Monday, August 20, 2012

WebApps Pentesting with ZAP and its AJAX Spider Plugin

We recently developed a new plugin for ZAProxy that integrates Crawljax, an open source Java crawler for AJAX web applications.

By using the AJAX Spider plugin, we can discover the pages and dynamically built links of a target web application, and ZAP can then use those results to look for vulnerabilities in the pages it found. Links that are only created by client-side JavaScript are invisible to a traditional spider, which parses nothing but the HTML returned by the server, so anything reachable only through them would otherwise never be scanned.
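To make the difference concrete, here is an added example (not code from the original post, ZAP or Crawljax): a constructed sample page with one link in the static HTML and three built by JavaScript, a staticLinks function that does what a classic spider does (read hrefs out of the raw HTML), and a renderedLinks function that runs the page's inline scripts and, optionally, fires its click handlers before collecting links. The tiny Element/Document classes are a toy stand-in for the real browser that Crawljax drives; the page, the URL paths in it and all function names are my own.

```javascript
// Constructed sample page (not from the original post): one link in the static HTML,
// two built at load time from a base path and a list, one only after clicking "More".
const SAMPLE_HTML = `
<html><body>
  <a href="/about">About</a>
  <div id="menu"></div>
  <button id="more">More</button>
  <script>
    var base = '/api/v2/';
    var items = ['users', 'orders'];
    var menu = document.getElementById('menu');
    items.forEach(function (name) {
      var a = document.createElement('a');
      a.setAttribute('href', base + name);
      menu.appendChild(a);
    });
    document.getElementById('more').addEventListener('click', function () {
      var a = document.createElement('a');
      a.setAttribute('href', '/admin/export?format=csv');
      menu.appendChild(a);
    });
  </script>
</body></html>`;

// Toy DOM: just enough browser API for the sample script. Crawljax uses a real browser.
class Element {
  constructor(tag) { this.tag = tag.toLowerCase(); this.attrs = {}; this.children = []; this.handlers = {}; }
  setAttribute(name, value) { this.attrs[name] = String(value); }
  appendChild(child) { this.children.push(child); return child; }
  addEventListener(type, fn) { (this.handlers[type] = this.handlers[type] || []).push(fn); }
  click() { for (const fn of this.handlers.click || []) fn({ type: "click", target: this }); }
}

class Document {
  constructor() { this.body = new Element("body"); }
  createElement(tag) { return new Element(tag); }
  getElementById(id) { return walk(this.body).find((e) => e.attrs.id === id) || null; }
}

// Depth-first list of an element and all of its descendants.
function walk(el, out = []) {
  out.push(el);
  for (const child of el.children) walk(child, out);
  return out;
}

const TAG_RE = /<(\w+)([^>]*)>/g;
const ATTR_RE = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
const SCRIPT_RE = /<script[^>]*>([\s\S]*?)<\/script>/gi;

function parseAttrs(text) {
  const attrs = {};
  for (const m of text.matchAll(ATTR_RE)) attrs[m[1]] = m[2] !== undefined ? m[2] : m[3];
  return attrs;
}

// What a classic spider sees: only hrefs literally present in the server's HTML.
function staticLinks(html) {
  const links = [];
  for (const m of html.replace(SCRIPT_RE, "").matchAll(TAG_RE)) {
    if (m[1].toLowerCase() === "a" && parseAttrs(m[2]).href) links.push(parseAttrs(m[2]).href);
  }
  return links;
}

// Flat model of the page's static elements (nesting is not needed for this demo).
function loadStatic(html) {
  const doc = new Document();
  for (const m of html.replace(SCRIPT_RE, "").matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    if (tag === "html" || tag === "body") continue;
    const el = doc.createElement(tag);
    Object.assign(el.attrs, parseAttrs(m[2]));
    doc.body.appendChild(el);
  }
  return doc;
}

// What an AJAX spider sees: run the inline scripts and, optionally, fire every click
// handler the way a browser-driven crawler exercises the UI, then read the resulting hrefs.
function renderedLinks(html, { clickEverything = false } = {}) {
  const doc = loadStatic(html);
  for (const m of html.matchAll(SCRIPT_RE)) {
    new Function("document", m[1])(doc); // executes page JS: only for content you trust
  }
  if (clickEverything) {
    for (const el of walk(doc.body)) el.click(); // snapshot: elements added by handlers are not re-clicked
  }
  return walk(doc.body).filter((e) => e.tag === "a" && e.attrs.href).map((e) => e.attrs.href);
}

// Everything the static spider never gets to pass on to the scanner.
function missedByStaticSpider(html) {
  const seen = new Set(staticLinks(html));
  return renderedLinks(html, { clickEverything: true }).filter((href) => !seen.has(href));
}

console.log("static spider  :", staticLinks(SAMPLE_HTML));
console.log("after scripts  :", renderedLinks(SAMPLE_HTML));
console.log("after clicking :", renderedLinks(SAMPLE_HTML, { clickEverything: true }));
```

The static pass finds only /about; running the page's scripts adds the two /api/v2/ endpoints, and exercising the click handler exposes the CSV export URL as well. Those three are exactly the requests a scanner fed by a classic spider would never send, which is the gap the AJAX Spider plugin closes.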

To set up the plugin, perform the following three steps:
  1. Download the latest release of ZAP from the zaproxy downloads tab. ZAP 1.4.1 or later is required.
  2. Download the AJAX Spider plugin from the zap-extensions site.
  3. Put the extension in ZAP's plugin folder.
After this, ZAP and the AJAX Spider are ready to run. The AJAX Spider plugin is invoked from the Attack menu of the Sites tab, as shown in [1] of the following image. The results of the crawl are shown in the AJAX Spider tab [2].


There are some parameters you might want to configure before running it, regarding the local proxy that ZAP creates to communicate with the Crawljax instance and regarding the crawling process itself:
  • In the local proxy options [1], you can configure its port and IP address.
  • In the crawler options [2], you can choose the web browser the plugin uses, the number of threads and the number of browser windows to open. You can also enable the "scan in depth" option, which slows the process down a bit but improves the final results.
This is shown in the next image:



When the process is started, a set of browser windows is opened and the results appear in the Sites tab [1] and in the Spider tab [2], where each found URL can be clicked to show its HTTP request and response in [3]. Keep in mind that the crawl is performed by a real browser executing the application's own JavaScript, so it will follow and trigger whatever it reaches; run it against a test instance of the application rather than production.



I made a brief video that shows how to crawl a site and later use the generated web tree to find vulnerabilities in the targeted web application by using ZAP.



The plugin is still in alpha phase; if you have any comment, suggestion or question, do not hesitate to contact me or to open a thread in the ZAP users' group.

2 comments:

  1. Are there any plans to provide support for Safari browsers?

  2. @Anonymous: not in the near future. However, if you happen not to have Chrome or Firefox available, you can still use the HtmlUnit browser, which comes with the spider package.
