How well protected are your web applications? With hacking incidents and data leaks on the rise, it is more important than ever to ask yourself this question. Security testing is how you find and fix the vulnerabilities in your web applications.
ZAP (Zed Attack Proxy) is one such open-source tool, used for integrated penetration testing by developers and functional testers. Simple and easy to use, it offers automated scanners as well as a set of tools that let you find security vulnerabilities manually.
It offers an easy way to quickly test a web application: enter the URL of your target application and press the ‘Attack’ button.
The Break tab allows you to change a request or response once ZAP has caught it at a breakpoint. The elements that can be changed are the header, hidden fields and disabled fields.
While the Break tab is not in use it is shown in grey.
It shows a list of all requests in the order in which they were made. For every request you can see:
The request index – Each request is numbered, starting at 1
The HTTP method, e.g. GET or POST
The URL requested
The HTTP response code
A short summary of what the HTTP response code means
The length of time the whole request took
Any Alerts on the request
Any Notes you have added to the request
Break Points tab
Active Scan tab
It shows you the set of unique URIs found by the Spider during the scan. The toolbar provides buttons that allow you to start, stop, pause and resume the scan, and a progress bar shows how far the scan of the selected site has progressed.
For each request you can see:
Processed – Whether the URI was processed by the Spider or skipped because a rule excluded it (e.g. it was out of scope)
Method – The HTTP method, e.g. GET or POST, through which the resource should be accessed
URI – the resource found
The Fuzzer tab shows you the requests and responses performed when you fuzz a string.
Http Sessions tab
Active Scan Rules
AJAX Spider tab
Forced Browse tab