The Zed Attack Proxy (ZAP) is developed by the Open Web Application Security Project (OWASP), a non-profit focused on software security. ZAP is a web application assessment tool written in Java. To automate the discovery of links and content in a web application, ZAP uses crawlers; a crawler is a program that automatically searches documents on the Web. ZAP uses its position between the user's browser and the web application to intercept and inspect user requests, modify their contents if required, and then forward them to the web server.
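The intercept, inspect, modify and forward step described above, as an added illustration written for this post (not ZAP's own code): a minimal Python model of that pipeline run over a constructed browser request. The Request class, the function names and the X-Scanner header are this example's own.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict          # names stored lower-cased (HTTP names are case-insensitive)
    body: bytes
    alerts: list = field(default_factory=list)

def parse_request(raw: bytes) -> Request:
    # Split a raw HTTP/1.1 request from the browser into its parts.
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, version, headers, body)

def inspect(req: Request) -> Request:
    # Passive checks the proxy runs before the request leaves the tester's machine.
    for name in parse_qs(urlsplit(req.target).query):
        if name.lower() in ("password", "passwd", "pwd", "token"):
            req.alerts.append(f"sensitive parameter in URL query: {name}")
    if req.target.startswith("http://") and "authorization" in req.headers:
        req.alerts.append("credentials sent over cleartext HTTP")
    return req

def modify(req: Request, extra: dict) -> Request:
    # Rewrite step: set headers, drop the hop-by-hop header the browser aimed at the proxy.
    for name, value in extra.items():
        req.headers[name.lower()] = value
    req.headers.pop("proxy-connection", None)
    return req

def serialize(req: Request) -> bytes:
    # The bytes the proxy forwards to the web server.
    start = f"{req.method} {req.target} {req.version}\r\n"
    hdrs = "".join(f"{k}: {v}\r\n" for k, v in req.headers.items())
    return (start + hdrs + "\r\n").encode("iso-8859-1") + req.body

def proxy_pass(raw: bytes) -> Request:
    # Intercept, inspect, modify; the caller then forwards serialize(result) upstream.
    return modify(inspect(parse_request(raw)), {"X-Scanner": "intercept-demo"})

# Constructed sample request, as a browser would send it through the proxy.
SAMPLE = (b"GET http://app.example/login?user=bob&password=hunter2 HTTP/1.1\r\n"
          b"Host: app.example\r\nAuthorization: Basic Ym9iOmh1bnRlcjI=\r\n"
          b"Proxy-Connection: keep-alive\r\n\r\n")
```

Running `proxy_pass(SAMPLE)` yields two alerts for the tester (a password in the URL query and Basic credentials over plain HTTP) while the forwarded request gains the tag header and loses Proxy-Connection.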
ZAP also includes an automated vulnerability scan engine. It will scan a web application and determine whether it has common vulnerabilities such as cross-site scripting, injection vulnerabilities and input validation issues. ZAP also determines whether the web application server exposes non-secure files and directories, and it shows you insecure permissions and other configuration problems.
Following are some screenshots of ZAP, which we used to perform a web application scan. We used a Kali Linux environment for this scanning.
Clicking on each alert displayed in that window shows the detected vulnerability in the Information Window on the right side. You can also check the response of a web page by clicking on the Response tab: you see the contents of the header and body of the response, and any alert generated will be highlighted.
The Heads Up Display (HUD) is a new and innovative interface that provides access to ZAP functionality directly in the browser. It provides alert indicators and scan tools within the browser for use as you open pages within a website.
There is a good guide available for using ZAP; just click on "learn more".
*As per my last blog, in future we will discuss Vulnerability Assessment (VA) tools one by one. If you have any questions, you can ask me in the comments section and follow my blogs for cyber security tools and discussion.