How to scan CMS admin panel?


Henry Polesinuasi

Dec 19, 2015, 4:44:58 PM
to OWASP ZAP User Group
Hello,

How do I scan content management system admin panels for vulnerabilities? When I put localhost/admin/dashboard.php and press Attack, it just scans the admin login. ZAP does not go past that login. I have created a new user and added a password, etc.


Simon Bennetts

Dec 21, 2015, 8:31:57 AM
to OWASP ZAP User Group
Have a look at this FAQ: https://github.com/zaproxy/zaproxy/wiki/FAQformauth
And ask here if you still need some help after that.

Cheers,

Simon

Henry Polesinuasi

Dec 27, 2015, 11:55:27 AM
to OWASP ZAP User Group
Thank you!

I had already fully filled in the session properties (including the user and the authentication method (form based), etc.).

When I used Quick Start it did not scan the admin panel. Even when I tried to scan admin/index.php it did not log in.

What worked for me was marking it as the login form and scanning the admin folder.

I mean, after you quick scan, the website structure is shown in ZAP:
localhost
-cms
index.php
--admin (click on the folder and scan it with the spider first)
--index.php
-- index.php with form fields like username, password, etc. (mark it as the login form; scanning this did not work)

Michael Courcy

Dec 27, 2015, 7:40:44 PM
to OWASP ZAP User Group
Hi

Doing that recently with Drupal I had the same problem. Sometimes ZAP sends 2 Cookie header lines and the server refuses to see you as "normally" logged in.

Have a look here, https://github.com/zaproxy/zaproxy/issues/1874, maybe you're in this case.

Cheers




--
Michael Courcy
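A quick way to check a captured request for the duplicated Cookie header Michael describes, added here as an example and not code from ZAP or from anyone in the thread: it parses a raw HTTP/1.1 request, flags more than one Cookie line, and rebuilds the request with a single merged Cookie header as RFC 6265 requires. The sample request, host path and cookie names are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample request, not captured from ZAP: it carries two Cookie
# header lines, the symptom discussed in the thread (cookie names are made up).
SAMPLE_REQUEST = (
    "GET /cms/admin/index.php HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "Cookie: PHPSESSID=abc123\r\n"
    "User-Agent: ZAP\r\n"
    "Cookie: PHPSESSID=abc123; remember_me=1\r\n"
    "\r\n"
)

def parse_request(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP/1.1 request into request line, (name, value) headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in filter(None, lines[1:]):
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body

def cookie_lines(raw: str) -> List[str]:
    """Every Cookie header value in the request, in order (RFC 6265 allows only one)."""
    return [v for n, v in parse_request(raw)[1] if n.lower() == "cookie"]

def has_duplicate_cookie_header(raw: str) -> bool:
    """The check: more than one Cookie line is the condition that breaks the login."""
    return len(cookie_lines(raw)) > 1

def merged_cookies(raw: str) -> Dict[str, str]:
    """Flatten all Cookie lines into one name -> value map; a later value wins."""
    cookies: Dict[str, str] = {}
    for line in cookie_lines(raw):
        for item in line.split(";"):
            name, _, value = item.strip().partition("=")
            if name:
                cookies[name] = value
    return cookies

def normalize_request(raw: str) -> str:
    """Rebuild the request with the other headers untouched and a single Cookie line."""
    request_line, headers, body = parse_request(raw)
    out = [request_line] + [f"{n}: {v}" for n, v in headers if n.lower() != "cookie"]
    cookie_value = "; ".join(f"{k}={v}" for k, v in merged_cookies(raw).items())
    if cookie_value:
        out.append(f"Cookie: {cookie_value}")
    return "\r\n".join(out) + "\r\n\r\n" + body
```

Run `has_duplicate_cookie_header` over requests exported from ZAP's History tab to confirm whether the issue linked above is what you are hitting.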
