Thursday, November 5, 2015

How to use ZAP tool to run a Security Vulnerability Test

The ZAP (OWASP Zed Attack Proxy) is an integrated penetration testing tool for finding vulnerabilities in web applications. A significant part of ZAP is active scanning for known vulnerabilities, such as SQL injection. For more details see https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Installation
  • You can download the ZAP tool from https://www.owasp.org/index.php/Category:OWASP_Download
  • Unzip the package and start ZAP with the launcher for your platform
Steps
1. First we need to run ZAP as a proxy. Open ZAP -> Tools -> Options -> Local Proxy, then set the address and port on which ZAP listens for requests:
Address: localhost
Port: 8085
2. Configure the local browser to use this proxy (I'm using Firefox here):
Settings -> Network -> Proxy Settings, pointing the HTTP proxy at localhost, port 8085
3. Using the proxy-configured browser, access the application and walk through all the workflows you wish to include in the security scan. Every scenario you exercise is recorded by ZAP; in the History tab you will find all recorded URLs with their security level.

4. Run an active scan for the recorded scenarios. (Active scanning finds potential vulnerabilities by using known attacks against the selected targets.)
  • As shown in the image, select the site you wish to scan and click Active Scan. A new window pops up; press the Start Scan button in it. ZAP will scan the selected site's links (POST and GET requests).
  • Once a vulnerability has been found it is noted at the bottom left-hand corner of the interface with a flag indicating the risk: High, Medium, Low, Informational, or False Positive, as shown.
  • For a detailed description, select the Alerts tab.

Note that ZAP also lets you export the findings as reports.
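The flagged findings from step 4 and the exported report are what you triage next. As an added example (not code from the original post, and not part of ZAP itself), the Python below takes a JSON alert list whose field names follow ZAP's alert export (alert, risk, confidence, url, param), drops alerts already reviewed as False Positive, collapses repeated hits on the same parameter, and applies a simple risk gate; the records and the target.example host are constructed.

```python
# Added example, not from the original post. Records are constructed but use
# the field names of ZAP's alert export; target.example is a placeholder.
import json
from collections import Counter

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

SAMPLE_ALERTS_JSON = json.dumps([
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://target.example/login", "param": "username"},
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://target.example/login", "param": "username"},  # repeat hit
    {"alert": "Cross Site Scripting (Reflected)", "risk": "Medium",
     "confidence": "Low", "url": "http://target.example/search", "param": "q"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Low",
     "confidence": "Medium", "url": "http://target.example/", "param": ""},
    {"alert": "Cookie Without Secure Flag", "risk": "Low",  # marked FP in the UI
     "confidence": "False Positive", "url": "http://target.example/login",
     "param": "session"},
    {"alert": "Information Disclosure - Suspicious Comments",
     "risk": "Informational", "confidence": "Low",
     "url": "http://target.example/app.js", "param": ""},
])

def load_alerts(raw_json):
    """Parse an exported alert list (a JSON array of alert objects)."""
    return json.loads(raw_json)

def triage(alerts):
    """Drop alerts reviewed as False Positive, collapse repeated hits on the
    same (alert, url, param), and return them highest risk first plus counts."""
    seen, kept = set(), []
    for a in alerts:
        if a.get("confidence") == "False Positive":
            continue
        key = (a["alert"], a["url"], a.get("param", ""))
        if key not in seen:
            seen.add(key)
            kept.append(a)
    kept.sort(key=lambda a: RISK_ORDER[a["risk"]], reverse=True)
    return kept, Counter(a["risk"] for a in kept)

def passes_gate(counts, fail_at="Medium"):
    """True when nothing remaining is at or above the fail_at risk level."""
    return all(RISK_ORDER[r] < RISK_ORDER[fail_at] for r in counts)

if __name__ == "__main__":
    kept, counts = triage(load_alerts(SAMPLE_ALERTS_JSON))
    print("gate:", "PASS" if passes_gate(counts) else "FAIL", dict(counts))
```

Adjust fail_at to the risk level your team treats as blocking; the same triage can be run over the alert list ZAP exports from a real scan.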
