OWASP ZAP

The OWASP Zed Attack Proxy (better known as ZAP) is a free, open-source security tool that you can use to find security vulnerabilities in web applications.

OWASP: Open Web Application Security Project

How it works:

ZAP runs as an intercepting proxy: you point your browser at it, and all traffic between the browser and the web application passes through ZAP, which can record and modify every request and response. On top of the proxy it has a passive scanner, which inspects the traffic it sees without sending anything extra, and an active scanner, which sends its own attack requests to the pages it has discovered in order to find vulnerabilities in your website.
Workflows


This is a live scanning screenshot from when I tried to attack this very blog. It seems that Google's blogs are pretty well secured, although 1 medium-level threat and 6 low-level threats were found.
ZAP can also generate a report documenting the threats (alerts) it found.

Here is the report that was generated when I scanned this very blog. It seems to be very secure, having 2 medium-level threats and 6 low-level threats.

The following are the different kinds of attack that we can launch through this tool:

  • Quick Attack: This lets you test an application with ZAP in the quickest way possible. Under the Quick Start tab, enter the URL in the 'URL to attack' field and click the 'Attack' button. ZAP will use its spider to crawl the application, passively scanning every page it discovers, and will then use the active scanner to attack all of those pages. This is a useful way to perform an initial assessment of an application, but because it is unauthenticated and only follows plain HTML links, it will miss anything behind a login or generated by JavaScript.
  • Spider: It is used to automatically discover new resources/URLs on your website. It requests each URL it knows about, extracts the hyperlinks from the response and adds them to the list of URLs to visit. The classic spider only parses HTML; pages reached through JavaScript need the AJAX Spider, which drives a real browser.
  • Active Scan: It is used to find potential vulnerabilities by sending known attacks against the selected targets. Its targets are the URLs already in the Sites tree, which are typically populated by the spider or by browsing the site through the proxy, so an active scan is only as thorough as the crawl that preceded it. Active scanning sends real attack payloads that can create, modify or delete data in the application, so run it only against applications you are authorised to test.
  • There are more attacks that ZAP provides, other than the ones mentioned above, such as AJAX Spider, Fuzz and Forced Browse Site.
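
The whole Quick Attack workflow (spider, then active scan, then a count of the alerts by risk level and an HTML report) can be driven without the GUI through ZAP's REST API. The script below is an added example written for this post; it is not code from the original page or from the ZAP project. It uses only the Python standard library and assumes ZAP is running in daemon mode on localhost:8080 with an API key set (for example `zap.sh -daemon -port 8080 -config api.key=changeme`); `ZAP_URL`, `API_KEY`, `TARGET` and the `SAMPLE_ALERTS` data are placeholders and constructed sample data, not real findings, and `TARGET` must be an application you are authorised to test.

```python
"""Drive OWASP ZAP's REST API: spider a target, actively scan it, summarise
the alerts by risk level (e.g. "1 medium, 6 low") and save the HTML report.

Added example for this post, not code shipped by the ZAP project.
Assumes a ZAP daemon started with:  zap.sh -daemon -port 8080 -config api.key=changeme
ZAP_URL, API_KEY and TARGET below are placeholder assumptions.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_URL = "http://127.0.0.1:8080"   # assumption: address of the ZAP daemon
API_KEY = "changeme"                # assumption: key passed via -config api.key=
TARGET = "http://localhost:3000"    # assumption: an app you are authorised to test

RISK_ORDER = ("High", "Medium", "Low", "Informational")


def api_url(component, kind, operation, **params):
    """Build a ZAP JSON API URL, e.g. /JSON/spider/action/scan/?url=...&apikey=...
    Pure string handling, no network access."""
    params["apikey"] = API_KEY
    return f"{ZAP_URL}/JSON/{component}/{kind}/{operation}/?{urllib.parse.urlencode(params)}"


def call(component, kind, operation, **params):
    """Perform one API call against the running daemon and decode the JSON body."""
    with urllib.request.urlopen(api_url(component, kind, operation, **params), timeout=30) as resp:
        return json.load(resp)


def wait_for(component, scan_id, poll_seconds=2):
    """Poll the spider or ascan 'status' view until ZAP reports 100 %."""
    while True:
        status = int(call(component, "view", "status", scanId=scan_id)["status"])
        print(f"{component} progress: {status}%")
        if status >= 100:
            return
        time.sleep(poll_seconds)


def summarize_alerts(alerts):
    """Count alerts per risk level, like the summary at the top of a ZAP report.
    `alerts` is the list under the 'alerts' key of /JSON/core/view/alerts/.
    Unknown or missing risk strings are tolerated rather than crashing the run."""
    counts = {risk: 0 for risk in RISK_ORDER}
    for alert in alerts:
        # Take the first word so variants such as "Medium (Medium)" still count as Medium.
        risk = str(alert.get("risk", "Informational")).split(" ")[0]
        counts[risk] = counts.get(risk, 0) + 1
    return counts


def run_quick_attack(target=TARGET):
    """Reproduce the Quick Attack workflow: spider -> active scan -> alert summary."""
    spider_id = call("spider", "action", "scan", url=target)["scan"]
    wait_for("spider", spider_id)
    ascan_id = call("ascan", "action", "scan", url=target)["scan"]
    wait_for("ascan", ascan_id)
    alerts = call("core", "view", "alerts", baseurl=target)["alerts"]
    return summarize_alerts(alerts)


def save_html_report(path):
    """Download the same HTML report the GUI's Report menu produces."""
    url = f"{ZAP_URL}/OTHER/core/other/htmlreport/?{urllib.parse.urlencode({'apikey': API_KEY})}"
    with urllib.request.urlopen(url, timeout=60) as resp, open(path, "wb") as fh:
        fh.write(resp.read())


# Constructed sample of what /JSON/core/view/alerts/ returns; not real findings.
SAMPLE_ALERTS = [
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": TARGET + "/"},
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "url": TARGET + "/login"},
    {"alert": "Cookie Without HttpOnly Flag", "risk": "Low", "url": TARGET + "/login"},
    {"alert": "Timestamp Disclosure", "risk": "Informational", "url": TARGET + "/"},
]

if __name__ == "__main__":
    # Offline check of the summary logic on the constructed sample.
    print(summarize_alerts(SAMPLE_ALERTS))
    # The remaining calls need a running ZAP daemon and an authorised target.
    print(run_quick_attack())
    save_html_report("zap-report.html")
```

The same spider/ascan/alerts endpoints are what ZAP's GUI and its official client libraries use, so the progress percentages and the alert counts match what you see in the Alerts tab. Before pointing this at anything other than a local test application, make sure the target is in a scope you are allowed to attack.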

    Since it is free and open source, it is a very useful tool for security testing of your own web applications.