ZAP: Zed Attack Proxy
Nexus scanner

ZAP is cross-platform.  It is written in Java.
Passive scanning runs automatically on every request and response that passes through ZAP.  It only
inspects traffic and never sends requests of its own, so it is safe to run against any target.
There is also an active scanner, which sends attack payloads to the target.  You should only use the
active scanner on your own web site or test environment, and only with permission.

Automated scanning is only a starting point: you should fine-tune the scan configuration and perform manual testing as well.

// What to configure
Pages to ignore (logout, and static pages that do not contain any forms); crawling the logout page
    ends the authenticated session, so exclude it from both the spider and the active scanner
Anti-CSRF tokens, so the scanner can resubmit forms with a fresh token
Session handling
Structure (single page apps)
Non-standard separators, e.g. aaa:bbb;ccc:ddd, which ZAP would otherwise treat as a single parameter
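Why the separator setting matters, as an added example that is not part of the original page or ZAP's own parser: the functions below split a raw query or body using configurable pair and key/value separators and show which injection points a scanner then sees. With the default "&" and "=" separators the value aaa:bbb;ccc:ddd is one parameter with no value; with ";" and ":" it is two parameters, each of which can be attacked. The PAYLOAD marker and the function names are this example's own.

```python
# Added example (not from the page or the ZAP project): how a parameter
# parser splits a raw value depending on the configured separators, and
# which injection points a scanner then sees. ZAP lets you set the
# key/value and pair separators per context; these functions are a
# stand-alone illustration of the idea, not ZAP's own parser.

PAYLOAD = "ZAP"  # placeholder marker standing in for an attack payload


def split_params(raw, pair_seps="&", kv_seps="="):
    """Split a raw query string or body into (name, value) pairs.

    pair_seps and kv_seps are strings of single characters, so "&;"
    means either & or ; separates pairs. A field with no key/value
    separator becomes (field, "") so it still counts as a parameter.
    """
    pairs = []
    field = ""
    for ch in raw + pair_seps[0]:  # sentinel so the last field is flushed
        if ch in pair_seps:
            if field:
                for i, c in enumerate(field):
                    if c in kv_seps:
                        pairs.append((field[:i], field[i + 1:]))
                        break
                else:
                    pairs.append((field, ""))
            field = ""
        else:
            field += ch
    return pairs


def injection_points(raw, pair_seps="&", kv_seps="="):
    """Return one (parameter name, mutated body) per parameter the parser
    found, with PAYLOAD substituted for that parameter's value. This is
    the set of requests an active scanner would send for one payload."""
    pairs = split_params(raw, pair_seps, kv_seps)
    variants = []
    for idx, (name, _) in enumerate(pairs):
        mutated = [(n, PAYLOAD if i == idx else v) for i, (n, v) in enumerate(pairs)]
        body = pair_seps[0].join(f"{n}{kv_seps[0]}{v}" for n, v in mutated)
        variants.append((name, body))
    return variants


if __name__ == "__main__":
    raw = "aaa:bbb;ccc:ddd"  # constructed sample value
    print("default separators:", injection_points(raw))
    print("custom separators: ", injection_points(raw, pair_seps=";", kv_seps=":"))
```

With the default separators the payload is appended to the whole string as if it were an empty-valued parameter, which the application never reads; with the separators the application actually uses, bbb and ddd each get their own mutated request.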

Point and shoot - the Quick Start tab
Proxy via ZAP, and then scanning
Manual penetration testing
Automated security regression tests

Vulnerability Assessment – The system is scanned and analyzed for security issues.
Penetration Testing – The system undergoes analysis and attack from simulated malicious attackers.
Runtime Testing – The system undergoes analysis and security testing from an end user.
Code Review – The system code undergoes a detailed review and analysis looking 
    specifically for security vulnerabilities.

Pentesting usually follows these stages:
Explore – The tester attempts to learn about the system being tested. This includes 
    trying to determine what software is in use, what endpoints exist, what patches are 
    installed, etc. It also includes searching the site for hidden content, known vulnerabilities, 
    and other indications of weakness.
Attack – The tester attempts to exploit the known or suspected vulnerabilities to prove they exist.
Report – The tester reports back the results of their testing, including the vulnerabilities, how 
    they exploited them and how difficult the exploits were, and the severity of the exploitation.

At its core, ZAP is what is known as an “intercepting proxy.” It stands between the tester’s browser 
and the web application so that it can intercept and inspect messages sent between browser and web 
application, modify the contents if needed, and then forward those messages on to the destination. 
In essence, ZAP can be used as a “man in the middle,” but also can be used as a stand-alone application, 
and as a daemon process (headless, driven through its API, which is how it is used for automated regression tests).
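The daemon mode and the automated security regression tests mentioned above fit together like this. The script below is an added example, not code from the page or from the ZAP project: it drives a running ZAP daemon over its JSON API using only the standard library, excludes the logout page, spiders the target, waits for the passive scan queue to drain, runs the active scanner, and then fails the build if any alert is at or above a chosen risk level. The target URL, API key and risk threshold are placeholders; the gate_alerts function is pure decision logic that can be exercised without a running ZAP.

```python
# Added example (not from the page or the ZAP project): drive a ZAP daemon
# over its JSON API from a CI job and fail the build on alerts at or above
# a chosen risk level. Start ZAP first with something like:
#   zap.sh -daemon -port 8080 -config api.key=changeme
# Target URL, API key and threshold below are placeholders.
import json
import sys
import time
import urllib.parse
import urllib.request

# ZAP reports alert risk as one of these strings.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


class ZapApi:
    """Minimal client for ZAP's JSON API: http://host:port/JSON/<component>/<view|action>/<name>/"""

    def __init__(self, base="http://127.0.0.1:8080", apikey="changeme"):
        self.base = base.rstrip("/")
        self.apikey = apikey

    def call(self, component, kind, name, **params):
        params["apikey"] = self.apikey
        url = f"{self.base}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)
        with urllib.request.urlopen(url, timeout=30) as resp:
            return json.load(resp)

    def exclude(self, regex):
        # Keep both the crawler and the attacker away from logout and other
        # state-changing pages, otherwise the session is dropped mid-scan.
        self.call("spider", "action", "excludeFromScan", regex=regex)
        self.call("ascan", "action", "excludeFromScan", regex=regex)

    def wait(self, component, scan_id, poll=2):
        # spider and ascan both expose progress as a percentage string.
        while int(self.call(component, "view", "status", scanId=scan_id)["status"]) < 100:
            time.sleep(poll)

    def scan(self, target):
        sid = self.call("spider", "action", "scan", url=target)["scan"]
        self.wait("spider", sid)
        # The passive scanner works on traffic as it arrives; drain its queue
        # before reading alerts or passive findings may be missing.
        while int(self.call("pscan", "view", "recordsToScan")["recordsToScan"]) > 0:
            time.sleep(1)
        sid = self.call("ascan", "action", "scan", url=target)["scan"]
        self.wait("ascan", sid)
        return self.call("core", "view", "alerts", baseurl=target)["alerts"]


def gate_alerts(alerts, fail_on="Medium"):
    """Return (failed, counts per risk level) for a list of ZAP alerts.

    Each alert is a dict with at least a "risk" key, as returned by
    core/view/alerts. Any alert at or above fail_on fails the gate.
    """
    counts = {level: 0 for level in RISK_ORDER}
    for alert in alerts:
        level = alert.get("risk", "Informational")
        counts[level] = counts.get(level, 0) + 1
    threshold = RISK_ORDER[fail_on]
    failed = any(RISK_ORDER.get(level, 0) >= threshold and n > 0
                 for level, n in counts.items())
    return failed, counts


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:3000/"  # placeholder target
    zap = ZapApi()
    zap.exclude(r".*logout.*")
    failed, counts = gate_alerts(zap.scan(target))
    print(counts)
    sys.exit(1 if failed else 0)
```

Run it against a test environment only, since it starts the active scanner. The threshold is deliberately separate from the API calls so the pass/fail rule can be reviewed and unit-tested on its own.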

Additional functionality is freely available from a variety of add-ons in the ZAP Marketplace, 
accessible from within the ZAP client.

When you first start ZAP, you will be asked if you want to persist the ZAP session. By default, ZAP 
sessions are always recorded to disk in a HSQLDB database with a default name and location. 
If you do not persist the session, those files are deleted when you exit ZAP.

If you choose to persist a session, the session information will be saved in the local database so you can 
access it later, and you will be able to provide custom names and locations for saving the files.

Before you can begin to run pentests with ZAP, you have to configure your browser to use ZAP as 
its proxy. By default, ZAP listens on localhost:8080. For HTTPS sites the browser must also trust 
ZAP's root CA certificate (exported from ZAP's options), otherwise it will reject the per-site 
certificates ZAP generates to intercept TLS traffic.

To switch ZAP to safe mode, click the arrow on the mode dropdown on the main toolbar to expand the 
dropdown list and select Safe Mode. In Safe Mode ZAP permits no potentially dangerous operations 
(no active scanning or attacks), so it is the right mode while you are only browsing and recording.

// To run a Quick Start test:
1. Start ZAP and click the Quick Start tab of the Workspace Window.
2. In the URL to attack text box, enter the full URL of the web application you want to attack.
3. Click the Attack button.

One way to expand and improve your testing is to change the spider ZAP is using to explore your 
web application. Quick Scan uses the traditional ZAP spider, which discovers links by examining 
the HTML in responses from the web application. This spider is fast, but it is not always effective 
when exploring an AJAX web application that generates links using JavaScript.

For AJAX applications, ZAP’s AJAX spider is likely to be more effective. This spider explores the 
web application by invoking browsers which then follow the links that have been generated. 
The AJAX spider is slower than the traditional spider and requires additional configuration for use 
in a “headless” environment.

A simple way to switch back and forth between spiders is to enable a tab for each spider in the 
Information Window and use that tab to launch scans.

1. In the Information Window, click the green plus sign (+).
2. Click Spider to create a Spider tab.
3. Repeat step 1, then click AJAX Spider to create an AJAX Spider tab.
4. Click the push-pin symbol on both the Spider and AJAX Spider tabs to pin them to the Information Window.
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License