
ZAP can be launched by going to your terminal and typing the following:

owasp-zap

You will see many lines of log output appearing in your terminal, and a window will
pop up with the ZAP tool. You may first see a window listing updates for the various
add-ons used by ZAP. Simply click the “Update All” button at the bottom right of the
screen to update them all, then click Close. You will then be presented with the
ZAP tool.

With the target server running, we will perform an initial scan of it. Click Quick
Scan in the window at the top right of the tool. Enter the following URL as the
target of the attack:

http://10.10.16.168/

Once this is typed in, click the Attack button at the bottom.

Once the Attack button is pressed, the scan begins. You will see a number of POST
and GET requests being sent from ZAP to the specified server. A status bar also
shows how far through the scan the tool is.

When the attack is finished, ZAP will display an Alerts tab. This tab will display
all vulnerabilities and potential security issues found by the scan.

The most severe findings are listed at the top. In this case, the most severe
vulnerability is rated Medium. The rating of each finding can be seen by clicking
on it.

Each vulnerability category listed can be expanded, which will display each request
and response which make up the vulnerability.

For example, in this finding we can see that the robots.txt file is visible to any
user. This is a low-severity disclosure, but it matters because the file often lists
paths the site owner did not want indexed, which points anyone reading it at content
worth protecting. You can view this file by typing the following into your browser:

http://10.10.16.168/robots.txt

ZAP does a good job of detailing each finding. If you click on a specific
vulnerability, such as the robots.txt one, you will be presented with a range of
information, including the severity of the vulnerability as well as a description,
a suggested solution, and references for further reading.

After clicking on a specific vulnerability, we can also see the raw request and
response data for it at the top right of the screen.

If we navigate to the Spider tab in the bottom panel, we can see the various pages
and directories which were crawled. Both in-scope and “Out of Scope” pages are
shown here.

If we navigate to the Active Scan page, we can see all of the raw GET and POST
requests made by ZAP to the server during the scan.
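The same Quick Scan workflow (spider, then active scan, then read the alerts) can be driven through ZAP's local API instead of the GUI. The script below is an added example, not part of the original page or of ZAP itself; it assumes the python-owasp-zap-v2.4 client, ZAP listening on 127.0.0.1:8080 with an API key, and that each alert dict carries at least the 'risk' and 'alert' keys (the sample alerts at the bottom are constructed).

```python
"""Automate ZAP's Quick Scan (spider -> active scan -> alerts) via its API and
summarise the alerts most-severe-first, as the Alerts tab in the GUI does."""
import time
from collections import Counter

# ZAP's risk labels, most severe first (assumed to match the Alerts tab ordering).
RISK_ORDER = ("High", "Medium", "Low", "Informational")


def summarise_alerts(alerts):
    """Return (highest_risk, per-risk counts, alerts sorted most-severe-first).
    Each alert is a dict with at least 'risk' and 'alert' (its name), which is
    the shape zap.core.alerts() returns. Unknown risk labels sort last."""
    rank = {r: i for i, r in enumerate(RISK_ORDER)}
    ordered = sorted(alerts,
                     key=lambda a: (rank.get(a["risk"], len(RISK_ORDER)), a["alert"]))
    counts = Counter(a["risk"] for a in alerts)
    highest = ordered[0]["risk"] if ordered else None
    return highest, counts, ordered


def run_quick_scan(target, apikey, proxy="http://127.0.0.1:8080", poll=2):
    """Spider and then actively scan `target` through a running ZAP instance.
    Requires the python-owasp-zap-v2.4 package (assumption: ZAP on `proxy`)."""
    from zapv2 import ZAPv2  # imported here so summarise_alerts() runs without it
    zap = ZAPv2(apikey=apikey, proxies={"http": proxy, "https": proxy})
    zap.urlopen(target)  # seed the site tree, as typing the URL into Quick Scan does
    scan_id = zap.spider.scan(target)
    while int(zap.spider.status(scan_id)) < 100:  # spider progress, 0-100
        time.sleep(poll)
    scan_id = zap.ascan.scan(target)
    while int(zap.ascan.status(scan_id)) < 100:  # the GUI's status bar
        time.sleep(poll)
    return zap.core.alerts(baseurl=target)


if __name__ == "__main__":
    # Constructed sample alerts standing in for a real run's output; replace with
    # run_quick_scan("http://10.10.16.168/", "<your-api-key>") against live ZAP.
    sample = [
        {"risk": "Informational", "alert": "robots.txt visible (sample)",
         "url": "http://10.10.16.168/robots.txt"},
        {"risk": "Medium", "alert": "Sample medium-risk finding", "url": "http://10.10.16.168/"},
        {"risk": "Low", "alert": "Sample low-risk finding", "url": "http://10.10.16.168/"},
    ]
    highest, counts, ordered = summarise_alerts(sample)
    print("Most severe risk:", highest, dict(counts))
    for a in ordered:
        print(f"[{a['risk']:<13}] {a['alert']}  {a['url']}")
```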
