Monday, August 20, 2012

WebApps Pentesting with ZAP and its AJAX Spider Plugin

We recently developed a new plugin for ZAProxy that integrates a web spider called Crawljax, which is an open source Java spider of AJAX web applications.

By using the AJAX Spider plugin, we can discover the pages and dynamic-built links of a targeted web application, whose results can be later used by ZAP to find its vulnerabilities.

To set up the plugin, you have to perform the three following steps:
  1. Download the last release of ZAP from the zaproxy downloads tab. It is required ZAP>=1.4.1. 
  2. Download the AJAX Spider plugin from the zap-extensions site.
  3. Put the extension in the plugin folder of ZAP.
After this, ZAP and the AJAX Spider are ready to run. The AJAX Spider plugin can be invoked in the attack menu of the Sites Tab, as shown in [1] of the following image. The results of the crawling process will be shown in the AJAX Spider tab [2].

There are some parameters that you might want to configure before running it regarding the local proxy that ZAP creates to communicate with the crawljax instance, and regarding the crawling process:
  • In the local proxy options[1], you can configure its port an IP address.
  • In the crawler options[2], you can choose the web browser to be used by the plugin, the number of threads and the browser windows to open. You can also activate the "scan in depth option", which slows down a bit the process but improves its final results.
 This is shown in the next image:

When the process is started, a set of windows will be opened and the results will appear in the Sites tab[1] and also in the Spider Tab[2] where the found URLs can be clicked and the HTTP request and response will appear in [3].

I made a brief video that shows how to crawl a site and later use the generated web tree to find vulnerabilities in the targeted web application by using ZAP.

The plugin is still in alpha phase, if you have any comment, suggestion or question do no hesitate to contact me or to open a thread in the ZAP users' group.


  1. Are there any plans to provide support for Safari Browsers .

    1. Great Article IoT Projects for Students

      Deep Learning Projects for Final Year

      JavaScript Training in Chennai

      JavaScript Training in Chennai

      The Angular Training covers a wide range of topics including Components, Angular Directives, Angular Services, Pipes, security fundamentals, Routing, and Angular programmability. The new Angular TRaining will lay the foundation you need to specialise in Single Page Application developer. Angular Training

  2. @Anonymous: not in the near future. However, if you happen not to have chrome or firefox available, you can still use the htmlunit browser, which comes with the spider package.

  3. Wow! It is a completely different topic. Great choice of Topic! You can apply for a Turkey visa online. You can get your Turkey Visa in just 1 hour by selecting the express processing type. It only takes 5 minutes to apply for an electronic visa Turkey. Apply Online.

  4. I think this is one of the most important pieces of information for me. Thanks a lot for posting.. What is FRRO Form C? The C-Form mechanism helps the authorities to locate and track foreigners in India to enhance safety & security. You can read info about FRRO Form C via India evisas guide.

  5. This is a wonderful inspiring article. I am practically satisfied with your great work. You have really put together extremely helpful data. Keep it up.. Are you planning to visit Kenya?For this, you need to fill the Kenya Visa Application Form and pay the kenya evisa cost online.

  6. This is a very useful article. Indian visa application photo requirements you can read online via India e visas website. Indian e visa photo requirements for Indian visa are available on all Indian visa websites. You can read all Indian visa photo specifications online.

  7. I am happy to see your work. Some additional charges may apply in case of emergency in India visa fees.

  8. Wow, that's what I was looking for, what stuff! Present here on this website, thanks to the admin of this website.. Turkish Visit Visa is an electronic travel authorization which is a 100% online Turkish evisa process, which takes hardly 3-5 minutes to fill out an online application.


  9. This is incredibly useful information. This article actually inspires me to follow your lead. When you are considering a trip to India, I need an India tourist visa covid, I read about this website and decided to use it. It's really good you can apply for your Indian visa online. In just a few days, I got my tourist visa to India online. When there were errors, they helped and understood the situation.

  10. İnstagram takipçi satın al! İnstagram takipçi sitesi ile takipçi satın al sende sosyal medyada fenomen olmaya bir adım at. Sende hemen instagram takipçi satın almak istiyorsan tıkla:

    1- takipçi satın al

    2- takipçi satın al

    3- takipçi satın al

  11. Hello, I wanted to write a little Info related to Visa. Are you interested in traveling to any country? Yes, you can evisa apply online. You can fill out your visa application form online within 5 to 10 minutes via our Visacent website. We offer visas to citizens of over 190 countries. You can read more info about visas via our website.

  12. You are sharing a wonderful article with your audience. Readers are already enjoying it. I am here to inform the travelers who are willing to visit Turkey that they need to fill a Turkey visa application to enter Turkey. Online process makes makes easy to get evisa.

  13. That is the same thing that I am trying to find. Thanks for sharing this information… keep it up The process of e visa Turkey is easy and simple, the application form of Turkey evisa is easy to fill out for everyone, if you want to apply for a visa check out the page.