Questions and Solutions as screenshots : OWASP ZAP 1. Setting ZAP as an Intercepting proxy server : In options menu on home page of application, in local proxy, port number can be changed for the proxy. In network setting of browser, proxy should be enabled.
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
QuestionsandSolutionsasscreenshots:OWASPZAP
1. SettingZAPasanInterceptingproxyserver:Inoptionsmenuonhomepageofapplication,inlocalproxy,portnumbercanbechangedfortheproxy.
Innetworksettingofbrowser,proxyshouldbeenabled.
Inthehistorytab,alltherequests,responsescanbeseenwhenrequestsaremadethroughthebrowserthenandtheapplicationactsasaproxylisteningandrecordingalltherequests.Also,alertsandtagslikecookiescanbeseen.
Tocrawlawebsiteorlaunchactiveattacks,asamplewebapplicationwascreated.Thiswebapplicationrunsonjettyandisasimpleuserform
2. Crawlingyourwebapplication:Spideroptionisnowselectedafterrightclickingthewebapplication,whichcrawlsthewebsiteanddisplaysresults
Thesearetheresultsobtainedaftercrawling:
Optionsforcrawlinglikedepth,threadscanbesetupinoptionsmenu:
3. Activeattacksonwebapplicationtolookforunhandledalerts:Activescanwillscanthewebapplicationanddisplaypossiblealerts
Asexplainedintheslides,differentalertscanbecheckedinbottomleftcorner:
4. Fuzztestwebapplicationforaspecificparameter:SelectFuzztestingforyourwebapplication
Thenhighlighttheparameter,youwanttofuzzteston,likeinthebelowcaseitisusername,andselectaddpayload
Selectfilefuzzerandchoosedifferentfuzztestersavailable.Youcanchoosealltoperformextensivetestingorjustafewselectedpayloads
Youcanthenseetheresultsfordifferentpayloads.Requestsandresponsescanbeseen,anddifferentpayloadscanthusbetestedeasily.Reflectedstateindicatesthattheresponseincorrect,andthatpayloadishandledbytheapplication.
Related Documents
