6:58 - 7:02

ZAP the exact same session compared
7:02 - 7:04

to the session that we can see in the
7:04 - 7:07

inspector of the browser. So, that's what
7:07 - 7:10

you're seeing on the screen right now.
7:13 - 7:15

Because we have an authenticated session
7:15 - 7:17

in our
7:17 - 7:20

ZAP here, we're able to actually do a
7:20 - 7:23

scan against our target and receive a
7:23 - 7:26

lot more information because we now,
7:26 - 7:30

at this point, have an authentication
7:30 - 7:33

on the target.
7:40 - 7:43

Alright, so that was task 6, and now
7:43 - 7:45

we're moving on to task 7, which is
7:45 - 7:47

brute-force directories. Let's open up
7:47 - 7:49

the challenge and take a look at what
7:49 - 7:51

are the requirements here.
7:51 - 7:53

And so, essentially, we can actually use
7:53 - 7:55

word lists
7:55 - 7:59

and ZAP to do some brute-forcing to
7:59 - 8:01

figure out what kind of directories,
8:01 - 8:04

some directory enumeration that are on
8:04 - 8:08

the web server. Let's go down. And when we
8:08 - 8:10

have our sites here, when we do a
8:10 - 8:13

right-click and we do a forced browse
8:13 - 8:16

site, we can actually do this, do
8:16 - 8:18

directory enumeration. I actually have
8:18 - 8:19

another video where I do the exact same
8:19 - 8:21

thing. So, you can see that in the dropdown
8:21 - 8:23

as well if you want to be able to
8:23 - 8:25

specifically watch that. But we're going
8:25 - 8:26

to do the exact same thing here, and it's
8:26 - 8:29

pretty straightforward. Let's go
8:29 - 8:30

ahead and
8:30 - 8:32

do a
8:32 - 8:38

forced browse on our target system here.
8:51 - 8:54

And then we just have to pick the
8:54 - 8:56

list that we want. So, I'll use
8:56 - 8:57

this one.
8:57 - 9:01

But really, word lists are all over the
9:01 - 9:02

place. You can use whatever word list
9:02 - 9:05

works best for you.
9:07 - 9:10

And hit play.
9:13 - 9:16

Task 6 or task 7 complete.
9:19 - 9:23

Okay, task 8. Let's check out
9:23 - 9:25

what we've got here for brute-force web
9:25 - 9:27

login.
9:27 - 9:30

So, just like with the brute-force
9:30 - 9:33

directories, we can actually use Hydra
9:33 - 9:35

for this as well. But what we're doing in
9:35 - 9:36

this room is demonstrating that we can
9:36 - 9:39

use ZAP to do some of the similar tasks
9:39 - 9:40

as well.
9:40 - 9:43

What we're going to be doing also is
9:43 - 9:46

fuzzing again. So, let's take a peek
9:46 - 9:47

at some of the instructions that they
9:47 - 9:51

give us here. So, we have a a login. So,
9:51 - 9:52

we're going to be demonstrating on the
9:52 - 9:55

brute-force part of things, and we're
9:55 - 9:59

going to be doing an attack and fuzz on
9:59 - 10:02

the spot, the moment in time when we are
10:02 - 10:05

actually inputting the credentials. So, in
10:05 - 10:06

here, they do
10:06 - 10:10

find a test 1, 2, 3, and
10:10 - 10:12

we'll do something similar to that.
10:12 - 10:15

I have my own technique or word that I
10:15 - 10:17

like to look for, and that's fine. You'll
10:17 - 10:18

have your own that you like
10:18 - 10:19

as well.
10:19 - 10:20

So, we're going to find the GET and we're
10:20 - 10:22

going to do a fuzz.
10:22 - 10:24

Alright, then. I actually did all this in
10:24 - 10:27

another video, so you'll see it in
10:27 - 10:28

this dropdown on the screen here.
10:28 - 10:31

Now, what's unique is that actually Kali
10:31 - 10:34

comes with its own--it comes with tons
10:34 - 10:36

of word lists, but it comes with a one
10:36 - 10:38

called FastTrack. I've actually never
10:38 - 10:41

used FastTrack. I use my own word lists,
10:41 - 10:44

and that's fine too. But for this
10:44 - 10:45

particular challenge, we will be using
10:45 - 10:50

the fasttrack.txt.
10:50 - 10:53

Alright, let's open up our ZAP machine
10:53 - 10:55

and
10:55 - 11:00

navigate to the HTTP for this. So, I'm
11:00 - 11:01

going to
11:01 - 11:04

open up my browser here.
11:15 - 11:17

And because my browser is pointing to my
11:17 - 11:21

proxy server, I'm going to see
11:21 - 11:24

the websites actually populate inside of
11:24 - 11:26

my sites here, and you can see them
11:26 - 11:29

popping up there right now.
11:29 - 11:32

And according to the instructions on TryHackMe,
11:32 - 11:35

we will need to go to brute-force.
11:37 - 11:39

And at this point, we're going to
11:39 - 11:41

actually input
11:41 - 11:43

some data that we're going to catch. So,
11:43 - 11:45

we can see it populating here, which is
11:45 - 11:47

great.
11:50 - 11:53

I'm going to actually expand this,
11:55 - 11:59

and we're going to send something to it.
11:59 - 12:01

RedBlue.
12:03 - 12:04

Password.
12:06 - 12:09

And then I'm going to hit enter.
12:15 - 12:17

So, it says incorrect,
12:17 - 12:19

and that is fine.
12:22 - 12:25

What I like to do, actually, is knowing
12:25 - 12:28

because I know that I put RedBlue in
12:28 - 12:32

there, I actually like to search on that
12:32 - 12:38

and search for all, and then hit enter.
12:38 - 12:41

And I've got a post here. We found the
12:41 - 12:43

post where
12:43 - 12:45

my password and name was put in there.
12:45 - 12:49

Let's open up resend. And you can see my
12:49 - 12:52

username here and the password there. So,
12:52 - 12:53

what we're going to do is actually fuzz
12:53 - 12:57

on that password there.
12:57 - 12:59

So, we've got it selected, I'm going to
12:59 - 13:01

remove that because I just do that every
13:01 - 13:03

time. I'm going to double-click, and we're
13:03 - 13:07

going to add the word list that it
13:07 - 13:09

is recommending. So, in this case, it was
13:09 - 13:10

FastTrack.
13:11 - 13:15

We'll find word lists.
13:15 - 13:18

File. Select.
13:18 - 13:20

Bingo bango.
13:20 - 13:23

Okay.
13:23 - 13:24

Add.
13:24 - 13:26

Okay.
13:26 - 13:28

Options.
13:28 - 13:31

Follow redirects
13:33 - 13:36

and we are going to start the fuzzer.
13:45 - 13:50

And we will investigate each of these
13:50 - 13:53

reflected.
14:05 - 14:07

We had a couple options that were
14:07 - 14:08

good. Security
14:08 - 14:13

and password. Let's try both of those.
14:17 - 14:20

Password.
14:25 - 14:29

So, we can see that this one is in fact
14:29 - 14:32

the password that actually worked when
14:32 - 14:34

we brute-forced it. So, it's just straight
14:34 - 14:36

up password.
14:37 - 14:39

There you go. So, that was
14:39 - 14:43

brute-forcing with web login.
14:43 - 14:45

ZAP extensions.
14:45 - 14:48

So, ZAP's really cool and that it has
14:48 - 14:49

a ton of extensions that we can actually
14:49 - 14:52

add to
14:52 - 14:56

our tool. And in this page, this part
14:56 - 14:57

here, they're actually giving us
14:57 - 14:59

instructions on where to find some of
14:59 - 15:01

these tools. So, I recommend going ahead
15:01 - 15:04

and actually locating these things, and
15:04 - 15:05

and testing them out if you're enjoying
15:05 - 15:07

ZAP. Then, learn more about these
15:07 - 15:09

things, and maybe you can even build your
15:09 - 15:12

own scripts that we can add. But for TryHackMe,
15:12 - 15:14

we are
15:14 - 15:17

happy with knowing that we can do that.
15:17 - 15:19

Let's go on to task 10.
15:21 - 15:25

And it's more documentation, though,
15:25 - 15:28

I kind of find it funny about this
15:29 - 15:31

particular section is that it...
15:31 - 15:33

The author's, like, "Yeah that's pretty
15:33 - 15:35

much all there is." Which is kind
15:35 - 15:37

of true. Because Burp is so
15:37 - 15:39

popular, it's got so much documentation
15:39 - 15:41

on it,
15:41 - 15:43

it's just so widely adopted that ZAP
15:43 - 15:45

sort of has been put into the
15:45 - 15:46

background.
15:46 - 15:47

But I don't think that should be the
15:47 - 15:49

case. It is actually a pretty cool tool,
15:49 - 15:52

and it's been around a while, and it has...
15:52 - 15:56

I just, I just, I enjoy using sound.
15:56 - 15:58

There you go. So, we can finish this room
15:58 - 16:02

with a completed.
16:03 - 16:05

And bingo bango. There you go. We have
16:05 - 16:09

finished the introduction to ZAP
16:09 - 16:10

room. Thanks for watching.

Title:: TryHackMe Introduction to OWASP ZAP Walkthrough
Description:: more » « less
Video Language:: English
Duration:: 16:13

	OEVIDEOS edited English subtitles for TryHackMe Introduction to OWASP ZAP Walkthrough
	OEVIDEOS edited English subtitles for TryHackMe Introduction to OWASP ZAP Walkthrough

English subtitles

Revisions Compare revisions

Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	2	OEVIDEOS
	1	OEVIDEOS

TryHackMe Introduction to OWASP ZAP Walkthrough

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)