Read: Class 37 Automated AppSec with ZAP
Getting Started with Zed Attack Proxy
What are the three common stages of the Penetration Testing process and what tasks are performed at each one?
- Explore - The tester attempts to learn about the system by determining what software is in use, what endpoints exist, what patches are installed, etc.
- Attack - The tester attempts to exploit known or suspected vulnerabilities to prove they exist.
- Report - The tester reports the results of testing including vulnerabilities found, how difficult exploits were, and severity.
A "man-in-the-middle proxy" sits between the browser and web application. It intercepts and inspects the requests and responses between them, modifies them if needed, and then forwards them on. In non-technical terms, it's like an intermediary that can listen in on and potentially alter the communication.
The traditional ZAP spider - It discovers links by examining the HTML in responses. It is fast but not effective for AJAX applications.
The AJAX spider - It explores by invoking browsers to follow JavaScript-generated links. It is slower, requires more configuration, and is better suited for AJAX applications.
The traditional spider is best suited for traditional web applications that generate links in HTML. The AJAX spider works better for AJAX web applications that generate links using JavaScript.
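Added example (not from the reading and not ZAP's own code): a simplified model of an HTML-parsing spider, run over two constructed pages, showing why it finds links written in the markup but none when the links are built by JavaScript at run time. The page contents, the `example.test` base URL, the function and class names, and the choice of `href`/`action` attributes are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample pages (not taken from any real site).
STATIC_PAGE = """<html><body>
<a href="/products">Products</a>
<a href="cart.html">Cart</a>
<form action="/search" method="get"><input name="q"></form>
</body></html>"""

AJAX_PAGE = """<html><body>
<div id="nav"></div>
<script>
  var nav = document.getElementById("nav");
  ["orders", "profile"].forEach(function (name) {
    var a = document.createElement("a");
    a.href = "/app/" + name;   // link exists only after the script runs
    nav.appendChild(a);
  });
</script>
</body></html>"""


class LinkExtractor(HTMLParser):
    """Collects URLs found in href/action attributes of the raw markup."""

    URL_ATTRS = {"href", "action"}  # assumed attribute set for this model

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                url = urljoin(self.base_url, value)
                if url not in self.links:
                    self.links.append(url)


def html_spider_links(base_url, html):
    """Return the URLs an HTML-only spider would queue from one response."""
    parser = LinkExtractor(base_url)
    parser.feed(html)
    parser.close()
    return parser.links
```

On the AJAX page the script body is treated as text, so `/app/orders` and `/app/profile` never appear; a browser-driven crawl is needed to execute the script and see them.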