Skip to content

Contact sales

By filling out this form and clicking submit, you acknowledge our privacy policy.
  • Labs icon Lab
  • A Cloud Guru
Google Cloud Platform icon

OWASP ZAP (Zed Attack Proxy) Lab

In this lab the student is able to use the OWASP ZAP (Zed Attack Proxy) to do a pentest (penetration test) on a sample application. The application staged for scanning is the WebGoat web application. Two AWS EC2 instances are created. The first is to host the ZAP application. The second is to host the WebGoat application. The student is guided through the process of running ZAP from their Linux command line to execute the test. Then the student is able to interogate the results and consider various resources for determining appropriate remediation. > *NOTE:   This lab takes some extra time to provision. If the goat web site does not come up right away, please give the lab a few minutes to finish setting up. Due to recent system changes & version updates this lab will no longer show the same vulnerabilities as depicted in the Lab video.  At times there may even be no vulnerabilities found.   > I recommend that you still complete the lab and the follow up activities as shown, but not be concerned or disappointed if you do produce the same vulnerabilities as shown in the video. > Work is underway to bake in some vulnerabilities so that students always have something to research and try to fix*.

Google Cloud Platform icon

Path Info

Clock icon Beginner
Clock icon 1h 30m
Clock icon Nov 14, 2018

Contact sales

By filling out this form and clicking submit, you acknowledge our privacy policy.

Table of Contents

  1. Challenge

    Use the student's browser to run the WebGoat application and Register the clouduser username

    The student should run their browser (Chrome is recommended) and then navigate to the address of the WebGoat instance.

    http://[EC2 Server Public-IP]:8080/WebGoat

    *Note: The application is listening on port 8080 not 80

  2. Challenge

    Register the clouduser username to the WebGoat instance

    The student should choose to register the user. The following username and password should be used.

    username: clouduser
    password: password

    Once the username has been setup, the student should go to the next task.

  3. Challenge

    Use SSH or Terminal to access the ZAP EC2 Instance as cloud_user

    After registering the clouduser username in the WebGoat application, the student should use the terminal emulator of their choice to access the OWASP ZAP EC2 Instance as cloud_user.

    $ ssh cloud_user@[PUBLIC IP ADDRESS (of the ZAP server)]

    Once logged in, proceed to the next task.

  4. Challenge

    Run The OWASP Zap PenTest

    The student will see a shell script in the /home/cloud_user directory.

    Run that script with the following command:

    $ sudo sh [PRIVATE IP ADDRESS (of the EC2 Instance running WebGoat]

    *Note: Please use the Private IP address of the WebGoat server to avoid running the PenTest across Amazon's external network segments.

  5. Challenge

    Copy the 'zapreport.html' Report to the Apache Web Server Directory

    Once the OWASP ZAP scan has completed, the student can use the following command to copy the report to the apache Web Root directory.

    $ sudo cp zapreport.html /var/www/html

    *Note: sudo is required because of the restrictive write permissions on the Apache Webroot directory.

  6. Challenge

    Use the Student's Browser To View the OWASP ZAP Report

    Once the zapreport.html file has been copied to the Apache Web Root directory, the student may view the report with the following URL Address:

    http://[ZAP EC2 Public IP Address]/zapreport.html

The Cloud Content team comprises subject matter experts hyper focused on services offered by the leading cloud vendors (AWS, GCP, and Azure), as well as cloud-related technologies such as Linux and DevOps. The team is thrilled to share their knowledge to help you build modern tech solutions from the ground up, secure and optimize your environments, and so much more!

What's a lab?

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Provided environment for hands-on practice

We will provide the credentials and environment necessary for you to practice right within your browser.

Guided walkthrough

Follow along with the author’s guided walkthrough and build something new in your provided environment!

Did you know?

On average, you retain 75% more of your learning if you get time for practice.

Start learning by doing today

View Plans