The Zed Attack Proxy (ZAP) is an open source tool that helps developers and testers find vulnerabilities in web applications. It is maintained under the Open Web Application Security Project (OWASP). ZAP's features and capabilities support both manual and automated penetration testing. In this article I give an overview of ZAP and of the features that make it useful for any security tester.
1. Installation and configuration of ZAP

1.1 Setting up your ZAP environment

ZAP runs on a Java runtime; installers and packages for Windows, macOS and Linux are available from https://www.zaproxy.org/download/.

1.2 Introduction to the ZAP UI - Starting OWASP ZAP

The ZAP Desktop UI is composed of the following elements:
- Menu bar
- Toolbar
- Tree window (the Sites and Scripts trees)
- Workspace window (request, response and break views)
- Information window (History, Search, Alerts, Spider, Active Scan and other tabs)
- Footer
1.3 Running an automated scan

The easiest way to start using ZAP is via the Quick Start tab. Quick Start is a ZAP add-on that is installed automatically with ZAP. To run a Quick Start automated scan:
- Choose Automated Scan in the Quick Start panel.
- Enter the URL you want to test, for example https://tiki.vn/.
- Tick the "Use ajax spider" option if the site relies on JavaScript to build its pages, then click [Attack] to start the scan.

1.4 Running a manual scan

Spiders are a great way to explore the basic structure of a site, but they should be combined with manual exploration to be more effective. Spiders, for example, will only enter basic default data into forms in your web application, whereas a user can enter more relevant information which can, in turn, expose more of the web application to ZAP.

2. Adding a site to the testing scope

Configure the proxy:
- Close all active Firefox browser sessions.
- In ZAP: Tools menu -> Options -> Local Proxy -> set Address = 127.0.0.1 and Port = 8080.
- In Firefox: Tools menu -> Options -> Advanced tab -> Network -> Settings -> select Manual proxy configuration: HTTP Proxy = 127.0.0.1, Port = 8080.

Two things to check before you start browsing through ZAP. First, HTTPS sites will fail certificate validation in the browser until you export ZAP's root CA (Tools -> Options -> Dynamic SSL Certificates -> Save) and import it into the browser's trust store. Second, everything you proxy lands in the Sites tree, so right-click the site you are allowed to test and choose Include in Context; scans and scope-aware features then stay inside that context.

3. Main features
- Intercepting proxy
- Active and passive scanners
- Spider
- Report generation
- Brute force (using OWASP DirBuster code)
- Fuzzing (using fuzzdb & OWASP JBroFuzz)
- Extensibility: code.google.com/p/zap-extensions/

Additional features:
- Auto tagging
- Port scanner
- Parameter analysis
- Smart card support
- Session comparison
- Invoke external apps
- API + headless mode
- Dynamic SSL certificates
- Anti-CSRF token handling

4. ZAP add-ons
- There are a lot of add-ons in the marketplace.
- Add-ons are where much of ZAP's penetration-testing functionality comes from.
- From the toolbar, choose Manage add-ons.

5. Scanner

ZAP provides two spiders for crawling web applications: the traditional spider and the AJAX spider. If the web application is not built on AJAX, the traditional spider will be faster. ZAP then uses the active scanner to attack all of the discovered pages, functionality and parameters.

How to know if your website uses AJAX: open the browser's developer tools, watch the Network tab while you use the site, and check whether pages are filled in by XMLHttpRequest/fetch calls made from JavaScript rather than by full page loads. If they are, the traditional spider will miss that content and you should enable the AJAX spider.
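Sections 2 to 5 describe the desktop workflow, but the same steps can be driven through the "API + headless mode" listed in section 3. The script below is an added example (not code from the article or from the ZAP project): it calls ZAP's JSON API over plain HTTP to spider a target, wait for the passive scanner to catch up, run the active scan and return the alerts. It assumes ZAP is listening on 127.0.0.1:8080 (the proxy address from section 2), that the API key is exported as ZAP_API_KEY, and that the default target http://localhost:3000/ is an application you are permitted to attack; all three are assumptions to adjust.

```python
"""Drive ZAP's JSON API: spider -> passive scan drain -> active scan -> alerts.

Added example, not part of the original article or of ZAP itself. Assumes a ZAP
instance on 127.0.0.1:8080 and an API key in the ZAP_API_KEY environment
variable (Options -> API). The endpoints used (spider, pscan, ascan, core)
are ZAP's documented JSON API components.
"""
import json
import os
import sys
import time
import urllib.parse
import urllib.request
from typing import Optional

ZAP_URL = "http://127.0.0.1:8080"           # assumption: ZAP's local proxy/API address
API_KEY = os.environ.get("ZAP_API_KEY", "")   # assumption: key configured in ZAP Options -> API


def api_url(base: str, component: str, kind: str, name: str,
            params: Optional[dict] = None, api_key: str = "") -> str:
    """Build a ZAP API URL: <base>/JSON/<component>/<view|action>/<name>/?k=v&apikey=..."""
    query = dict(params or {})
    if api_key:
        query["apikey"] = api_key
    qs = urllib.parse.urlencode(query)
    return f"{base}/JSON/{component}/{kind}/{name}/" + (f"?{qs}" if qs else "")


def zap_call(component: str, kind: str, name: str, **params):
    """GET one API endpoint on the local ZAP and decode the JSON body."""
    url = api_url(ZAP_URL, component, kind, name, params, API_KEY)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def wait_for(component: str, scan_id: str, poll: float = 2.0) -> None:
    """Poll <component>/view/status until the scan reports 100 percent."""
    while True:
        status = int(zap_call(component, "view", "status", scanId=scan_id)["status"])
        print(f"  {component} progress: {status}%")
        if status >= 100:
            return
        time.sleep(poll)


def run_pentest(target: str) -> list:
    """Section 9's workflow, automated: spider, passive results, active scan, alerts."""
    # 1. Traditional spider (use the "ajaxSpider" component for AJAX-heavy sites).
    scan_id = zap_call("spider", "action", "scan", url=target, recurse="true")["scan"]
    wait_for("spider", scan_id)
    # 2. The passive scanner works off a queue; let it drain before reading alerts.
    while int(zap_call("pscan", "view", "recordsToScan")["recordsToScan"]) > 0:
        time.sleep(1)
    # 3. Active scan sends attack payloads: only against targets you are authorised to test.
    scan_id = zap_call("ascan", "action", "scan", url=target, recurse="true")["scan"]
    wait_for("ascan", scan_id)
    # 4. Every alert ZAP raised for this base URL (risk, alert name, url, param, ...).
    return zap_call("core", "view", "alerts", baseurl=target)["alerts"]


if __name__ == "__main__":
    target_url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:3000/"  # assumption
    for a in run_pentest(target_url):
        print(f"[{a['risk']}] {a['alert']} -> {a['url']} (param: {a.get('param', '')})")
```

Run it as `python zap_scan.py http://target-you-own/` with ZAP started in daemon mode (`zap.sh -daemon -port 8080`). The polling loops are deliberately simple; a real pipeline would add a timeout and a scan policy (the `scanPolicyName` parameter of `ascan/action/scan`) so the active scan does not run every rule against every parameter.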
6. Fuzzer

Fuzzing, or fuzz testing, is the process of finding security vulnerabilities in input-parsing code by repeatedly testing the parser with modified, or fuzzed, inputs. Fuzzing is the art of automatic bug finding, and its role is to find software implementation faults and identify them where possible. Refer to the ZAP fuzzing documentation for more details.

How to use the Fuzzer in ZAP:
- Right-click a request, hover on Attack and click Fuzz.
- Highlight the value you want to fuzz in the request pane (if syntax highlighting gets in the way, right-click the pane and select Syntax -> Plain).
- Click [Add] to configure the payloads for that location, start the fuzzer and examine how the server reacts to the invalid data (state, status code and response size of each fuzzed request are listed in the Fuzzer tab).

7. Alerts

An alert is a potential vulnerability and is associated with a specific request. Alerts are shown in the UI with a flag indicating the risk level: red for High, orange for Medium, yellow for Low and blue for Informational. Refer to the Alerts documentation for more details.

8. Result & report

Scan your website to find vulnerabilities. Below are four alerts with coloured flags. If the scan shows no red flag the website is in reasonable shape; red flags should be fixed as soon as possible. Bear in mind that scanner output is only as good as its coverage: an alert is a finding to verify by hand (false positives happen), and the absence of alerts does not prove the absence of vulnerabilities. You can export reports as HTML, XML, JSON, ... I generated an HTML report; you can see the final report below.

9. A simple penetration test
- Configure your browser to proxy via ZAP
- Explore the application manually
- Use the Spider to find 'hidden' content
- See what issues the Passive Scanner has found
- Use the Active Scanner to find vulnerabilities

10. What is the difference between active and passive scan?

Active scan:
- Attacks the website using known techniques to find vulnerabilities.
- Can modify data and can insert malicious scripts into the website.
- Only run the active scan against sites you have permission to test!

Passive scan:
- Examines requests and responses as they pass through the proxy and checks them for vulnerabilities.
- Cannot modify your website data.
- Be aware that it cannot detect even a SQL injection, because that requires sending payloads to the application.
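Section 8 mentions exporting the report as JSON; in a pipeline the useful next step is to turn that file into a pass/fail decision. The script below is an added example, not code from the article or from ZAP: it flattens the `site[].alerts[]` structure of ZAP's traditional JSON report, counts alert types per risk level and fails the build when an alert at or above a chosen risk and confidence is present. `SAMPLE_REPORT` is a constructed fragment in that shape (real reports carry many more fields per alert); the risk threshold, the confidence threshold and the non-zero exit code are assumptions for the CI gate.

```python
"""Triage a ZAP JSON report: flatten alerts, count by risk, fail above a threshold.

Added example, not part of the original article or of ZAP. SAMPLE_REPORT is a
constructed fragment shaped like ZAP's traditional JSON report (site[].alerts[]
with riskcode 0-3, confidence 0-3 and instances[]). Thresholds and exit codes
are assumptions for a CI gate.
"""
import json
import sys
from collections import Counter

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

# Constructed sample report; only the fields this script reads are included.
SAMPLE_REPORT = json.dumps({
    "@programName": "ZAP", "@version": "2.x",
    "site": [{
        "@name": "https://example.test",
        "alerts": [
            {"alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2", "confidence": "3",
             "instances": [{"uri": "https://example.test/", "method": "GET", "param": ""},
                           {"uri": "https://example.test/login", "method": "GET", "param": ""}]},
            {"alert": "Cookie Without Secure Flag", "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://example.test/login", "method": "POST", "param": "session"}]},
            {"alert": "SQL Injection", "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "https://example.test/search?q=1", "method": "GET", "param": "q"}]},
            {"alert": "Information Disclosure - Suspicious Comments", "riskcode": "0", "confidence": "1",
             "instances": [{"uri": "https://example.test/app.js", "method": "GET", "param": ""}]},
        ],
    }],
})


def load_alerts(report_json: str) -> list:
    """Flatten site[].alerts[] into one list of dicts with integer risk/confidence."""
    report = json.loads(report_json)
    rows = []
    for site in report.get("site", []):
        for a in site.get("alerts", []):
            rows.append({
                "site": site.get("@name", ""),
                "alert": a["alert"],
                "risk": int(a["riskcode"]),
                "confidence": int(a.get("confidence", "0")),
                "instances": a.get("instances", []),
            })
    return rows


def count_by_risk(rows: list) -> Counter:
    """Number of distinct alert types per risk level, e.g. {'High': 1, 'Medium': 1, ...}."""
    return Counter(RISK_NAMES[str(r["risk"])] for r in rows)


def failing_alerts(rows: list, min_risk: int = 3, min_confidence: int = 2) -> list:
    """Alerts at or above both thresholds; low-confidence hits are left for manual review."""
    return [r for r in rows if r["risk"] >= min_risk and r["confidence"] >= min_confidence]


def summarize(report_json: str, min_risk: int = 3):
    rows = load_alerts(report_json)
    return count_by_risk(rows), failing_alerts(rows, min_risk)


if __name__ == "__main__":
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    counts, failing = summarize(src)
    for level in ("High", "Medium", "Low", "Informational"):
        print(f"{level:14s} {counts.get(level, 0)}")
    for r in failing:
        for inst in r["instances"]:
            print(f"FAIL {r['alert']}: {inst['method']} {inst['uri']} param={inst['param']!r}")
    sys.exit(1 if failing else 0)   # assumption: a non-zero exit fails the pipeline
```

Gating on confidence as well as risk matters in practice: ZAP's active rules raise High-risk alerts at Low confidence fairly often, and a gate that fails on those alone trains the team to ignore it.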
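To make section 10's distinction concrete, the following added example (not code from the article or from ZAP) runs the two kinds of check against a constructed in-process stand-in for a web application. `toy_app` is deliberately weak: it reflects the `q` parameter into the page unescaped and sets no security headers; `hardened_app` is the corrected version. The passive checks only read a response the application already sent, so they can flag header and cookie hygiene but can never find the reflection; the active probe sends attacker-controlled input and does. The header rules are simplified versions of checks ZAP's passive scanner performs, not ZAP's code, and the probe strings are assumptions.

```python
"""Passive inspection vs active probing against a constructed toy application.

Added example, not part of the original article or of ZAP. toy_app/hardened_app
are constructed stand-ins for a server; the checks are simplified versions of
what ZAP's passive and active rules do.
"""
import html
import re
from urllib.parse import parse_qs, quote, urlparse

# --- constructed targets ----------------------------------------------------
def toy_app(url: str):
    """Vulnerable search page: unescaped reflection, no security headers, bare cookie."""
    q = parse_qs(urlparse(url).query).get("q", [""])[0]
    headers = {"Content-Type": "text/html",
               "Server": "Apache/2.4.49",                 # version disclosure
               "Set-Cookie": "session=abc123; Path=/"}    # no HttpOnly, no Secure
    return 200, headers, f"<html><body>Results for: {q}</body></html>"

def hardened_app(url: str):
    """Same page with output encoding and the headers the passive checks expect."""
    q = parse_qs(urlparse(url).query).get("q", [""])[0]
    headers = {"Content-Type": "text/html",
               "Content-Security-Policy": "default-src 'self'",
               "X-Content-Type-Options": "nosniff",
               "Server": "nginx",
               "Set-Cookie": "session=abc123; Path=/; HttpOnly; Secure"}
    return 200, headers, f"<html><body>Results for: {html.escape(q)}</body></html>"

# --- passive scan: look only at a response that was already captured --------
def passive_check(headers: dict) -> list:
    """Header and cookie findings derived from one captured response; nothing is sent."""
    findings = []
    if "Content-Security-Policy" not in headers:
        findings.append("CSP header not set")
    if headers.get("X-Content-Type-Options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options header missing")
    if re.search(r"/\d", headers.get("Server", "")):
        findings.append("Server leaks version information")
    cookie = headers.get("Set-Cookie", "")            # one cookie, for simplicity
    if cookie:
        name = cookie.split("=", 1)[0]
        flags = {f.strip().lower() for f in cookie.split(";")[1:]}
        if "httponly" not in flags:
            findings.append(f"cookie without HttpOnly flag: {name}")
        if "secure" not in flags:
            findings.append(f"cookie without Secure flag: {name}")
    return findings

# --- active scan: send payloads and see whether they come back intact -------
XSS_PROBES = ['<script>alert(1)</script>', '"><img src=x onerror=alert(1)>']  # assumption

def active_probe(app, base_url: str, param: str) -> list:
    """Inject each probe into `param`; a probe echoed verbatim (not HTML-escaped) is a finding."""
    for probe in XSS_PROBES:
        _status, _headers, body = app(f"{base_url}?{param}={quote(probe)}")
        if probe in body and html.escape(probe) not in body:
            return [f"reflected XSS in parameter {param!r} with probe {probe!r}"]
    return []

def scan(app, base_url: str, param: str = "q") -> dict:
    _status, headers, _body = app(base_url)           # one harmless request for the passive side
    return {"passive": passive_check(headers), "active": active_probe(app, base_url, param)}

if __name__ == "__main__":
    for label, app in (("toy_app", toy_app), ("hardened_app", hardened_app)):
        print(label)
        for mode, items in scan(app, "http://toy.test/search").items():
            print(f"  {mode}: {items or 'no findings'}")
```

Note what the passive side cannot see even on the vulnerable application: the reflected-XSS finding appears only in the active result, because proving it requires a request that the application's normal users would never have sent. The same holds for SQL injection, which is why the passive scanner alone cannot report it.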