The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.
BackTrack 5 R1
1. Start ZAP
root@bt:/pentest/web/owasp-zap# java -jar zap.jar
2. Open Firefox
3. Point Firefox to use ZAP as its proxy
Edit / Preferences / Advanced / Network / Settings…
tick Manual proxy configuration
HTTP Proxy: 127.0.0.1
Port: 8080
OK / Close
4. Now connect to your chosen URL
5. In the left column of OWASP ZAP, under Sites, you will see the sites you're looking at.
6. Right click and choose Attack / Active Scan site
It should be noted that active scanning can only find certain types of vulnerabilities. Logical vulnerabilities, such as broken access control, will not be found by any active or automated vulnerability scanning. Manual penetration testing should always be performed in addition to active scanning to find all types of vulnerabilities.
7. Right click and choose Brute Force (Site = url, List = the url strings you want to test)
ZAP allows you to try to brute force directories and files.
A set of files is provided, each containing a large number of file and directory names.
ZAP attempts to access every file and directory listed in the selected file directly, rather than relying on finding links to them.
Brute force lists can be found in /pentest/web/owasp-zap/dirbuster
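
Because a brute force run requests names from a list instead of following links, it shows up in the target's web server access log as one client asking for many different paths that mostly return 404. The following is an added example, not part of the original walkthrough or of ZAP: a small log check for that pattern. The log lines are constructed, and the function name and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2012:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2012:10:00:01 +0000] "GET /backup/ HTTP/1.1" 404 211 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2012:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2012:10:00:02 +0000] "GET /test/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2012:10:00:03 +0000] "GET /css/site.css HTTP/1.1" 200 900 "http://example.test/" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2012:10:00:03 +0000] "GET /images/ HTTP/1.1" 200 1400 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2012:10:00:03 +0000] "GET /old/ HTTP/1.1" 404 208 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2012:10:00:04 +0000] "GET /about.html HTTP/1.1" 200 3000 "http://example.test/" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2012:10:00:04 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2012:10:00:04 +0000] "GET /cgi-bin/ HTTP/1.1" 404 212 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2012:10:00:05 +0000] "GET /contact.html HTTP/1.1" 200 2500 "http://example.test/" "Mozilla/5.0"
"""

# client IP, request path and status code from one combined-format line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_forced_browsing(log_text, min_requests=5, min_404_ratio=0.8):
    """Return {ip: stats} for clients whose requests are mostly 404s.

    min_requests and min_404_ratio are illustrative thresholds (assumptions);
    tune them against normal traffic for the site being monitored.
    """
    per_ip = defaultdict(lambda: {"total": 0, "not_found": 0, "paths": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        s = per_ip[m["ip"]]
        s["total"] += 1
        s["paths"].add(m["path"])
        if m["status"] == "404":
            s["not_found"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        if s["total"] >= min_requests and s["not_found"] / s["total"] >= min_404_ratio:
            flagged[ip] = {"total": s["total"], "not_found": s["not_found"],
                           "distinct_paths": len(s["paths"])}
    return flagged

if __name__ == "__main__":
    for ip, s in find_forced_browsing(SAMPLE_LOG).items():
        print(ip, s)
```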