Study of the techniques used by OWASP ZAP for analysis of vulnerabilities in web applications

Abstract: Today, new web applications are made every single day with increasingly more sensitive data to manage. To ensure that no security vulnerabilities such as data leakage in web applications exist, developers are using tools such as a web vulnerability scanner. This type of tool can detect vulnerabilities by automatically finding input fields where data can be injected and performing different attacks on these fields. One of the most common web vulnerability scanners is OWASP ZAP. Web vulnerability scanners were first developed during a time when traditional multi-page applications were prominent. Nowadays, when modern single-page applications have become the de facto standard, new challenges for web vulnerability scanners have arisen. These problems include identifying dynamically updated web pages. This thesis aims to evaluate the techniques used by OWASP ZAP and several other web vulnerability scanners for identifying two of the most common vulnerabilities, SQL injections and cross-site scripting. This issue is approached by testing the selected web vulnerability scanners on deliberately vulnerable web applications, to assess the performance and techniques used, and to determine if the performance of OWASP ZAP could be improved. If an identified technique in another web vulnerability scanner performed better than the counterpart in OWASP ZAP, it will be implemented in OWASP ZAP and evaluated. From the tests performed, it could be concluded that the performance of OWASP ZAP was lacking in the search for input fields, where a depth-first search algorithm was used. The breadth-first search algorithm used by other scanners was shown to be more effective in specific cases and was therefore implemented in OWASP ZAP. The result shows that the use case for the two algorithms differs between web applications and by using both of the algorithms to find vulnerabilities, better performance is achieved.