OWASP is a non-profit that lists the Top Ten Most Critical Web Application Security Risks, they also have a GUI Java tool called OWASP Zap that you can use to check your apps for security issue.
I have a number of guides on moving hosting away form CPanel , Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. It is important that you always update your site and software and test your sites and software for vulnerabilities. Zap is free and completely open source.
Disclaimer, I am not an expert (this Zap post and my past Kali Linux guide will be updated as I learn more).
OWASP Top 10
OWASP has a top 10 list of things to review.
Download the OWASP 10 10 Application security risks PDF here form here.
Using the free OWASP Zap Tool
Snip from https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
“The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a great tool for experienced pentesters to use for manual security testing.”
Here is a quick demo of Zap in action.
Do check out the official Zap videos on youtube: https://www.youtube.com/user/OWASPGLOBAL/videos if you want to learn more.
Download Zap from here.
Copy to the app to the OSX Application folder
Open OSX’s Privacy and Security screen and click Open Anyway
OWASP Zap is now Installed
Ready for a Scan
But before we do let’s check out the Options
OWASP Zap allows you to label reports to ad from anyone you want.
Now let’s update the program and plugins, Click Manage Add-ons
Click Update All to Update addons
I clicked Update All
Installed some plugins
Zap is Ready
Add a site and right click on the site and you can perform an active scan or port scan.
First Scan (https failed)
I enabled unsafe SSL/TLS Renegotiation.
This did not work and this guide said I needed to install the “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files” from here.
The extract files to /Library/Java/JavaVirtualMachines/%your_jdk%/Contents/Home/jre/lib/security
I restarted OWASP Zap and tried to scan my site buy it appears Cloudflare (that I recently set up) was blocking my scans and reported error 403. I decided to scan another site of mine that was not on Cloudflare but had the same Lets Encrypt style SSL cert.
fyi: I own and set up the site I queried below.
OWASP Zap scan performed over 800 requests and tried traversal exploits and many other checks. Do repair any major failures you find.
Generating a Report
To generate a report click Report then the appropriate generation menu of choice.
FYI: The High Priority Alert is a false positive with an HTML item being mistaken for a CC number.
I hope this guide helps someone. Happy software/server hardening and good luck.
Check out my Kali Linux guide.
Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]
V1.3 fixed hasting typo.
v1.2 False Positive
v1.1 updated main features
v1.0 Initial post