Using Owasp Zap to validate or pentest web sockets

Introduction

Greetings. If you are a QA engineer or pentester, you may come across applications built on WebSockets, such as video conferencing apps, and find it hard to observe the application's communication, especially when you are testing it as a black box. For that you need a good tool that can handle this kind of application.

Owasp Zap

OWASP ZAP (short for Zed Attack Proxy) is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers.

It is one of the most active Open Web Application Security Project (OWASP) projects[2] and has been given Flagship status.[3]

When used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including traffic using HTTPS.

It can also run in a daemon mode, which is then controlled via a REST API.

Let’s Get Started

1- Install ZAP

2- Prepare the app whose WebSockets you want to test

3- Open ZAP

4- Select Manual Explore mode

5- Enter the target URL, select a web browser, then click "Launch Browser"

** If the selected target uses WebSockets, you will see a new tab added to ZAP called "WebSockets".

In it you can observe all the channels the app uses and all the messages the app sends to its servers.

6- You can select any message, edit it, and send it again to the server to check the server's response.

** You can also fuzz your target by sending the same message many times with different payloads.
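The same observation step can be scripted against the daemon mode mentioned above. The following is an added example, not code from the original post or from the ZAP project: it queries ZAP's REST API for the WebSocket channels and messages it has proxied and summarises traffic per channel. It assumes ZAP is running as a daemon on localhost:8080 with an API key, and that the WebSocket add-on exposes `websocket/view/channels` and `websocket/view/messages` with `OUTGOING`/`INCOMING` directions; check those names against your ZAP version's API UI.

```python
"""Summarise WebSocket traffic proxied by a ZAP daemon (added example).
Assumed setup: zap.sh -daemon -port 8080 -config api.key=<KEY>
Endpoint and field names are assumptions about the ZAP WebSocket add-on API."""
import json
import sys
import urllib.parse
import urllib.request
from collections import Counter, defaultdict

ZAP_BASE = "http://localhost:8080"  # assumed daemon listen address


def api_url(component: str, view: str, params: dict, apikey: str) -> str:
    """Build a ZAP JSON API view URL, e.g. /JSON/websocket/view/channels/?apikey=..."""
    query = dict(params, apikey=apikey)
    return f"{ZAP_BASE}/JSON/{component}/view/{view}/?{urllib.parse.urlencode(query)}"


def fetch(url: str) -> dict:
    """Call the API and decode the JSON body (needs a reachable ZAP daemon)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def summarize_messages(payload: dict) -> dict:
    """Count messages per channel and direction and total the payload bytes,
    so each client<->server channel can be reviewed at a glance."""
    summary = defaultdict(Counter)
    for msg in payload.get("messages", []):
        entry = summary[str(msg["channelId"])]
        entry[msg.get("direction", "UNKNOWN")] += 1
        entry["bytes"] += int(msg.get("payloadLength", len(msg.get("payload", ""))))
    return {channel: dict(counts) for channel, counts in summary.items()}


# Constructed sample shaped like the assumed messages view response (offline demo).
SAMPLE_MESSAGES = {"messages": [
    {"channelId": "1", "direction": "OUTGOING", "payload": "join", "payloadLength": 4},
    {"channelId": "1", "direction": "INCOMING", "payload": "ok", "payloadLength": 2},
    {"channelId": "2", "direction": "OUTGOING", "payload": "ping"},
]}


def main(apikey: str) -> None:
    channels = fetch(api_url("websocket", "channels", {}, apikey))
    for ch in channels.get("channels", []):
        print(f"channel {ch['id']}: {ch['url']}")
    messages = fetch(api_url("websocket", "messages", {"start": 0, "count": 1000}, apikey))
    for channel_id, counts in summarize_messages(messages).items():
        print(f"channel {channel_id}: {counts}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "changeme")
```

Run it after completing the browser steps above so the daemon has proxied some WebSocket traffic; `summarize_messages(SAMPLE_MESSAGES)` shows the output shape without a live ZAP.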
