What is Dynamic Security Analysis?
Dynamic application security testing (DAST) examines the security of an application in its running state, poking and prodding it in unexpected ways in order to discover security vulnerabilities.[1]
What is OWASP ZAP?
The OWASP Zed Attack Proxy (ZAP) is one of the most popular free security tools for dynamic analysis of web applications. ZAP is cross-platform.
OWASP ZAP can be downloaded from the official web site:
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Let's look at a practical demonstration of OWASP ZAP.
The vulnerable image that I use in this practical can be downloaded from the link below:
https://pentesterlab.com/exercises/from_sqli_to_shell
Open ZAP by typing the command "zaproxy" in a terminal; it's easier than navigating through the menu.
ZAP Dynamic Analysis
Tools->Options
Changing Browser Proxy Setting
Scanning
Right click on site link -> Include in Context -> Default Context
Right click on site -> Attack -> AJAX Spider
Right click on site -> Attack -> Spider
Right click on site -> Attack -> Active Scan
Generating Report
Report -> Generate HTML Report
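The same sequence of steps (context, AJAX spider, spider, active scan, HTML report) can also be driven through ZAP's local HTTP API instead of the GUI. The script below is an added example, not part of the original walkthrough; the ZAP address, the API key and the lab VM address are placeholders, and the `htmlreport` call assumes a ZAP release that still ships the core HTML report endpoint.

```python
import json
import time
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"     # assumption: ZAP listening on its default local address
API_KEY = "CHANGE_ME"             # placeholder: the key shown under Tools -> Options -> API
TARGET = "http://192.168.56.101"  # placeholder: address of the vulnerable lab VM

def api_url(path, **params):
    """Build a ZAP API URL such as <ZAP>/JSON/spider/action/scan/?url=..."""
    params["apikey"] = API_KEY
    return f"{ZAP}/{path}/?{urllib.parse.urlencode(params)}"

def http_get(url):
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()

def call(path, fetch=http_get, **params):
    return json.loads(fetch(api_url(path, **params)))

def wait_for(path, done, fetch=http_get, delay=2, **params):
    """Poll a ZAP status view until done(status) is true."""
    while True:
        status = call(path, fetch, **params)["status"]
        if done(status):
            return status
        time.sleep(delay)

def scan(target, fetch=http_get, delay=2):
    """Run the GUI steps in order and return the HTML report as bytes."""
    call("JSON/context/action/includeInContext", fetch,
         contextName="Default Context", regex=target + ".*")
    call("JSON/ajaxSpider/action/scan", fetch, url=target)
    wait_for("JSON/ajaxSpider/view/status", lambda s: s == "stopped", fetch, delay)
    sid = call("JSON/spider/action/scan", fetch, url=target)["scan"]
    wait_for("JSON/spider/view/status", lambda s: s == "100", fetch, delay, scanId=sid)
    aid = call("JSON/ascan/action/scan", fetch, url=target)["scan"]
    wait_for("JSON/ascan/view/status", lambda s: s == "100", fetch, delay, scanId=aid)
    # Older core endpoint; newer ZAP releases produce reports via the reports add-on.
    return fetch(api_url("OTHER/core/other/htmlreport"))

if __name__ == "__main__":
    with open("zap-report.html", "wb") as out:
        out.write(scan(TARGET))
```

The active scan sends attack traffic, so point `TARGET` only at the lab image or at an application you are authorised to test.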
Demonstrating attack
XSS exploit
SQL injection vulnerability verification
Reference
[1] https://www.veracode.com/products/dynamic-analysis-dast/dynamic-analysis