OWASP ZAP Testing

Uploaded by Ali GHORBEL
1. Testing Using OWASP ZAP

In this step we start working with OWASP ZAP to scan ****** and find the vulnerabilities in our
web application. OWASP ZAP is an intercepting proxy, also known as a "man-in-the-middle
proxy": it sits between the browser and the web application and sees every request and response.
As ZAP spiders the web application it builds a map of the pages and features inside it and
records the requests it captures, then actively attacks the application with known payloads to
detect security vulnerabilities.
OWASP ZAP provides two ways to test a web application:
● Automated scan, the easy way: you only need to provide the URL you want to attack and
launch the test. ZAP spiders the target and then runs its active scanner against everything it found.
● Manual explore, an advanced mode: ZAP launches a browser preconfigured to proxy through
it and passively scans the traffic for vulnerabilities while the user navigates the web application.

In what follows we use the automated scan because it fits our needs.
We started our test on the ****** website and launched the automated scan; the screenshot
below shows the OWASP ZAP user interface while it scans for vulnerabilities.

Figure 19: OWASP ZAP User Interface


Once the scan that probes the weaknesses of our website had finished, we reviewed the results
in the Alerts tab of ZAP. It groups the findings by alert and shows the risk level ZAP estimates
for each one, which helps us understand the vulnerabilities and prioritise them.

Figure 20: OWASP ZAP Alerts Feature

2. Report creation and proposed solutions

This step is the most important in the whole security testing process, as it combines two
major steps of our methodology (vulnerability analysis and reporting).
We extracted all the information provided by OWASP ZAP after the scan and created a report
containing, for each finding:
● The name of the vulnerable parameter
● A definition of the vulnerable parameter and what it is used for
● The risk level
● The potential attack and a definition of that attack
● How to fix the problem and prevent the attack
The screenshot below shows an example from the report we created:
Figure 21: Report Example
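As an added example (not part of the original report and not ZAP's own code), the following Python script performs the extraction step programmatically: it reads a ZAP report exported in the "Traditional XML" format, pulls out for each alert the vulnerable parameter(s), the risk level and confidence, ZAP's description, the attack payload ZAP sent and ZAP's suggested solution, and prints them as report rows sorted by risk. The embedded XML is a hand-constructed sample that follows the shape of ZAP's XML report (OWASPZAPReport / site / alerts / alertitem); the hostname, plugin ids and texts in it are made up, not scan results.

```python
"""Added example (not the original report's code, not ZAP's): turn a ZAP
"Traditional XML" report (OWASPZAPReport/site/alerts/alertitem) into the
per-finding report rows the section above lists. The sample XML is constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Hand-constructed sample in the shape of ZAP's XML report: made-up host, ids
# and texts. The Low alert is listed first so the risk sort is visible.
SAMPLE_ZAP_XML = """<?xml version="1.0"?>
<OWASPZAPReport programName="OWASP ZAP" version="2.14.0" generated="Mon, 1 Jan 2024 10:00:00">
  <site name="http://target.example" host="target.example" port="80" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>10021</pluginid>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <desc>The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.</desc>
        <instances>
          <instance><uri>http://target.example/</uri><method>GET</method><param>x-content-type-options</param></instance>
          <instance><uri>http://target.example/login</uri><method>GET</method><param>x-content-type-options</param></instance>
        </instances>
        <solution>Set X-Content-Type-Options: nosniff on all responses.</solution>
        <cweid>693</cweid>
      </alertitem>
      <alertitem>
        <pluginid>40012</pluginid>
        <alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <desc>User input is echoed into the page without output encoding.</desc>
        <instances>
          <instance><uri>http://target.example/search?q=test</uri><method>GET</method><param>q</param>
            <attack>&lt;script&gt;alert(1);&lt;/script&gt;</attack></instance>
        </instances>
        <solution>Validate input against an allow-list and HTML-encode output in the page context.</solution>
        <cweid>79</cweid>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""

# ZAP codes as written in <riskcode> and <confidence>.
RISK_LABELS = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
CONFIDENCE_LABELS = {0: "False Positive", 1: "Low", 2: "Medium", 3: "High", 4: "Confirmed"}
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}


@dataclass
class ReportRow:
    vulnerability: str
    parameters: list[str]  # vulnerable parameter name(s), de-duplicated
    risk: str
    confidence: str
    description: str
    attack: str            # payload ZAP sent; "n/a" for passive (header-style) findings
    fix: str
    cwe: str


def _text(el: ET.Element, tag: str) -> str:
    child = el.find(tag)
    return (child.text or "").strip() if child is not None else ""


def parse_zap_report(xml_text: str) -> list[ReportRow]:
    """One row per ZAP alert, highest risk first."""
    rows = []
    for item in ET.fromstring(xml_text).iter("alertitem"):
        instances = list(item.iter("instance"))
        params = sorted({_text(i, "param") for i in instances if _text(i, "param")})
        attack = next((_text(i, "attack") for i in instances if _text(i, "attack")), "n/a")
        rows.append(ReportRow(
            vulnerability=_text(item, "alert"),
            parameters=params,
            risk=RISK_LABELS.get(int(_text(item, "riskcode") or 0), "Unknown"),
            confidence=CONFIDENCE_LABELS.get(int(_text(item, "confidence") or 0), "Unknown"),
            description=_text(item, "desc"),
            attack=attack,
            fix=_text(item, "solution"),
            cwe=_text(item, "cweid"),
        ))
    rows.sort(key=lambda r: RISK_ORDER.get(r.risk, 99))
    return rows


def render_report(rows: list[ReportRow]) -> str:
    """Plain-text rows carrying the fields listed in the section above."""
    out = []
    for r in rows:
        out.append(f"[{r.risk} risk, {r.confidence} confidence] {r.vulnerability} (CWE-{r.cwe or '?'})")
        out.append(f"  Vulnerable parameter(s): {', '.join(r.parameters) or 'n/a'}")
        out.append(f"  Potential attack:        {r.attack}")
        out.append(f"  Problem:                 {r.description}")
        out.append(f"  Fix:                     {r.fix}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_report(parse_zap_report(SAMPLE_ZAP_XML)))
```

Two of the report fields cannot come from the scan output: the definition of the vulnerable parameter and what the application uses it for is known only to whoever understands the application, so that column stays a manual step, and a High-risk alert with Low confidence should be confirmed by hand before it is published as a finding.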
