Monday 3 October 2022

OWASP ZAP Tool

 

The Zed Attack Proxy (ZAP) is developed by the Open Web Application Security Project (OWASP), a non-profit focused on software security. It is a web application assessment tool written in Java. To automate the discovery of the links and content of a web application, ZAP uses crawlers (spiders); a crawler is a program that automatically follows links and fetches documents on the web. Because ZAP sits between the user's browser and the web application as an intercepting proxy, it can intercept and inspect each request, modify its contents if required, and then forward it to the web server.

ZAP also includes an automated vulnerability scan engine. ZAP will scan a web application and report common vulnerabilities such as cross-site scripting, injection flaws and input validation issues. ZAP can also find insecure files and directories exposed by the web server, and it reports insecure permissions and other configuration problems.

Following are some screenshots of ZAP, which we used to perform a web application scan. We used a Kali Linux environment for this scanning. ZAP is launched from a terminal; the help output below lists the available command-line options:

owasp-zap -h


ZAP Welcome Screen 


To scan a site, type the URL into the "URL to attack" field and click Attack. Before starting the attack you can also choose whether to crawl the site with the traditional spider, the AJAX spider, or both.

ZAP Scan Website

After the scan finishes, click the Alerts tab, which lists the alerts raised against the scanned website:

ZAP Alerts

Clicking an alert in that window shows the details of the detected vulnerability in the information pane on the right. You can also inspect the server's reply by clicking the Response tab, which shows the header and body of the response, with the evidence that triggered the alert highlighted.
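The same spider, active scan and alert review can be driven without the GUI through ZAP's JSON REST API, which is how a scan is usually wired into a build pipeline. The following Python script is an added example written for this post, not code from the ZAP project. It assumes ZAP was started in daemon mode on 127.0.0.1:8080 with the API key `changeme` (both assumptions, set with `zap.sh -daemon -port 8080 -config api.key=changeme`), and the alert list embedded at the bottom is a constructed sample shaped like the `core/view/alerts` response so that the triage logic runs offline:

```python
"""Drive a headless OWASP ZAP scan over its JSON REST API and triage the alerts.

Assumptions (not from the original post): ZAP runs as a daemon at ZAP_URL with
API key API_KEY, and the target is in scope for the scan. SAMPLE_ALERTS below is
constructed to mirror the shape of ZAP's core/view/alerts output.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_URL = "http://127.0.0.1:8080"   # assumed daemon address
API_KEY = "changeme"                 # assumed API key (zap.sh -config api.key=...)

# Risk levels as reported in the "risk" field of each ZAP alert
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def api_url(component, kind, name, params=None, base=ZAP_URL):
    """Build a ZAP JSON API URL such as .../JSON/spider/action/scan/?url=..."""
    query = urllib.parse.urlencode(params or {})
    return f"{base}/JSON/{component}/{kind}/{name}/?{query}"


def zap_call(component, kind, name, **params):
    """Call one API endpoint (key sent in the X-ZAP-API-Key header) and decode the JSON."""
    req = urllib.request.Request(api_url(component, kind, name, params),
                                 headers={"X-ZAP-API-Key": API_KEY})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_for_scan(component, scan_id, poll_seconds=5):
    """Poll <component>/view/status until the scan reports 100 percent complete."""
    while int(zap_call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll_seconds)


def run_scan(target):
    """Spider the target, then actively scan it, then fetch its alerts (needs a live ZAP)."""
    spider_id = zap_call("spider", "action", "scan", url=target)["scan"]
    wait_for_scan("spider", spider_id)
    ascan_id = zap_call("ascan", "action", "scan", url=target)["scan"]
    wait_for_scan("ascan", ascan_id)
    return zap_call("core", "view", "alerts", baseurl=target, start=0, count=1000)["alerts"]


def triage(alerts, min_risk="Low"):
    """Drop alerts below min_risk, collapse repeats of the same finding on the same
    URL and parameter, and return the rest sorted highest risk first."""
    threshold = RISK_ORDER[min_risk]
    unique = {}
    for alert in alerts:
        if RISK_ORDER.get(alert["risk"], 0) < threshold:
            continue
        key = (alert["alert"], alert["url"], alert.get("param", ""))
        unique.setdefault(key, alert)          # keep the first instance seen
    return sorted(unique.values(),
                  key=lambda a: (-RISK_ORDER[a["risk"]], a["alert"]))


def risk_counts(alerts):
    """Count alerts per risk level, e.g. {"High": 2, "Low": 1}."""
    counts = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


def should_fail(alerts, gate="High"):
    """True if any alert is at or above the gate level; use it to fail a CI job."""
    return any(RISK_ORDER.get(a["risk"], 0) >= RISK_ORDER[gate] for a in alerts)


# Constructed sample, shaped like ZAP's core/view/alerts response (not real scan output).
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "url": "http://example.test/search?q=1", "param": "q", "cweid": "79"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "url": "http://example.test/search?q=1", "param": "q", "cweid": "79"},  # duplicate
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://example.test/login", "param": "user", "cweid": "89"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "confidence": "Medium",
     "url": "http://example.test/", "param": "X-Content-Type-Options", "cweid": "693"},
    {"alert": "Information Disclosure - Suspicious Comments", "risk": "Informational",
     "confidence": "Low", "url": "http://example.test/app.js", "param": "", "cweid": "200"},
]

if __name__ == "__main__":
    # Replace SAMPLE_ALERTS with run_scan("http://example.test") against a live ZAP daemon.
    for a in triage(SAMPLE_ALERTS):
        print(f"{a['risk']:<13} CWE-{a['cweid']:<4} {a['alert']}  [{a['url']} param={a['param']!r}]")
    print(risk_counts(SAMPLE_ALERTS))
    raise SystemExit(1 if should_fail(SAMPLE_ALERTS) else 0)
```

`run_scan` only works against a ZAP daemon you control and a target you are authorised to test; the active scan sends real attack payloads. `triage` deduplicates on (alert name, URL, parameter) because ZAP raises one alert per piece of evidence, so a single reflected parameter can produce several identical rows in the Alerts tab, and `should_fail` is the gate you would call at the end of a pipeline stage.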

The Heads Up Display (HUD) is a newer interface that provides access to ZAP functionality directly in the browser. It overlays alert indicators and scan tools on the pages themselves as you browse the target website, so you can see the findings for each page without switching back to the ZAP desktop window.



There is a good guide available for using ZAP; just click Learn More on the welcome screen.



*As per my last blog, in future we will discuss Vulnerability Assessment (VA) tools one by one. If you have any questions, you can ask me in the comments section and follow my blog for cyber security tools and discussion.








