
OWASP ZAP (Zed Attack Proxy) Lab

Hands-On Lab







In this lab, the student uses OWASP ZAP (Zed Attack Proxy) to run a pentest (penetration test) against a sample application. The application staged for scanning is the WebGoat web application. Two AWS EC2 instances are created: the first hosts the ZAP application and the second hosts the WebGoat application. The student is guided through running ZAP from the Linux command line to execute the test. The student can then interrogate the results and consider various resources for determining appropriate remediation.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

This lab initiates two AWS EC2 server instances. The first is the server that hosts the OWASP ZAP (Zed Attack Proxy) program. The second EC2 instance hosts the WebGoat sample web application.

The first step is to access the WebGoat application through the student's browser and register the clouduser username with a password of password. This may be done by accessing the WebGoat application through the following URL:

http://[Public IP Address (of the WebGoat server)]:8080/WebGoat

Once in the system, click to register a user and enter:

username: clouduser
password: password

After the WebGoat server has been prepared, the student should use the terminal emulator of their choice to access the EC2 instance that will be used to run the OWASP ZAP program. This can be done through the following command:

$ ssh cloud_user@[Public IP Address (of the OWASP ZAP server)]

The password for cloud_user is found on the lab web page.

Once the student has gained access to the OWASP ZAP instance, the student may run the scan by executing the shell script as follows:

$ sudo sh [Private IP Address (of the WebGoat server)]

*Note: It is very important that you pass the script the PRIVATE IP ADDRESS of the WebGoat server as the first execution argument.
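
One way to enforce the note above before the scan starts, as an added example that is not part of the lab's own script: a POSIX shell guard that refuses any target outside the RFC 1918 private IPv4 ranges. The function names and the SCRIPT argument are assumptions (the page does not name the scan script), and it assumes the lab VPC uses RFC 1918 addressing.

```shell
#!/bin/sh
# Added example (not the lab's script): only allow a scan against a private target.

# is_private_ipv4 ADDR
# Exit status 0 if ADDR is a well-formed dotted quad inside 10.0.0.0/8,
# 172.16.0.0/12 or 192.168.0.0/16; exit status 1 otherwise.
is_private_ipv4() {
    addr=$1
    # Accept digits and dots only; this also rejects shell metacharacters.
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Split on dots; exactly four octets are required.
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] || return 1
        # Reject leading zeros, which some tools read as octal.
        case $octet in 0[0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    case $1 in
        10)  return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
        192) [ "$2" -eq 168 ] && return 0 ;;
    esac
    return 1
}

# guarded_scan SCRIPT ADDR
# SCRIPT is a placeholder for the lab's scan script (not named on the page).
# Returns 2 without running anything when ADDR is not a private address.
guarded_scan() {
    if ! is_private_ipv4 "$2"; then
        echo "refusing to scan '$2': not an RFC 1918 private IPv4 address" >&2
        return 2
    fi
    sudo sh "$1" "$2"
}
```
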

After the OWASP ZAP program has run, the student should copy the HTML report to the Apache web server root directory. This can be done with the command:

$ sudo cp zapreport.html /var/www/html

Once the report has been copied, the student may view it in their browser at the following URL:

http://[Public IP Address (of the OWASP ZAP server)]/zapreport.html

The video contains the lesson explaining aspects of the test and remediation techniques.

This completes the lab.