testing:penetration_testing_with_owasp_zap [2018/09/27 15:16] cokeeffe
testing:penetration_testing_with_owasp_zap [2021/06/25 10:09] (current) – external edit 127.0.0.1
Line 1: Line 1:
 +=====OSWAP Zed Attack Proxy=====
  
 +OSWAP Zed Attack Proxy (ZAP) is a penetration testing tool. We can use it to test for vulnerabilities in applications.
 +
 +====Using ZAP====
 +
 +ZAP is very quick and easy to get up and running. Download ZAP from [[https://www.zaproxy.org/|the ZAP website]], install it and start it up.
 +
 +===Quick Scan===
 +After starting you should see a quick start page similar to this:
 +{{ :testing:zap_quick_start.png?300 |}}
 +
 +
 +This (and an application to test against) is all you need to start a quick, simple test. **N.B.: Never run penetration tests against a production application, only a test instance specifically set up for this sort of testing. Don't ever run this against another company's website either.**
 +
 +To actually start a test just enter the URL of the test application into the "URL to attack" field and click the "Attack" button with the lightning bolt icon. ZAP will explore as much of the application as it can find and report back any problems it can see. If the quick start form isn't working make sure that the application mode (in the top left) is set to "Standard Mode".
 +
 +===Results===
 +{{ :testing:zap_alerts.png?200|}}After a scan any problems found will be displayed at the bottom of the screen in the "Alerts" section, along with references for more information and suggested solutions. Alerts are colour coded by severity from red (High) to blue (Informational).
 +
 +===Browser Testing===
 +ZAP won't be able to get past the login screen on its own, but you can configure your browser to use ZAP as a proxy, allowing it to intercept and analyse requests as you explore the application in the browser yourself.
 +
 +To configure go to the Options window for ZAP and go to the Dynamic SSL Certificates section. Generate a new cert and use the Save button to export it somewhere on your file system.
 +{{ :testing:zap_options_certs.png?200 |}}
 +
 +Then go to the Local Proxies section of the options and make sure the address is set to localhost and the port to a free port (default is 8080).
 +{{ :testing:zap_options_proxy.png?200 |}}
 +
 +In your browser import the certificate you saved and set the proxy to match what you configured in ZAP. How to do this depends on your browser.
 +
 +Then just explore the application on your browser as thoroughly as you can, as you do ZAP will record all requests and continue to look for vulnerabilities.
 +{{ :testing:zap_sitemap.png?200 |}}
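Review bot: the heading and the opening sentence spell the project name "OSWAP", but the tool is the OWASP Zed Attack Proxy (the page id itself reads owasp_zap), so both "=====OSWAP Zed Attack Proxy=====" and "OSWAP Zed Attack Proxy (ZAP) is a penetration testing tool." should read "OWASP". Two further points in the Browser Testing section deserve a sentence each: the certificate generated under Dynamic SSL Certificates is a CA that lets ZAP decrypt the browser's TLS traffic, so readers should import it only into a browser profile dedicated to testing and delete it when they are done; and the Local Proxies step should say why the address is kept at localhost rather than an all-interfaces address, namely so that no other host on the network can route its traffic through the proxy while it is running.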