How well protected are your web applications? With hacking incidents and data leakage on the rise, it is now more important than ever to ask yourself this question. Security testing is the antidote: it finds the vulnerabilities in web applications so that they can be fixed.
ZAP (Zed Attack Proxy) is one such open-source tool, used for integrated penetration testing by developers and functional testers. Easy to use and simple, it offers automated scanners together with a set of tools that let you find security vulnerabilities manually.
It offers you an easy way to quickly test a web application. Enter the URL of your target application and press the 'Attack' button.
The Sites tab shows all of the URLs visited. Select any of the nodes in the tree to display the request and response for that URL in the relevant tab.
The Request tab shows the data sent by your browser for the request highlighted in either the Sites or History tab.
The Response tab shows the data sent to the browser for the request highlighted in either the Sites or History tab.
The Break tab allows you to change a request or response once it has been caught by ZAP via a break point. The elements which can be changed are: the header, hidden fields and disabled fields.
While the Break tab is not in use, its icon is shown in grey.
When a break point is hit, the tab icon changes to a red cross.
The History tab shows a list of all requests in the order in which they were made. For every request, you can see:
The request index - each request is numbered, starting at 1
The HTTP method, e.g. GET or POST
The URL requested
The HTTP response code
A short summary of what the HTTP response code means
The length of time the whole request took
Any Alerts on the request
Any Notes you have added to the request
Any Tags on the request
The Search tab allows you to search for regular expressions in all of the URLs, requests, responses, headers and fuzz results.
The Break Points tab shows all the break points that you have set. Break points can be set via the History and Sites tabs as well as the 'Add a custom HTTP break point' button on the top-level toolbar.
The Alerts tab shows the Alerts that have been raised in this session. Double-clicking an alert displays the 'Add Alert' dialog, which allows you to change the alert details.
The Active Scan tab allows you to perform an active scan on any of the sites that have been accessed.
The Spider tab shows you the set of unique URIs found by the Spider during the scans. The toolbar provides a set of buttons which allow you to start, stop, pause and resume the scan. A progress bar shows how far the scan of the selected site has progressed.
For each URI you can see:
Processed - Whether the URI was processed by the Spider or was skipped from fetching because of a rule (e.g. it was out of scope)
Method - The HTTP method, e.g. GET or POST, through which the resource should be accessed
URI - the resource found
Flags - any information about the URI (e.g. if it's a seed or why was it not processed)
The Fuzzer tab shows you the requests and responses performed when you fuzz a string.
The Params tab shows a summary of the parameters a site uses. Sites can be selected via the toolbar or the Sites tab.
The HTTP Sessions tab shows you the set of identified HTTP sessions for each Site, as detected by the HTTP Sessions extension.
The Cache Control rule checks the headers of secure pages and reports an alert if they allow a browser to cache the page.
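To make the idea behind that rule concrete, here is an added example (not ZAP's own rule code) that runs the same kind of check over a handful of constructed HTTPS responses. The condition it applies is this example's assumption: a secure page is treated as cacheable unless its Cache-Control header carries no-store, and an explicit public directive is reported as well; plain-http URLs are out of scope. The hostnames and header values are constructed, not captured traffic.

```python
"""Constructed example: report HTTPS responses whose headers let a browser cache the page.

This is not ZAP's rule implementation. The condition used here (Cache-Control
must contain no-store) is an assumption made for the example.
"""


def _cache_control_directives(value: str) -> set[str]:
    """Split a Cache-Control value into its directive names, lower-cased,
    dropping any '=value' part (e.g. 'max-age=3600' -> 'max-age')."""
    return {part.split("=", 1)[0].strip().lower()
            for part in value.split(",") if part.strip()}


def cache_findings(url: str, headers: dict[str, str]) -> list[str]:
    """Return the reasons a secure page may be cached by the browser.

    An empty list means the response passed. Non-HTTPS URLs are out of scope
    and always return an empty list, mirroring the rule's focus on secure pages.
    """
    if not url.lower().startswith("https://"):
        return []
    # HTTP header names are case-insensitive, so normalise before looking them up.
    lowered = {name.lower(): value for name, value in headers.items()}
    reasons: list[str] = []
    cache_control = lowered.get("cache-control")
    if cache_control is None:
        reasons.append("Cache-Control header missing")
    else:
        directives = _cache_control_directives(cache_control)
        if "no-store" not in directives:
            reasons.append("Cache-Control lacks no-store")
        if "public" in directives:
            reasons.append("Cache-Control explicitly marks the response public")
    return reasons


def scan_responses(responses):
    """Run the check over (url, headers) pairs; return {url: reasons} for failures only."""
    results = {}
    for url, headers in responses:
        reasons = cache_findings(url, headers)
        if reasons:
            results[url] = reasons
    return results


# Constructed sample responses (hostnames and headers are made up for the example).
SAMPLE_RESPONSES = [
    ("https://app.example.test/account",
     {"Content-Type": "text/html",
      "Cache-Control": "no-store, no-cache, must-revalidate",
      "Pragma": "no-cache"}),
    ("https://app.example.test/statement.pdf",
     {"Content-Type": "application/pdf",
      "cache-control": "public, max-age=3600"}),   # lower-case header name on purpose
    ("https://app.example.test/profile",
     {"Content-Type": "text/html"}),               # no Cache-Control at all
    ("http://app.example.test/",
     {"Content-Type": "text/html"}),               # plain http: out of scope
]

if __name__ == "__main__":
    for flagged_url, why in scan_responses(SAMPLE_RESPONSES).items():
        print(flagged_url)
        for reason in why:
            print("  -", reason)
```

Running the block prints the two flagged responses (the PDF statement and the profile page) with the reason for each; the account page, which sends no-store, and the plain-http page produce no finding.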
The AJAX Spider tab shows you the set of unique URIs found by the AJAX Spider.
The WebSockets tab displays all messages from WebSocket connections. While ZAP is active, visit e.g. Mozilla's Browser Quest to see WebSockets in action.
The Forced Browse tab allows you to perform a browse scan on any of the sites that have been accessed.