Regarding actual damage that can be done on Attack mode


999iono...@gmail.com

Aug 18, 2017, 2:27:02 AM
to OWASP ZAP User Group
IMPORTANT: You should only use ZAP to attack an application you have permission to test with an active attack. Because this is a simulation that acts like a real attack, actual damage can be done to a site’s functionality, data, etc. If you are worried about using ZAP, you can prevent it from causing harm (though ZAP’s functionality will be significantly reduced) by switching to safe mode.

I am reading the doc here, and from this paragraph above, can you tell me what kind of actual damage? Will some data in the MySQL database get corrupted, PHP files get overwritten, etc.? And if such damage is done, what are the steps to recover from ZAP?

Iono

Matt Seil

Aug 18, 2017, 2:29:45 AM
to OWASP ZAP User Group
Easier:  Assume total destruction.  Spin off an environment segregated from prod and test... a security testing environment if you will.  

Back everything up (VMware makes this cake) and nuke to your heart's content!


999iono...@gmail.com

Aug 18, 2017, 3:00:52 AM
to OWASP ZAP User Group
Can you list the things that ZAP will do in Attack Mode? What will it mainly modify?

Simon Bennetts

Aug 18, 2017, 3:15:45 AM
to OWASP ZAP User Group
First of all, don't panic :)
Running ZAP in attack mode against a production system is definitely not recommended, but hopefully any damage will be limited.
ZAP is a tool for good. It tries to find vulnerabilities _without_ deliberately causing damage, but there is always the possibility that it will cause damage.

Were you authenticated when you ran ZAP?
If so, could the user you were using do much?
Did you perform any actions that could make changes (adding, changing or removing things) to your application?

ZAP will have run attacks on the same things you did, so that's where I'd start looking.
If you were adding things in your application then ZAP will have tried things like XSS and SQL injection attacks, so you may see alert popups or SQL errors when you look at the things ZAP added.

If you didn't do much and your application does not have many vulnerabilities then you might be ok.
If you performed lots of potentially dangerous actions and your application has lots of vulnerabilities then things could be much worse.

Can you set up a safe environment and repeat roughly what you did on your production one?

Cheers,

Simon

999iono...@gmail.com

Aug 18, 2017, 4:36:31 AM
to OWASP ZAP User Group
> Were you authenticated when you ran ZAP?

No, I just installed ZAP and tried things out as written in the tutorial. I only flipped Standard Mode to Attack Mode and clicked on the "Attack" button. Then, I tried the "Active Scan". I found vulnerabilities and such listed. Other than that, no, I didn't do anything else with ZAP except all I have mentioned here.

Simon Bennetts

Aug 18, 2017, 4:45:41 AM
to OWASP ZAP User Group
Were any of the vulnerabilities considered 'high'?
As you weren't authenticated ZAP shouldn't have been able to perform any really dangerous actions .. unless your application has serious vulnerabilities.
Have you noticed any problems when using your app since the scan?
Is there any auditing of user actions, and if so can you see if anything ZAP tried was successful?

Cheers,

Simon
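Simon's suggestion to check audit trails for what the scan actually reached can be turned into a quick post-scan triage of the web server access log. This is an added example written for this thread, not code from the ZAP project: the log lines are constructed, and the payload patterns are a rough heuristic assumed for illustration, not ZAP's real payload list.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache/Nginx "combined" log format; not real traffic.
SAMPLE_LOG = r'''
10.0.0.5 - - [18/Aug/2017:02:30:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Aug/2017:02:30:02 +0000] "GET /old.php?xxx=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Aug/2017:02:30:03 +0000] "GET /item.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Aug/2017:02:30:04 +0000] "POST /comment.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Aug/2017:02:31:00 +0000] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Heuristic markers of injection-style probes (assumption: not ZAP's real payload list).
PROBE_RE = re.compile(r"<script|alert\(|'\s*or\s*'|union\s+select|\.\./|/etc/passwd", re.I)
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = unquote(entry["path"])  # decode %xx so payload patterns are visible
    return entry

def triage(log_text, scanner_ip):
    """Tally the scanner host's responses and flag requests worth a manual look."""
    flagged, by_status = [], Counter()
    for raw in log_text.strip().splitlines():
        entry = parse_line(raw)
        if entry is None or entry["ip"] != scanner_ip:
            continue
        by_status[entry["status"]] += 1
        reasons = []
        if PROBE_RE.search(entry["path"]):
            reasons.append("injection-style payload")
        if entry["method"] in STATE_CHANGING:
            reasons.append("state-changing method")  # may have created or altered data
        if entry["status"] >= 500:
            reasons.append("server error")  # e.g. an SQL error the payload triggered
        if reasons:
            flagged.append({"method": entry["method"], "path": entry["path"],
                            "status": entry["status"], "reasons": reasons})
    return {"requests": sum(by_status.values()), "by_status": dict(by_status), "flagged": flagged}
```

Flagged POST/PUT/DELETE requests are the ones to cross-check against the application's own data, since those are where ZAP could have left rows or records behind.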

999iono...@gmail.com

Aug 18, 2017, 4:58:51 AM
to OWASP ZAP User Group
I see only one vulnerability listed as high, from an unused PHP file that echoes $_GET["xxx"]. (Better remove that X_X )

I don't see any problem on my app yet.

Simon Bennetts

Aug 18, 2017, 5:54:14 AM
to OWASP ZAP User Group
Hopefully you're ok then.
Definitely remove that unused file, and remember to only run ZAP against non production sites in the future :)

Cheers,

Simon

Iono

Aug 18, 2017, 5:57:33 AM
to OWASP ZAP User Group
Thank you very much, Mr. Simon. :)