-
Notifications
You must be signed in to change notification settings - Fork 0
/
ZAP.txt
78 lines (56 loc) · 2.64 KB
/
ZAP.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
OWASP Zed Attack Proxy
---
About:
OWASP Zed Attack Proxy (ZAP) is a penetration testing tool.
---
Download from Timweb or depo.
---
Install:
Install Configure local host and port 8080
---
Web Client Browser:
Configure your browsr to send traffic to your localhost 8080.
--------------------
ZED ATTACK PROXY (ZAP):
This open source tool was developed at the Open Web Application Security Project (OWASP).
Its main goal is to allow easy penetration testing to find vulnerabilities in web applications.
It is ideal for developers and functional testers as well as security experts.
ZED ATTACK PROXY FEATURES:
- Intercepting Proxy
- Automated Scanner
- Passive Scanner
- Brute Force Scanner
- Fuzzer
- Spider
- Web Sockets
- REST API
GETTING STARTED WITH ZAP:
Clicking on quick start tab will let the user to insert a url for his/her web application
and start the attack. Once the attack is started, ZAP will crawl through his/her web
application and record all of the url's from his/her domain. However, it will skip url's
from other domains. Secondly, ZAP will run different attacks scenarios against the found
url's and record the results as well.
Configure ZAP as a proxy:
ZAP can be used as a proxy. The local web browser can be configured to be used as a proxy
while browsing a web application. This allows ZAP to record the traffic and use that traffic
for a replay attack while modifying the request parameters.
Here is how to do it:
- Activate ZAP as a proxy
- Open ZAP --> Tools --> Options --> Local Proxy
- Configure the address and port on which ZAP will listen for requests
---> Address: localhost
---> Port: 8080
- Change local browser to use this proxy: Settings --> Network --> Proxy Settings
The browser now can be used to access the web application. ZAP will automatically record
the traffic. In the "Sites" window, all websites and requests that ZAP recorded will be
displayed. Right click on a single site and a user should be able to configure ZAP to
attack the found URLs.
Integrating ZAP with your continuous delivery lifecycle:
Overall, ZAP is a great tool to be used when doing penetration testing. ZAP also can be
integrated in continuous delivery/delivery lifecycle using Jenkins. To automate the
penetration testing, there need to be automated acceptance tests that drive the web
application. Tests can be written using jBehave or Cucumber. The following diagram shows
the setup; also, ZAP needs to be configured as a proxy to record the traffic of a web
browser. jBehave/Cucumber --> Browser --> ZAP --> Web application. After using the previous
diagram to run intrusion tests, you will get multiple results and some of them should be
fixed.