web application – owasp_zap

The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.

On BackTrack 5 R1, ZAP is located in:

/pentest/web/owasp-zap

1. Start ZAP
root@bt:/pentest/web/owasp-zap# java -jar zap.jar

2. Open Firefox
root@bt:~# firefox

3. Point Firefox to use ZAP as its proxy

Edit / Preferences / Advanced / Network / Settings…
Tick Manual proxy configuration

HTTP Proxy: 127.0.0.1
Port: 8080

OK / Close

4. Now connect to your chosen URL

5. In the OWASP ZAP left column, under Sites, you will see the sites you are looking at.

6. Right click and choose Attack / Active Scan site

Active Scan

It should be noted that active scanning can only find certain types of vulnerabilities. Logical vulnerabilities, such as broken access control, will not be found by any active or automated vulnerability scanning. Manual penetration testing should always be performed in addition to active scanning to find all types of vulnerabilities.

———————————————————————————–

7. Right click and choose Brute Force (Site = URL, List = the URL strings you want to test)

ZAP allows you to try to brute force directories and files.
A set of files is provided which contains a large number of file and directory names.
ZAP attempts to access all of the files and directories listed in the selected file directly, rather than relying on finding links to them.

———————————————————————————–

Brute force lists can be found in /pentest/web/owasp-zap/dirbuster
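
Because the Brute Force step requests every name in the list directly, it shows up in the target's web server log as one client collecting many 404 responses on distinct paths. The following is an added example, not part of the original post or of ZAP: a small log check that flags that pattern. The log lines, the function name find_forced_browsing and both thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log (Common Log Format); not taken from the original page.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2012:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 210
192.0.2.10 - - [01/Jan/2012:10:00:01 +0000] "GET /backup/ HTTP/1.1" 404 210
198.51.100.7 - - [01/Jan/2012:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [01/Jan/2012:10:00:02 +0000] "GET /old/ HTTP/1.1" 404 210
192.0.2.10 - - [01/Jan/2012:10:00:02 +0000] "GET /test.php HTTP/1.1" 404 210
198.51.100.7 - - [01/Jan/2012:10:00:03 +0000] "GET /css/site.css HTTP/1.1" 200 900
192.0.2.10 - - [01/Jan/2012:10:00:03 +0000] "GET /images/ HTTP/1.1" 200 1480
192.0.2.10 - - [01/Jan/2012:10:00:03 +0000] "GET /config.bak HTTP/1.1" 404 210
198.51.100.7 - - [01/Jan/2012:10:00:04 +0000] "GET /favicon.ico HTTP/1.1" 404 210
192.0.2.10 - - [01/Jan/2012:10:00:04 +0000] "GET /phpinfo.php HTTP/1.1" 404 210
"""

# Captures: client, request method, path, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def find_forced_browsing(log_text, min_misses=5, min_miss_ratio=0.8):
    """Flag clients whose requests are mostly 404s on many distinct paths.

    Returns {client_ip: (distinct_404_paths, total_requests)}.
    Both thresholds are assumed values; tune them against real traffic.
    """
    total = defaultdict(int)
    missing = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, _method, path, status = m.groups()
        total[client] += 1
        if status == "404":
            missing[client].add(path.split("?", 1)[0])  # ignore query strings
    return {
        client: (len(paths), total[client])
        for client, paths in missing.items()
        if len(paths) >= min_misses and len(paths) / total[client] >= min_miss_ratio
    }


if __name__ == "__main__":
    for client, (misses, requests) in find_forced_browsing(SAMPLE_LOG).items():
        print(f"{client}: {misses} distinct 404 paths in {requests} requests")
```
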

2 thoughts on “web application – owasp_zap”

  1. You actually make it seem really easy along with your presentation, however I find this topic to be actually something that I think I’d by no means understand. It seems too complex and extremely vast for me. I am looking forward to your next submit, I will attempt to get the hold of it!

    1. Hi Grubaugh, nice forum name. Thanks for your post, we like knowing that people are out there reading our work. If you have any questions just ask, as we are happy to help. To be honest, pentesting is not easy, it can be frustrating and much harder than most ever know, but don’t give up as you will find that you make progress all the time.

      Remember to have fun.
