Welcome back to the OWASP Top 10 training series. Today, we are going to install OWASP Juice Shop using both Heroku and Docker. This is the last step in our OWASP Top 10 lab setup. Last time, we installed OWASP WebGoat.
I’ve added it to the lab so that we can practice attacking a Node.js backend sitting behind an AngularJS front-end.
After this tutorial, we will start practicing exploitation of the OWASP Top 10 vulnerabilities. If you haven’t been following along from the beginning, it’s not too late: follow the OWASP ZAP or Burp Suite setup blog posts, then install OWASP WebGoat and WebWolf. Or, if you prefer videos, I created the OWASP Top 10 video training series just for you.
In order to stay updated when new episodes are available, make sure to subscribe to the Friday newsletter below!
Why OWASP Juice Shop for this OWASP Top 10 training?
OWASP Juice Shop is a deliberately vulnerable modern web application built on a current single-page application stack: a front-end based on AngularJS and a backend in Node.js. It uses both a SQLite relational database and a MongoDB-style NoSQL database, and it exposes a REST API.
Juice Shop is a well maintained project, which makes it a great target to hone your skills, whether you are a beginner or an experienced pentester.
A public instance is already available at https://juice-shop.herokuapp.com, but I don’t recommend testing against it directly. You will often find challenges already solved, it is shared with other users who might be malicious, and it is explicitly not intended for brute forcing or automated scanning. Be responsible and use it only to get a feel for Juice Shop’s features.
You can learn more on the Juice Shop architecture and its many features here.
Disclaimer: this is a deliberately vulnerable web application, so I strongly discourage running it on your host machine. For this reason, I am going to keep working in my Debian 9 VM. I’ll assume that you already have a Debian 9 VM running on your favorite virtualization software; I am using VirtualBox.
How to Install OWASP Juice Shop on Heroku
Heroku is a cloud platform as a service (PaaS) supporting several programming languages. This means that you can deploy your code directly on the cloud and have a link to your web application. This is very convenient because it lets you deploy Juice Shop without any local setup.
- First, you need to have a Heroku account, which is free. Go to the signup page and register a new account.
- Go to the OWASP Juice Shop GitHub page and scroll down until you see the Heroku deploy button.
- Click on Deploy to Heroku; you will be redirected to your Heroku account.
- Give your app a unique name and click on the Deploy app button.
- Grab a cup of coffee.
- After a while, you will have a brand new instance up and running.
- Click on the View button at the bottom to visit your instance.
How to Install OWASP Juice Shop locally using Docker
If you’d like to reduce network latency, or not depend on the internet at all, working locally is the way to go. We are going to use Docker to avoid installing all the dependencies. If you don’t have Docker installed yet, follow the Docker installation instructions in the OWASP WebGoat tutorial.
- Connect to your Debian 9 VM that we created earlier.
- Download and run OWASP Juice Shop
- Go to: http://your-debian-9-vm-ip-address:3000
- You should see the same web page as https://juice-shop.herokuapp.com
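The Docker steps above as a small script, added here as an example and not part of the original post. It assumes the project's public Docker Hub image name bkimminich/juice-shop, the /rest/admin/application-version endpoint for the readiness check, and that docker and curl are installed in the VM. Because the app is deliberately vulnerable, it binds the published port to one address (set JUICE_BIND to the VM's host-only interface address so only your host machine can reach it) and refuses a wildcard bind unless you explicitly override it.

```sh
#!/bin/sh
# Added example (not from the original post): start OWASP Juice Shop in Docker
# on the Debian VM and wait until it answers on port 3000.
# Assumptions: the public image name "bkimminich/juice-shop", the
# "/rest/admin/application-version" endpoint, and docker + curl being installed.
set -eu

IMAGE="bkimminich/juice-shop"
NAME="juice-shop"
# Bind to the VM's host-only address so only the host machine can reach the
# deliberately vulnerable app. 0.0.0.0 would expose it on every VM network.
BIND="${JUICE_BIND:-127.0.0.1}"
PORT="${JUICE_PORT:-3000}"

# Refuse wildcard binds unless explicitly allowed; returns 1 on a rejected address.
juice_bind_check() {
    case "$1" in
        0.0.0.0|'') [ "${JUICE_ALLOW_PUBLIC:-0}" = 1 ] || return 1 ;;
    esac
    return 0
}

juice_up() {
    juice_bind_check "$BIND" || {
        echo "refusing to bind $BIND; set JUICE_ALLOW_PUBLIC=1 to override" >&2
        return 1
    }
    docker pull "$IMAGE"
    docker run -d --rm --name "$NAME" -p "$BIND:$PORT:3000" "$IMAGE"
}

# Poll the REST API until it returns HTTP 200, or give up after $1 seconds.
juice_wait() {
    deadline=$(( $(date +%s) + ${1:-60} ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        code=$(curl -s -o /dev/null -w '%{http_code}' \
               "http://$BIND:$PORT/rest/admin/application-version" || true)
        [ "$code" = 200 ] && { echo "Juice Shop is up on http://$BIND:$PORT"; return 0; }
        sleep 2
    done
    echo "Juice Shop did not become ready" >&2
    return 1
}

juice_down() { docker stop "$NAME"; }

case "${1:-}" in
    up)   juice_up && juice_wait 90 ;;
    down) juice_down ;;
    *)    echo "usage: $0 up|down" >&2 ;;
esac
```

Run it in the VM as `JUICE_BIND=<vm-host-only-ip> sh juice.sh up`, then browse to http://<vm-host-only-ip>:3000 from the host; `sh juice.sh down` stops the container (it is removed automatically because of --rm).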
Install Juice shop from source code
Some challenges are not available in either the Docker image or the Heroku deployment. For those, you have no choice but to install Juice Shop from source code.
Step 1: NodeJS installation
- Download the Linux64 bit binaries
- Extract it to a destination of your choice; mine is /home/thehackerish/nodejs
- Update your PATH variable
Step 2: Juice Shop from source
- Go to Juice Shop’s release page and choose the archive that matches your Node.js version. Because my Debian VM runs Node.js 12, I am going to choose the archive built for Node.js 12.
- Extract the archive
- Change directory to the folder and run the application
- Now all you have to do is visit your browser to verify that your challenges are available.
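The two steps above combined into one script, added here as an example and not taken from the original post. It assumes you have already downloaded the Node.js Linux x64 tarball and the Juice Shop release archive and pass both as arguments, and that the release archive name carries a "_nodeNN_" tag (juice-shop-X.Y.Z_node12_linux_x64.tgz style); the check that the archive's Node.js major matches the installed one is the point, because a mismatch breaks the native modules at startup.

```sh
#!/bin/sh
# Added example (not from the original post): install Node.js from its Linux
# x64 tarball, put it on PATH, and run a Juice Shop release archive after
# checking that the archive was built for the installed Node.js major version.
# Assumptions: both archives are already downloaded and given as $1 and $2;
# the release archive name contains "_nodeNN_" (e.g. ..._node12_linux_x64.tgz).
set -eu

NODE_HOME="${NODE_HOME:-$HOME/nodejs}"

# "v12.18.3" -> "12" (accepts the version with or without the leading "v")
node_major_of_version() {
    printf '%s\n' "$1" | sed -n 's/^v\{0,1\}\([0-9][0-9]*\)\..*/\1/p'
}

# "juice-shop-12.0.0_node12_linux_x64.tgz" -> "12"; prints nothing without a tag
node_major_of_archive() {
    printf '%s\n' "$1" | sed -n 's/.*_node\([0-9][0-9]*\)_.*/\1/p'
}

install_node() {            # $1 = node-vNN.x.y-linux-x64.tar.xz
    mkdir -p "$NODE_HOME"
    tar -xJf "$1" -C "$NODE_HOME" --strip-components=1
    case ":$PATH:" in
        *":$NODE_HOME/bin:"*) ;;
        *)  PATH="$NODE_HOME/bin:$PATH"; export PATH
            printf 'export PATH="%s/bin:$PATH"\n' "$NODE_HOME" >> "$HOME/.profile" ;;
    esac
    node --version
}

run_juice_shop() {          # $1 = juice-shop-X.Y.Z_nodeNN_linux_x64.tgz
    have=$(node_major_of_version "$(node --version)")
    want=$(node_major_of_archive "$(basename "$1")")
    if [ -n "$want" ] && [ "$have" != "$want" ]; then
        echo "archive is built for Node.js $want but node $have is installed" >&2
        return 1
    fi
    dir="${1%.tgz}"
    mkdir -p "$dir"
    tar -xzf "$1" -C "$dir" --strip-components=1   # archive has one top-level folder
    cd "$dir" && npm start                         # serves http://localhost:3000
}

if [ $# -eq 2 ]; then
    install_node "$1"
    run_juice_shop "$2"
fi
```

Usage: `sh juice-from-release.sh node-v12.22.12-linux-x64.tar.xz juice-shop-12.0.0_node12_linux_x64.tgz` (file names are illustrative). Then open http://<vm-ip>:3000 and check that the challenges missing from Docker and Heroku are listed on the score board.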
Testing our installation
Now that Juice Shop is up and running, let’s see if we can capture HTTP requests using our previously installed web proxies.
- Make sure you have either Burp Suite or Zaproxy up and running on your host machine.
- Using the FoxyProxy browser add-on, select the proxy you want to send traffic through.
- Go to the URL of Juice Shop.
- Verify that you can capture HTTP traffic.
The following screenshots demonstrate that my local Juice Shop instance is well configured with Burp Suite.
The following screenshots demonstrate that my local and Heroku Juice Shop instances are well configured with OWASP Zap.
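A command-line version of the check above, added as an example that is not part of the original post: instead of trusting the FoxyProxy setting, it sends a request through the proxy with curl and inspects curl's verbose trace for the two signs of interception, a connection to the proxy's host and port and, for HTTPS targets such as the Heroku instance, a CONNECT tunnel. It assumes Burp or ZAP listens on 127.0.0.1:8080 and that, for HTTPS, the proxy's CA certificate has been exported in PEM format to the path in CA_BUNDLE; without it curl rejects the certificate the proxy forges, which is the same failure you see in the browser before importing the CA.

```sh
#!/bin/sh
# Added example (not from the original post): confirm requests to Juice Shop
# really go through the intercepting proxy. Assumptions: Burp or ZAP listens
# on 127.0.0.1:8080 and CA_BUNDLE points at the proxy's CA certificate (PEM),
# which is needed for the HTTPS Heroku instance.
set -eu

PROXY="${PROXY:-http://127.0.0.1:8080}"
CA_BUNDLE="${CA_BUNDLE:-}"      # e.g. ~/burp-ca.pem or ~/zap-root-ca.pem

# Inspect a `curl -v` trace: a proxied request connects to the proxy host/port
# and, for https targets, opens a CONNECT tunnel. Returns 0 if the signs are
# present (the CONNECT line is only required for https URLs).
went_via_proxy() {              # $1 = curl -v trace text, $2 = target URL
    trace=$1; url=$2
    host=${PROXY#*://}; host=${host%%:*}; port=${PROXY##*:}
    printf '%s\n' "$trace" | grep -q "Connected to $host ($host) port $port" || return 1
    case "$url" in
        https://*) printf '%s\n' "$trace" | grep -q '^> CONNECT ' || return 1 ;;
    esac
    return 0
}

check_target() {                # $1 = Juice Shop base URL
    trace=$(curl -sS -v -x "$PROXY" ${CA_BUNDLE:+--cacert "$CA_BUNDLE"} \
                -o /dev/null "$1/rest/admin/application-version" 2>&1) || {
        echo "request to $1 failed (proxy down? proxy CA not trusted?)" >&2
        return 1
    }
    if went_via_proxy "$trace" "$1"; then
        echo "OK: $1 was fetched through $PROXY; it should now appear in the proxy history"
    else
        echo "NOT proxied: $1 was reached without going through $PROXY" >&2
        return 1
    fi
}

if [ $# -gt 0 ]; then
    for url in "$@"; do check_target "$url"; done
fi
```

Usage: `CA_BUNDLE=~/burp-ca.pem sh proxy-check.sh http://192.168.56.10:3000 https://juice-shop.herokuapp.com` (addresses are illustrative). Each request should then show up in Burp's HTTP history or ZAP's History tab.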
Congratulations! You’ve finished setting up the lab for the OWASP Top 10 training! In the next episode, we are going to start exploiting our first vulnerability. Stay tuned!
A video is available on Youtube if you enjoy learning by watching!
Checksums for all of the ZAP downloads are maintained on the 2.9.0 Release Page and in the relevant version files.
As with all software we strongly recommend that ZAP is only installed and used on operating systems and JREs that are fully patched and actively maintained.
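A download check added here as an example, not taken from the ZAP download page: it computes the SHA-256 of the file you downloaded and compares it with the value published on the release page, so that a tampered or truncated installer is caught before it is run. It assumes you paste the published hash as the second argument, either as bare hex or as a "hash  filename" line in sha256sum format.

```sh
#!/bin/sh
# Added example (not from the ZAP download page): verify a downloaded ZAP file
# against the SHA-256 published on the release page before installing it.
# Assumption: the published hash is given as bare hex or as a sha256sum-style
# "hash  filename" line.
set -eu

# Print the lower-case SHA-256 of a file using whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# Normalise the published value: first field of a sha256sum line, lower case.
expected_hex() {
    printf '%s\n' "$1" | awk '{print tolower($1)}'
}

# Returns 0 when the file matches the published hash, 1 otherwise.
verify_sha256() {           # $1 = downloaded file, $2 = published hash
    want=$(expected_hex "$2")
    case "$want" in
        *[!0-9a-f]*|'') echo "bad expected hash: $2" >&2; return 1 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "expected hash must be 64 hex chars" >&2; return 1; }
    got=$(sha256_of "$1")
    if [ "$got" = "$want" ]; then
        echo "OK: $1 matches the published SHA-256"
    else
        echo "MISMATCH for $1: got $got, expected $want; do not install it" >&2
        return 1
    fi
}

if [ $# -eq 2 ]; then
    verify_sha256 "$1" "$2"
fi
```

Usage: `sh verify-zap.sh ZAP_2_9_0_Linux.tar.gz '<hash copied from the release page>'`; a non-zero exit means the file should be discarded and re-downloaded.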
ZAP 2.9.0
Windows (64) Installer | 94 MB |
Windows (32) Installer | 94 MB |
Linux Installer | 94 MB |
Linux Package | 92 MB |
MacOS Installer | 125 MB |
Cross Platform Package | 108 MB |
Core Cross Platform Package | 35 MB |
- Most of the files contain the default set of functionality, and you can add more functionality at any time via the ZAP Marketplace.
- The core package contains the minimal set of functionality you need to get you started.
- The Windows and Linux versions require Java 8 or higher to run.
- The macOS version includes Java 8 - you can use the Linux or Cross Platform versions if you do not want to download this.
- The installers are built using a multi-platform installer builder.
- For more information about this release see the release notes.
- Launch the installation wizard by double clicking on the downloaded executable file
- Read the License agreement and click 'Accept' to continue the installation
- Select 'Standard' or 'Custom' installation
- Click 'Finish' to exit set up
Docker
Stable | The standard release | docker pull owasp/zap2docker-stable |
Bare | Minimal release, ideal for CI | docker pull owasp/zap2docker-bare |
Weekly | Updated every week | docker pull owasp/zap2docker-weekly |
Live | The very latest source code | docker pull owasp/zap2docker-live |
- See Docker for more information.
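The CI use of the images above, added as an example and not part of the ZAP download page: run the baseline scan that ships in the ZAP Docker images against the Juice Shop lab and gate a job on its summary. It assumes docker is installed, the target is reachable from the container (on Linux, --network host lets it reach a VM on a host-only interface), and the summary line printed by zap-baseline.py has the form "FAIL-NEW: n FAIL-INPROG: n WARN-NEW: n WARN-INPROG: n INFO: n IGNORE: n PASS: n". The target address is a placeholder for your own VM; do not point this at the public Heroku instance.

```sh
#!/bin/sh
# Added example (not from the ZAP download page): run zap-baseline.py from the
# ZAP Docker image against the Juice Shop lab and fail the job on new FAILs.
# Assumptions: docker installed; target reachable from the container; summary
# line format "FAIL-NEW: n FAIL-INPROG: n WARN-NEW: n ... PASS: n".
set -eu

ZAP_IMAGE="${ZAP_IMAGE:-owasp/zap2docker-stable}"
TARGET="${TARGET:-http://192.168.56.10:3000}"   # your Juice Shop VM, never the public instance

# The baseline scan spiders the target for up to -m minutes and runs passive
# rules only, so it is safe to run often. -I: do not fail on warnings;
# -r: write an HTML report into the mounted /zap/wrk directory.
run_baseline() {
    docker run --rm --network host -v "$PWD:/zap/wrk:rw" -t "$ZAP_IMAGE" \
        zap-baseline.py -t "$TARGET" -m 2 -I -r zap-baseline.html
}

# Count of one summary field, e.g. count_of "$summary" FAIL-NEW
count_of() {
    printf '%s\n' "$1" | sed -n "s/.*$2: \([0-9][0-9]*\).*/\1/p"
}

# Gate: 0 if the last summary line has no new FAILs, 1 otherwise, 2 if the
# output has no summary at all (scan did not run). Warnings are only reported.
gate_on_summary() {             # $1 = full baseline output text
    summary=$(printf '%s\n' "$1" | grep 'FAIL-NEW:' | tail -n 1)
    [ -n "$summary" ] || { echo "no summary line in scan output" >&2; return 2; }
    fails=$(count_of "$summary" FAIL-NEW)
    warns=$(count_of "$summary" WARN-NEW)
    echo "baseline: ${fails:-0} new failures, ${warns:-0} new warnings"
    [ "${fails:-0}" -eq 0 ]
}

if [ "${1:-}" = scan ]; then
    out=$(run_baseline 2>&1) || true     # exit code is judged from the summary below
    printf '%s\n' "$out"
    gate_on_summary "$out"
fi
```

Usage: `TARGET=http://<vm-ip>:3000 sh zap-ci.sh scan`; the HTML report lands in the current directory. Swap owasp/zap2docker-bare in via ZAP_IMAGE for a smaller CI pull.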
ZAP Weekly
Weekly Cross Platform Package | 129 MB |
- We generate weekly releases of ZAP from the develop branch, typically every Monday.
- These are just intended for people who want to use all of the features we've added since the last ‘full’ release but don't want the hassle of building ZAP from the source code.
- While we endeavor to ensure that weekly releases are robust, things may be broken or only partially implemented.
- It is cross platform (Windows, Linux and macOS) but does not include any installers.
- It requires Java 8 or higher to run.
Snapcraft
- On Linux systems you can use Snapcraft.
- To install:
snap install zaproxy --classic
- To run:
zaproxy
Homebrew Cask
- On Mac OS X you can also install ZAP using Homebrew Cask
- To install:
brew cask install owasp-zap
Flathub
- On Linux systems you can also use Flathub.
- To install:
flatpak install flathub org.zaproxy.ZAP
- To run:
flatpak run org.zaproxy.ZAP
Latest Versions
- We maintain a page containing XML with links to the latest ZAP release files
- You can use this to automatically pull down the latest ZAP release for the platform you need.
- ZAP uses similar URLs when checking for updates.
- These files are version specific and define the add-ons available on the ZAP Marketplace for that release stream.
- The 2.9 release stream uses https://raw.githubusercontent.com/zaproxy/zap-admin/master/ZapVersions-2.9.xml
- The development code uses https://raw.githubusercontent.com/zaproxy/zap-admin/master/ZapVersions-dev.xml
- At the moment these files are the same, but it does allow us to maintain different versions of add-ons for different versions of ZAP, if we need to support this in the future.