The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them. It is also a great tool for experienced penetration testers to use for manual security testing.
FEATURES
Active Scan
Break Point
A Break Point allows you to intercept a request and change the values in that request before it is submitted to the server (GET) or displayed to the user (POST).
Demo:
o Assuming that we have these requests on the Sites Tree.
Select the request you want (POST in this case) and click the Break Point button on the toolbar.
Assuming that my username and password are account and password.
After clicking Login, you will be redirected to ZAP (Break Point tab) to start changing the values in the body of the POST request.
After you finish changing the values, click the Play button to submit your new username and password.
Done.
Demo:
o To configure both the Spider and the AJAX Spider, choose Tools -> Options.
o Select the site on the Sites Tree.
Passive Scanner
ZAP passively scans all of the responses from the web application being tested. Passive scanning does not change the responses in any way and is therefore safe to use. Scanning is performed in a background thread to ensure that it does not slow down the exploration of an application.
The passive scanner works by adding tags and raising alerts for potential issues.
If you select Low as the alert threshold, then more potential issues will be raised, which may increase the number of false positives.
If you select High, then fewer potential issues will be raised, which may mean that some real issues are missed (false negatives).
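As an added illustration (not ZAP's own code), a toy passive scanner in Python that applies the ideas above to constructed sample responses: it never modifies a response, tags it, and keeps only the alerts whose confidence meets the chosen alert threshold, so Low raises more alerts and High fewer. The check names, confidence levels and sample traffic are my own assumptions, not ZAP's rule set.

```python
from dataclasses import dataclass

# Alert threshold / confidence ranks (assumed scale, not ZAP's internal one).
THRESHOLD_RANK = {"low": 0, "medium": 1, "high": 2}

@dataclass
class Alert:
    name: str
    confidence: str  # how sure the check is: "low", "medium" or "high"
    url: str

def passive_checks(url, headers, body):
    """Inspect one captured response; the response itself is never modified."""
    h = {k.lower(): v for k, v in headers.items()}
    tags, alerts = [], []
    if "text/html" in h.get("content-type", ""):
        tags.append("html")
        if "x-frame-options" not in h and "content-security-policy" not in h:
            alerts.append(Alert("Missing Anti-clickjacking Header", "medium", url))
        if 'type="password"' in body.lower():
            tags.append("password-form")
            if url.startswith("http://"):
                alerts.append(Alert("Password Form Over Cleartext HTTP", "high", url))
    if "set-cookie" in h and "httponly" not in h["set-cookie"].lower():
        alerts.append(Alert("Cookie Without HttpOnly Flag", "low", url))
    if any(ch.isdigit() for ch in h.get("server", "")):
        alerts.append(Alert("Server Version Disclosure", "low", url))
    return tags, alerts

def scan(responses, threshold="medium"):
    """Scan captured (url, headers, body) tuples and keep only alerts whose
    confidence meets the chosen threshold: Low raises more, High fewer."""
    min_rank = THRESHOLD_RANK[threshold]
    raised = []
    for url, headers, body in responses:
        _, alerts = passive_checks(url, headers, body)
        raised.extend(a for a in alerts if THRESHOLD_RANK[a.confidence] >= min_rank)
    return raised

# Constructed sample responses standing in for traffic proxied through ZAP.
SAMPLE = [
    ("http://shop.example/login",
     {"Content-Type": "text/html", "Server": "Apache/2.4.41",
      "Set-Cookie": "session=abc123; Path=/"},
     '<html><form action="/login"><input type="password" name="p"></form></html>'),
    ("https://shop.example/about",
     {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
     "<html><p>About us</p></html>"),
]
```

Calling `scan(SAMPLE, "low")` raises four alerts for the login page, `"medium"` two and `"high"` only the cleartext password form, which is the false-positive versus false-negative trade-off the threshold setting controls.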
Force Browse
Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the application but are still accessible.
This attack is also known as Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource Enumeration.
Demo
ZAP allows you to try to discover directories and files using forced browsing.
o Create a new Forced Browse tab.
o Choose the site and then press the Start Forced Browse button to begin the test.
o As you can see, there are a lot of hidden directories, but we are able to access them.
Fuzzing
Fuzzing is a technique of submitting lots of invalid or unexpected data to a target.
The fuzzer does not detect vulnerabilities; it's there to help you find vulnerabilities manually.
Demo
Highlight one of the strings you wish to fuzz in the Request tab.
Payload Generators
Payload Generators generate the raw attacks that the fuzzer submits to the target application.
Payload Processors
Payload Processors can be used to change specific payloads before they are submitted.
Fuzz Location Processors can be used to change all of the payloads before they are submitted.
Demo:
Web scanner test site?
Create a txt file containing passwords.
Or perform an SQL injection test.
http://kcntt.duytan.edu.vn/Home/ArticleDetail/vn/128/2461/bai-01-so-luoc-ve-fuzzing-testing
In other words, once you've added the ZAP Root CA certificate to your list of trusted Root CAs, your browser doesn't recognize the man in the middle.
1. Go to Internet Options
2. Click the Content tab
3. Click Certificates
4. Click the Trusted Root Certificates tab
5. The OWASP ZAP Root CA should be there
WebSockets
ZAP is able to:
Demo:
Websocket.org/echo.html
Once connected, enter a message and press the Send button. The output will appear in the Log section. You can change the message and send it again multiple times.