Web Security Dynamic Analysis with OWASP ZAP

What is dynamic security analysis?

Dynamic application security testing (DAST) examines the security of an application in its running state, poking and prodding it in unexpected ways in order to discover security vulnerabilities.[1]

What is OWASP ZAP?

The OWASP ZAP attack proxy is one of the most popular free security tools for dynamic analysis of web applications. ZAP is cross-platform.

The OWASP ZAP attack proxy can be downloaded from the official web site:

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Let’s look at a practical demonstration of OWASP ZAP.

The vulnerable image that I use in this practical can be downloaded from the link below:

https://pentesterlab.com/exercises/from_sqli_to_shell

1. Open ZAP by typing the command “zaproxy” in a terminal; it’s easier than navigating through the menu.

ZAP Dynamic Analysis

zap1

Tools -> Options

zap2

Changing the browser proxy settings

zap3


zap4

zap5

Scanning

Right click on the site link -> Include in Context -> Default Context

zap6

Right click on the site -> Attack -> AJAX Spider

Right click on the site -> Attack -> Spider

Right click on the site -> Attack -> Active Scan

zap8

zap9

Generating a Report

Report -> Generate HTML Report

zap scan report
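The same workflow (include the target in a context, spider it, run the active scan, collect the alerts and save the HTML report) can be scripted against ZAP's local API instead of clicked through the GUI. This is an added example and not code from the original post; it assumes the python-owasp-zap-v2.4 client (zapv2), a ZAP instance listening on 127.0.0.1:8080 with an API key, and it ships with a constructed stand-in client and made-up alerts so it also runs offline.

```python
import sys
import time
from types import SimpleNamespace
def wait_for(status_fn, scan_id, poll=2.0):
    """Poll a ZAP scan's status call until it reports 100 percent."""
    while int(status_fn(scan_id)) < 100:
        time.sleep(poll)

def run_scan(zap, target, context_name="Default Context"):
    """Include target in a context, spider it, active-scan it, return the alerts."""
    zap.context.include_in_context(context_name, target.rstrip("/") + ".*")
    zap.urlopen(target)                                   # seed the site tree
    wait_for(zap.spider.status, zap.spider.scan(target))  # Attack -> Spider
    wait_for(zap.ascan.status, zap.ascan.scan(target))    # Attack -> Active Scan
    return zap.core.alerts(baseurl=target)

def summarize(alerts):
    """Count alerts per risk level; list distinct High findings as (name, url, param)."""
    counts, highs = {}, set()
    for a in alerts:
        counts[a["risk"]] = counts.get(a["risk"], 0) + 1
        if a["risk"] == "High":
            highs.add((a["alert"], a["url"], a.get("param", "")))
    return counts, sorted(highs)

# Constructed stand-in for the zapv2 client (only the calls used above) with made-up alerts.
SAMPLE_ALERTS = [
    {"risk": "High", "alert": "SQL Injection", "url": "http://lab/cat.php", "param": "id"},
    {"risk": "High", "alert": "Cross Site Scripting (Reflected)", "url": "http://lab/cat.php", "param": "id"},
    {"risk": "Medium", "alert": "X-Frame-Options Header Not Set", "url": "http://lab/"},
    {"risk": "High", "alert": "SQL Injection", "url": "http://lab/cat.php", "param": "id"},  # duplicate
]
def fake_zap():
    done = SimpleNamespace(scan=lambda url: "1", status=lambda sid: "100")
    return SimpleNamespace(
        context=SimpleNamespace(include_in_context=lambda name, regex: "OK"),
        urlopen=lambda url: None, spider=done, ascan=done,
        core=SimpleNamespace(alerts=lambda baseurl: SAMPLE_ALERTS,
                             htmlreport=lambda: "<html>constructed report</html>"))

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real run against your own lab VM: python zapscan.py http://<lab-vm>/
        from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4; key from Tools -> Options -> API
        proxy = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
        zap, target = ZAPv2(apikey="CHANGE-ME", proxies=proxy), sys.argv[1]
    else:
        zap, target = fake_zap(), "http://lab/"  # placeholder target, offline demo
    counts, highs = summarize(run_scan(zap, target))
    with open("zap-report.html", "w", encoding="utf-8") as f:
        f.write(zap.core.htmlreport())  # same as Report -> Generate HTML Report
```

Without an argument the script runs against the stand-in client and writes a constructed report; with a target URL it drives a real ZAP instance through the proxy port set above.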

Demonstrating the attacks

XSS exploit

ex01XXS

SQL injection vulnerability verification

exploit02


Reference

[1] https://www.veracode.com/products/dynamic-analysis-dast/dynamic-analysis
