It's always a good idea to know how an attack works at the basic level. Manual techniques often uncover holes that even the most sophisticated tool cannot find. Sometimes, however, one of these tools can make the job a lot easier, especially if you already have a solid foundation. Such a tool can help us carry out a cross-site request forgery with minimal difficulty.
Introduction to OWASP ZAP
The OWASP Zed Attack Proxy (ZAP) is a popular open source web application security scanner developed by the OWASP project. It is a Java-based tool that provides a convenient GUI and comes standard with Kali Linux. In addition to its powerful scanner that can automatically detect many vulnerabilities, it also includes many useful features for manual testing such as spidering, fuzzing, and proxying.
The right section of ZAP contains the scanner functionality, where all you have to do is enter a valid URL and click on "Attack". This section also displays details about individual requests and responses.
The left panel shows the layout of a website after scanning or spidering; this is useful for separating individual pages and getting a comprehensive overview of a website's content. Finally, the lower section of ZAP contains the request history, the search, and any alerts raised during a review.
In this tutorial, we use ZAP as a proxy to intercept traffic. Once our browser is set to manual proxy configuration, ZAP automatically acts as the proxy; this makes it easy to view and modify requests going to the application being tested.
Step 1: Configure the Environment
For this demonstration, we use the vulnerable web application Mutillidae, which is included as part of the Metasploitable 2 virtual machine. OWASP ZAP is used to intercept requests and modify them to carry out the CSRF.
To replicate this attack, we need to set up two different users. Create a new account for each of the two users by calling the following page with the appropriate IP address:
Here we create user1 with the password password:
and similarly user2 with the password hunter2:
Now we can log in as user1 by visiting the login page:
Before we start ZAP, we need to make sure that our browser is configured correctly to intercept traffic. In Firefox, go to "Settings," click "Advanced," followed by "Network," and finally "Settings." Set the proxy configuration to manual and use 127.0.0.1 (localhost) on port 80. Enable "Use this proxy server for all protocols" and make sure no entries are listed under "No proxy for". Now click on "OK" and we are ready to open ZAP.
Step 2: Open ZAP
When we start ZAP, we are asked about session persistence options. For now, we can just accept the default, which does not persist the session:
Now, in our web application, go to the following URL to add a blog entry for user1:
Enter whatever text you like here and click on "Save blog entry" to add the blog entry:
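The blog-entry form just submitted is exactly the kind of state-changing POST request a CSRF review looks at: if the form carries no anti-CSRF token, a forged request from another site is indistinguishable from a legitimate one. As an added example (not code from the original tutorial or from the ZAP project), the Python script below does in miniature what a passive anti-CSRF-token check does: it parses an HTML page, collects every form, and reports POST forms whose hidden fields contain nothing that looks like a token. The HTML is a constructed stand-in for a Mutillidae-style page, and the list of token name hints is an assumption about common naming conventions.

```python
"""Report POST forms that carry no recognisable anti-CSRF token.

Added example, not part of the original tutorial. SAMPLE_HTML is a
constructed page resembling a Mutillidae 'add blog entry' page; the
TOKEN_NAME_HINTS list is an assumed set of common token field names.
"""
from html.parser import HTMLParser

# Hidden-field name fragments commonly used for anti-CSRF tokens (assumed list).
TOKEN_NAME_HINTS = ("csrf", "xsrf", "token", "nonce")

# Constructed sample page: a blog form with no token (like the one in the
# tutorial), a login form that does carry a hidden token, and a GET search form.
SAMPLE_HTML = """
<html><body>
<form action="index.php?page=add-to-your-blog.php" method="post">
  <textarea name="blog_entry"></textarea>
  <input type="submit" name="add-to-your-blog-php-submit-button" value="Save Blog Entry">
</form>
<form action="index.php?page=login.php" method="POST">
  <input type="hidden" name="csrf-token" value="constructed-value">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
<form action="search.php" method="get">
  <input type="text" name="q">
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect every <form> with its method, action and the names of its fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        # Valueless attributes come through as None; normalise them to "".
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {
                "action": a.get("action", ""),
                "method": a.get("method", "get").lower(),
                "hidden": [],
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name", "")
            self._current["fields"].append(name)
            if a.get("type", "").lower() == "hidden":
                self._current["hidden"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def has_csrf_token(form):
    """A form counts as protected if any hidden field name looks like a token."""
    return any(
        hint in name.lower() for name in form["hidden"] for hint in TOKEN_NAME_HINTS
    )


def find_unprotected_forms(html):
    """Return the actions of POST forms that have no anti-CSRF token field."""
    parser = FormCollector()
    parser.feed(html)
    return [
        f["action"]
        for f in parser.forms
        if f["method"] == "post" and not has_csrf_token(f)
    ]


if __name__ == "__main__":
    for action in find_unprotected_forms(SAMPLE_HTML):
        print(f"POST form without anti-CSRF token: {action}")
```

Run against the sample page, the script flags only the blog form. Like any name-based check, it is a heuristic: an application that protects forms with a custom request header or a double-submit cookie rather than a hidden field will be reported as unprotected, and a hidden field that merely contains the word "token" will be accepted, so every hit needs to be confirmed by replaying the request without the suspected token, which is precisely what the intercepting-proxy setup above makes easy.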