Web Application Vulnerability Testing

ZAProxy

Posted by d3k0y on 2017-03-31 22:58:03

The OWASP Zed Attack Proxy (ZAP) is a pretty damn popular free security tool and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them. It's also a great tool for experienced pentesters to use for manual security testing. At its heart ZAP is an intercepting proxy: you configure your browser to connect to the web application you wish to test through ZAP, so every request and response passes through it. If required you can also configure ZAP to connect through another (upstream) proxy; this is often necessary in a corporate environment. Once you have configured ZAP as your browser's proxy, try to connect to the web application you will be testing. When you have successfully connected to your application via your browser, have a look at ZAP again. You should now see one or more lines in the Sites and History tabs.

Some of ZAP's functionality:

- Intercepting Proxy
- Traditional and AJAX spiders
- Automated scanner
- Passive scanner
- Forced browsing
- Fuzzer
- Dynamic SSL certificates
- Smartcard and Client Digital Certificates support
- Web sockets support
- Support for a wide range of scripting languages
- Plug-n-Hack support
- Authentication and session support
- Powerful REST based API
- Automatic updating option
- Integrated and growing marketplace of add-ons

Some of ZAP's characteristics:

- Open source
- Cross platform (it even runs on a Raspberry Pi!)
- Easy to install (using a multi-platform installer builder)
- Completely free (no paid for 'Pro' version)
- Ease of use a priority
- Comprehensive help pages
- Fully internationalized
- Translated into over 20 languages
- Community based, with involvement actively encouraged
- Under active development by an international team of volunteers

ZAP provides the following features:

- Active Scan
- Add-ons
- Alerts
- Anti CSRF Tokens
- API
- Authentication
- Break Points
- Contexts
- Data Driven Content
- Filters
- Globally Excluded URLs
- HTTP Sessions
- Intercepting Proxy
- Modes
- Notes
- Passive Scan
- Scan Policies
- Scope
- Session Management
- Spider
- Statistics
- Structural Modifiers
- Structural Parameters
- Tags
- Users
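The alerts ZAP raises (via its Alerts tab or the REST API listed above) are only useful once someone triages them, and in a development pipeline that usually means de-duplicating, sorting by risk and deciding whether a build should fail. The following Python script is an added example written for this post, not code from the ZAP project: the sample alert list is constructed inline and its field names (`alert`, `risk`, `confidence`, `url`, `param`, `cweid`) are assumed to follow the shape of ZAP's `core/view/alerts` JSON response; the `alerts_api_url` helper only builds the request URL for that endpoint and never contacts a running ZAP, so the script runs offline.

```python
"""Triage ZAP alerts: de-duplicate, rank by risk, and apply a build gate.

Added example for this post (not ZAP project code). The sample data below is
constructed and only mimics the shape of ZAP's core/view/alerts JSON.
"""
import json
from collections import Counter
from urllib.parse import urlencode

# Risk levels as ZAP reports them, ordered from least to most severe.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample: seven alerts against a fictional app, including one exact
# duplicate (the two reflected XSS entries) so that de-duplication is exercised.
SAMPLE_ALERTS_JSON = json.dumps({"alerts": [
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "confidence": "Medium",
     "url": "http://app.example.test/", "param": "X-Content-Type-Options", "cweid": "16"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "confidence": "Medium",
     "url": "http://app.example.test/login", "param": "X-Content-Type-Options", "cweid": "16"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "url": "http://app.example.test/search?q=test", "param": "q", "cweid": "79"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "url": "http://app.example.test/search?q=test", "param": "q", "cweid": "79"},
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "confidence": "High",
     "url": "http://app.example.test/login", "param": "session", "cweid": "614"},
    {"alert": "Absence of Anti-CSRF Tokens", "risk": "Medium", "confidence": "Medium",
     "url": "http://app.example.test/login", "param": "", "cweid": "352"},
    {"alert": "Timestamp Disclosure", "risk": "Informational", "confidence": "Low",
     "url": "http://app.example.test/", "param": "", "cweid": "200"},
]})


def alerts_api_url(zap_base, target, apikey):
    """Build the URL for ZAP's JSON core/view/alerts endpoint for one target.

    Assumption: the endpoint path and the baseurl/apikey parameters match the
    ZAP 2.x REST API. Nothing here performs the HTTP request.
    """
    query = urlencode({"baseurl": target, "apikey": apikey})
    return f"{zap_base.rstrip('/')}/JSON/core/view/alerts/?{query}"


def parse_alerts(raw_json):
    """Parse the alerts array, dropping entries with an unknown risk level."""
    data = json.loads(raw_json)
    return [a for a in data.get("alerts", []) if a.get("risk") in RISK_ORDER]


def dedupe(alerts):
    """Keep one alert per (name, url, param); scanners often report repeats."""
    seen, unique = set(), []
    for alert in alerts:
        key = (alert["alert"], alert["url"], alert.get("param", ""))
        if key not in seen:
            seen.add(key)
            unique.append(alert)
    return unique


def at_or_above(alerts, min_risk):
    """Alerts at or above min_risk, most severe first, then by name and URL."""
    floor = RISK_ORDER[min_risk]
    selected = (a for a in alerts if RISK_ORDER[a["risk"]] >= floor)
    return sorted(selected, key=lambda a: (-RISK_ORDER[a["risk"]], a["alert"], a["url"]))


def summarize(alerts):
    """Count alerts per risk level, always listing every level."""
    counts = Counter(a["risk"] for a in alerts)
    levels = sorted(RISK_ORDER, key=RISK_ORDER.get, reverse=True)
    return {level: counts.get(level, 0) for level in levels}


def build_should_fail(alerts, fail_on="Medium"):
    """CI gate: True when any de-duplicated alert is at or above fail_on."""
    return bool(at_or_above(alerts, fail_on))


def triage(raw_json, min_risk="Low"):
    """Full pass: parse, de-duplicate, summarize and list findings for review."""
    unique = dedupe(parse_alerts(raw_json))
    return {
        "unique": len(unique),
        "summary": summarize(unique),
        "findings": at_or_above(unique, min_risk),
        "fail_build": build_should_fail(unique),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS_JSON, "Medium")
    print(f"{result['unique']} unique alerts, summary: {result['summary']}")
    for finding in result["findings"]:
        print(f"[{finding['risk']}] {finding['alert']} at {finding['url']} (CWE-{finding['cweid']})")
    print("build should fail" if result["fail_build"] else "build may proceed")
```

Against a live instance you would fetch `alerts_api_url("http://localhost:8080", target, key)` and pass the response body to `triage`; the gate threshold is deliberately a parameter so a team can start at `High` and tighten it as the backlog of Medium findings is worked off.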

download @ https://github.com/zaproxy/zaproxy/releases