Penetration Testing with Zed Attack Proxy

Penetration testing is a way of identifying security weaknesses in an application. Performing it manually is not easy. There are a number of automation tools to help us perform these tests, and one easy-to-use and effective tool that I have tried out is the Zed Attack Proxy (ZAP).

Some of the features are:
Automated Scanning
Port Scanner
Spider

In this blog post I will explain the basic tests that we can perform with the Zed Attack Proxy. For this task I am using a deliberately vulnerable web application deployed on a XAMPP server.

To start using the tool once it has been downloaded from the OWASP projects, we first need to unzip it and go to its home folder. Within the home folder there is a shell script called zap.sh, which we need to run to start the tool.


Once ZAP is loaded, enter the URL of the test server that you want to crawl in the field marked "URL to Attack" and click the "Attack" button. The tool will then crawl through the test application and perform different types of tests to identify possible vulnerabilities.

As shown below, the "Active Scan" tab shows all the requests generated against the application, and the "Alerts" tab lists all the areas of the application that ZAP has identified as vulnerable.



The tool also supports generating reports in many formats. Shown below is an HTML report that was generated for the test conducted.


Note: Even though this is a quick way to test, it may show false positives, and it is better to use ZAP as a proxy rather than the wizard.
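
The note above warns that the quick scan can report false positives. As an added example (not from the original post or the ZAP project), the script below sorts the alerts in a ZAP JSON report into findings to fix, findings to verify by hand, and findings already marked as false positives. It assumes the field names of ZAP's traditional JSON report (site, alerts, riskcode, confidence, instances); the sample report and the triage function are constructed for illustration.

```python
import json

# Constructed sample in the layout of ZAP's traditional JSON report (not real scan output).
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "http://localhost",
        "alerts": [
            {"alert": "SQL Injection", "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "http://localhost/app/login.php", "param": "user"}]},
            {"alert": "Cross Site Scripting (Reflected)", "riskcode": "3", "confidence": "1",
             "instances": [{"uri": "http://localhost/app/search.php", "param": "q"}]},
            {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "http://localhost/app/"}, {"uri": "http://localhost/app/a.css"}]},
            {"alert": "Path Traversal", "riskcode": "3", "confidence": "0",
             "instances": [{"uri": "http://localhost/app/view.php", "param": "file"}]},
        ],
    }]
})

# Numeric codes ZAP uses for risk and confidence (assumed from the report format).
RISK = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
CONFIDENCE = {0: "False Positive", 1: "Low", 2: "Medium", 3: "High", 4: "Confirmed"}


def triage(report_text, min_confidence=2):
    """Split alerts into ones to fix, ones to verify by hand, and dismissed ones."""
    buckets = {"fix": [], "verify": [], "dismissed": []}
    for site in json.loads(report_text).get("site", []):
        for a in site.get("alerts", []):
            risk, conf = int(a.get("riskcode", 0)), int(a.get("confidence", 0))
            row = {
                "site": site.get("@name", ""),
                "alert": a.get("alert") or a.get("name", ""),
                "risk": RISK.get(risk, str(risk)), "riskcode": risk,
                "confidence": CONFIDENCE.get(conf, str(conf)),
                # De-duplicate the affected URLs so each page is checked once.
                "urls": sorted({i.get("uri", "") for i in a.get("instances", [])}),
            }
            if conf == 0:
                key = "dismissed"          # already marked as a false positive
            elif conf < min_confidence:
                key = "verify"             # low confidence: reproduce manually first
            else:
                key = "fix"
            buckets[key].append(row)
    for rows in buckets.values():
        rows.sort(key=lambda r: (-r["riskcode"], r["alert"]))  # highest risk first
    return buckets


if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_REPORT).items():
        for r in rows:
            print(f"{bucket:9} {r['risk']:13} {r['confidence']:14} {r['alert']} ({len(r['urls'])} URL)")
```

To use it on a real scan, export the report as JSON and pass the file's contents to triage() in place of SAMPLE_REPORT.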
