Security
  • IT Security Knowledge Base
  • Blue team
    • Linux System Hardening
    • Phishing Analysis
    • Snort
    • Yara
  • Capture the Flag
    • OverTheWire
      • Bandit
        • Bandit Level 0
        • Bandit Level 0 → Level 1
        • Bandit Level 1 → Level 2
        • Bandit Level 2 → Level 3
        • Bandit Level 3 → Level 4
        • Bandit Level 4 → Level 5
        • Bandit Level 5 → Level 6
        • Bandit Level 6 → Level 7
        • Bandit Level 7 → Level 8
        • Bandit Level 8 → Level 9
        • Bandit Level 9 → Level 10
        • Bandit Level 10 → Level 11
        • Bandit Level 11 → Level 12
        • Bandit Level 12 → Level 13
        • Bandit Level 13 → Level 14
        • Bandit Level 14 → Level 15
        • Bandit Level 15 → Level 16
        • Bandit Level 16 → Level 17
        • Bandit Level 17 → Level 18
        • Bandit Level 18 → Level 19
        • Bandit Level 19 → Level 20
        • Bandit Level 20→ Level 21
        • Bandit Level 21→ Level 22
        • Bandit Level 22 → Level 23
        • Bandit Level 23 → Level 24
        • Bandit Level 24 → Level 25
        • Bandit Level 25 → Level 26
        • Bandit Level 26 → Level 27
        • Bandit Level 27 → Level 28
        • Bandit Level 28 → Level 29
        • Bandit Level 29 → Level 30
        • Bandit Level 30 → Level 31
        • Bandit Level 31 → Level 32
        • Bandit Level 32 → Level 33
    • OWASP Juice Shop
      • Installation
      • Level 1 - Challenges
      • Level 2 - Challenges
    • TryHackMe Rooms
      • Anthem
      • Capture!
      • Corridor
      • Gotta Catch'em All!
      • Mustacchio
      • Neighbour
      • Opacity
      • Source
    • CEH v12 practical resources
  • Cryptology
    • CryptoHack
      • Course: Introduction to CryptoHack
        • Introduction - Challenges
        • General - Encoding
        • General - XOR
      • Course: Modular Arithmetic
        • General - Mathematics
        • Mathematics - Modular Math
        • Mathematics - Brainteasers Part 1
      • Course: Symmetric Cryptography
        • How AES Works
        • Symmetric Starter
        • Block Ciphers
        • Stream Ciphers
  • Red Team
    • Reconnaissance
      • Foot-printing
      • Scanning (Nmap)
      • Enumeration
    • Vulnerability Analysis
    • Initial Access
      • Obtaining credentials
      • Vulnerability Exploitation
        • Buffer Overflow
        • Metasploit and Armitage
        • Ninja Jonin
    • Active Directory
      • Connect to AD
      • AD Explore
      • CMD and PowerShell enumeration
      • Certificates in AD
      • LDAP Pass-back Attacks
      • Cracking NetNTLM Challenge with Responder
      • Exploring Configuration Files for AD Credentials
      • Pass the hash with evil WinRM
      • Understanding Runas
    • Malware
    • Sniffing
      • Intercept HTTP traffic - Hetty
      • Intercept HTTP traffic - Bettercap
      • Wireshark
    • Social Engineering
    • Denial of Service
    • Web Hacking
      • Burp Suite
      • OWASP ZAP
      • Web servers
      • Web Server Footprinting
      • Directory Enumeration
      • Session Hijacking
      • Web Shells
      • Web vulnerability scanners
      • SQL Injection
    • Cloud
    • Wireless Networks
      • Attacking WEP
      • Attacking WPA/WPA2
    • Mobile Devices
    • Network Security Evasion
    • Privileges Escalation
    • Maintain Access and Hide Malicious Activity
      • Backdooring
    • Cover your Tracks
  • Internet of Things
    • IoT in general
    • Common IoT Protocols
      • CoAP
      • MQTT
      • ZIGBEE
      • Bluetooth
    • Scapy
      • Sniffing and spoofing
      • ARP cache Poisoning
  • Projects
    • Cybersecurity Roadshow
Powered by GitBook
On this page
  • Features
  • Perform Web Spidering
  1. Red Team
  2. Web Hacking

OWASP ZAP

ZAP is an open-source security testing tool developed by OWASP. It is designed for finding security vulnerabilities in web applications during development and testing.

ZAP is well-supported by the OWASP community, and it's designed to be an open-source, collaborative tool for web application security testing.

Features

Automated Scanning: ZAP includes an automated scanner that identifies common vulnerabilities like XSS, SQL injection, and CSRF.

Active and Passive Scanning: ZAP can passively monitor traffic and actively scan for vulnerabilities in web applications.

Spider: It has a spidering tool that navigates through a website, discovering and mapping its structure for further testing.

Fuzzer: ZAP offers a fuzzer for automated testing of input fields with various payloads to discover vulnerabilities.

Session Management: ZAP can be used to manage and manipulate user sessions, which is useful for security testing.

Perform Web Spidering

In this process, we will employ OWASP ZAP to conduct web spidering on the target website. Attackers often resort to web spidering or crawling to uncover concealed content and functionality not accessible through the visible main content. This technique can be exploited to manipulate user privileges within the application, retrieve backup copies of live files, access configuration and log files with sensitive data, access backup archives containing file snapshots from the web root, and discover new functionality not directly linked to the main application.

Launch OWASP ZAP by opening your terminal or command prompt and typing zapproxy

After hitting Enter, the OWASP ZAP main window will appear.

Under the "Quick Start" tab, select the "Automated Scan" option found in the "Welcome to OWASP ZAP" section.

The "Automated Scan" wizard will open. In the "URL to attack" field, input the target website. Leave the other settings as default and click the "Attack" button.

OWASP ZAP will commence scanning the target website, and you can monitor the progress with various URLs listed under the "Spider" tab.

Once web spidering is complete, OWASP ZAP proceeds to active scanning. You can navigate to the "Active Scan" tab to observe the scanned links.

Upon the active scan's conclusion, the results will be displayed under the "Alerts" tab, revealing vulnerabilities and issues associated with the target website.

To view the web spidering information, click on the "Spider" tab at the lower section of the window. By default, the "URLs" tab will appear within the "Spider" tab.

For more detailed information about the URLs obtained during web spidering, navigate to the "Messages" tab under the "Spider" tab.

PreviousBurp SuiteNextWeb servers

Last updated 1 year ago