The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them. It's also a great tool for experienced pentesters to use for manual security testing.
Main features are:
Intercepting proxy => ZAP sits between the browser and the application, so it can see (and modify) all requests and responses
Active & passive scanners => the passive scanner only inspects the traffic that passes through the proxy, while the active scanner sends its own requests and performs a wide range of attacks against the target
Spider => to find pages that are not linked from the user-visible navigation
Report Generation
Brute Force (using OWASP DirBuster code) => to discover directories and files by trying names from a wordlist
Fuzzing => to find subtle vulnerabilities that other automated scanners normally cannot find
Other interesting features are:
Auto tagging => this feature tags messages in ZAP so that we can easily see, for example, which pages have hidden fields
Port scanner => helps to see which ports are open on the machine
Parameter analysis => looks through all of the parameters in the recorded requests and shows which parameters each request uses
Smart card support => useful for testing applications that use smart cards or tokens for authentication
Session Comparison => useful when the application supports multiple roles, to compare what each role can access
External application support => to pass URLs to another application etc.
API + Headless mode => ZAP can be run without the UI in headless (daemon) mode and can be accessed via its REST API, which is useful for automated testing
Dynamic SSL certificate => ZAP supports dynamic SSL certificates: it generates a unique root certificate authority, and once the browser is configured to trust it, ZAP can intercept HTTPS traffic
Anti CSRF token handling => ZAP recognises anti Cross-Site Request Forgery (CSRF) tokens, so forms protected by them can still be tested
The recommended way to do a penetration test with ZAP is:
- Configure Browser to Proxy via ZAP
- Explore the application manually
- Use Spider to find hidden content
- See what issues were found by a passive scanner
- Use active scanner to find vulnerabilities
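The same workflow (spider, wait for the passive scanner, optionally run the active scanner, then collect the alerts) can be driven from a script through the REST API mentioned under "API + Headless mode". The following is an added example, not code from the original post or from the ZAP project itself. It assumes a ZAP daemon is listening on `ZAP_BASE` with the API key `ZAP_API_KEY` (both placeholders), and uses only the standard library so that the alert-summary and CI-gate logic can also be exercised offline on the constructed `SAMPLE_ALERTS` response.

```python
# Added example (not from the original post or the ZAP project): driving the
# ZAP workflow described above through the REST API in headless/daemon mode.
# Assumes ZAP is listening on ZAP_BASE with the API key ZAP_API_KEY; both are
# placeholders to be replaced with your own values.
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"      # assumed ZAP daemon address
ZAP_API_KEY = "changeme-api-key"        # placeholder: the key ZAP was started with

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def zap_api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL, e.g. /JSON/spider/action/scan/?apikey=...&url=...

    kind is "action" or "view"; params become query-string parameters.
    """
    query = {"apikey": ZAP_API_KEY, **params}
    path = f"/JSON/{component}/{kind}/{name}/"
    return f"{ZAP_BASE}{path}?{urllib.parse.urlencode(query)}"


def zap_call(component, kind, name, **params):
    """Perform one API call and return the decoded JSON body (needs a live ZAP)."""
    with urllib.request.urlopen(zap_api_url(component, kind, name, **params), timeout=30) as resp:
        return json.load(resp)


def wait_for_scan(component, scan_id, poll_seconds=2):
    """Poll the spider or ascan status view until it reports 100 percent."""
    while True:
        status = zap_call(component, "view", "status", scanId=scan_id)["status"]
        if int(status) >= 100:
            return
        time.sleep(poll_seconds)


def summarize_alerts(alerts_payload):
    """Count alerts by risk level and collect the distinct alert names per level.

    alerts_payload is the dict returned by core/view/alerts.
    """
    summary = {risk: {"count": 0, "names": set()} for risk in RISK_ORDER}
    for alert in alerts_payload.get("alerts", []):
        risk = alert.get("risk", "Informational")
        bucket = summary.setdefault(risk, {"count": 0, "names": set()})
        bucket["count"] += 1
        bucket["names"].add(alert.get("alert") or alert.get("name", "unknown"))
    return {risk: {"count": b["count"], "names": sorted(b["names"])}
            for risk, b in summary.items()}


def exceeds_threshold(summary, max_allowed_risk="Medium"):
    """Return True if any alert is rated above max_allowed_risk (a simple CI gate)."""
    limit = RISK_ORDER[max_allowed_risk]
    return any(RISK_ORDER.get(risk, 0) > limit and bucket["count"] > 0
               for risk, bucket in summary.items())


def scan_target(target_url, active=False):
    """Spider, wait for the passive scan queue to drain, optionally active-scan,
    then return the alert summary for the target (needs a live ZAP)."""
    scan_id = zap_call("spider", "action", "scan", url=target_url)["scan"]
    wait_for_scan("spider", scan_id)
    # the passive scanner works off a queue; wait until nothing is left to scan
    while int(zap_call("pscan", "view", "recordsToScan")["recordsToScan"]) > 0:
        time.sleep(2)
    if active:
        ascan_id = zap_call("ascan", "action", "scan", url=target_url)["scan"]
        wait_for_scan("ascan", ascan_id)
    return summarize_alerts(zap_call("core", "view", "alerts", baseurl=target_url))


# Constructed sample of a core/view/alerts response, used to exercise the
# summary and gate logic offline without a running ZAP instance.
SAMPLE_ALERTS = {
    "alerts": [
        {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://app.example/"},
        {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://app.example/login"},
        {"alert": "Cookie Without Secure Flag", "risk": "Low", "url": "http://app.example/login"},
        {"alert": "SQL Injection", "risk": "High", "url": "http://app.example/search"},
    ]
}

if __name__ == "__main__":
    result = summarize_alerts(SAMPLE_ALERTS)
    for risk, bucket in result.items():
        print(f"{risk:13s} {bucket['count']:3d}  {', '.join(bucket['names'])}")
    print("gate fails:", exceeds_threshold(result, "Medium"))
```

Only `scan_target` and its helpers talk to ZAP; `summarize_alerts` and `exceeds_threshold` work on the plain JSON the `core/view/alerts` view returns, so they can be unit-tested (as above) and dropped into a build pipeline that fails when anything above the chosen risk level is reported. Run the active scan only against applications you own or are authorised to test, since it sends attack payloads.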
References:
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project