QuestionsandSolutionsasscreenshots:OWASPZAP
1. SettingZAPasanInterceptingproxyserver:Inoptionsmenuonhomepageofapplication,inlocalproxy,portnumbercanbechangedfortheproxy.
Innetworksettingofbrowser,proxyshouldbeenabled.
Inthehistorytab,alltherequests,responsescanbeseenwhenrequestsaremadethroughthebrowserthenandtheapplicationactsasaproxylisteningandrecordingalltherequests.Also,alertsandtagslikecookiescanbeseen.
Tocrawlawebsiteorlaunchactiveattacks,asamplewebapplicationwascreated.Thiswebapplicationrunsonjettyandisasimpleuserform
2. Crawlingyourwebapplication:Spideroptionisnowselectedafterrightclickingthewebapplication,whichcrawlsthewebsiteanddisplaysresults
Thesearetheresultsobtainedaftercrawling:
Optionsforcrawlinglikedepth,threadscanbesetupinoptionsmenu:
3. Activeattacksonwebapplicationtolookforunhandledalerts:Activescanwillscanthewebapplicationanddisplaypossiblealerts
Asexplainedintheslides,differentalertscanbecheckedinbottomleftcorner:
4. Fuzztestwebapplicationforaspecificparameter:SelectFuzztestingforyourwebapplication
Thenhighlighttheparameter,youwanttofuzzteston,likeinthebelowcaseitisusername,andselectaddpayload
Selectfilefuzzerandchoosedifferentfuzztestersavailable.Youcanchoosealltoperformextensivetestingorjustafewselectedpayloads
Youcanthenseetheresultsfordifferentpayloads.Requestsandresponsescanbeseen,anddifferentpayloadscanthusbetestedeasily.Reflectedstateindicatesthattheresponseincorrect,andthatpayloadishandledbytheapplication.
Top Related