How well protected are your web applications? With hacking incidents and data leakage on rise, it is now more important than ever to ask yourself this question. Hence, security testing is the perfect antidote to fixing the vulnerabilities found in web applications.
ZAP (Zed Attack Proxy) is one such open source tool used for integrated penetration testing done by developers and functional testers. An easy to use and simple tool, it offers automated scanners and a set of tools which allow you to find security vulnerabilities manually.
Quick Start
It offers you an easy way to quickly test a web application. Enter the URL of your target application and press the 'Attack' button.
Sites Tab
It shows all of the URLs visited – Select any of the nodes in the tree to display the request and response for that URL in the relevant tab.
Request Tab
It shows the data sent by your browser for the request highlighted in either the Sites or History tab.
Response Tab
It shows the data sent to the browser for the request highlighted in either the Sites or History tab.
Break Tab
It allows you to change a request or response when it has been caught by ZAP via a breakpoint. The elements which can be changed are : The header, hidden fields, disabled fields.
While the Break tab is not in use it will be in grey colour: X
When a break point is hit the tab icon is changed to a red cross: :X
History Tab:
It shows a list of all requests in the order which they were made. For every request, you can see:
The request index - Each request is numbered, starting at 1
The HTML method, e.g. GET or POST
The URL requested
The HTTP response code
A short summary of what the HTTP response code means
The length of time the whole request took.
Any Alerts on the request.
Any Notes you have added to request
Any Tags on the request
Search Tab
It allows you to search for regular expressions in all of the URLs, requests, responses, headers and fuzz results.
Break Points tab
It shows all the break points that you have set. It can be set via the History and Sites tabs as well as the 'Add a custom HTTP break point' button on the top level toolbar.
Alerts tab
It shows the Alerts that have been raised in this session.Double clicking an alert will display the ‘Add Alert dialog’ which will allow you to change the alert details.
Active Scan tab
It allows you to perform an active scan on any of the sites that have been accessed.
Spider tab
It shows you a set of unique URIs found by the Spider during the scans.The toolbar provides a set of buttons which allow you to start, stop, pause and resume the scan. A progress bar shows how far the scan of the selected site has progressed.
For each request you can see:
Processed - Whether the URI was processed by the Spider or was skipped from fetching because of a rule (e.g. it was out of scope)
Method - The HTTP method, e.g. GET or POST, through which the resource should be accessed
URI - the resource found
Flags - any information about the URI (e.g. if it's a seed or why was it not processed)
Fuzzer tab
The Fuzzer tab shows you the requests and responses performed when you fuzz a string.
Params tab
This shows a summary of the parameters a site uses. Sites can be selected via the toolbar or the Sites tab.
Http Sessions tab
This tab shows you the set of identified HTTP sessions for each Site, as detected by the HTTP Sessions extension.
Active Scan Rules
This rule checks the headers of secure pages and reports an alert if they allow a browser to cache the page.
AJAX Spider tab
The AJAX Spider tab shows you the set of unique URIs found by AJAX Spider:
WebSocket tab
The WebSockets tab displays all messages from WebSocket connections. While ZAP is active, visit e.g.: Mozilla's Browser Quest to see WebSockets in action.
Forced Browse tab
The Forced Browse tab allows you to perform a browse scan on any of the sites that have been accessed.
