Basic questions before starting the first scan


winx...@gmail.com

Apr 30, 2015, 3:05:10 AM
to zaprox...@googlegroups.com

I would like to know a few things before doing the first scan.

In the ZAP proxy, if I go to the "Quick Start" and type the URL in the place of "URL to attack" and scan, what would I achieve? Will I be able to find all the vulnerabilities?

When I run the ZAP proxy automated scan, how many web vulnerabilities is it able to scan for?

How do I record the username and password if my URL requires a login on the first page or any other page?

Thanks in advance

winxlinx

kingthorin+owaspzap

Apr 30, 2015, 8:09:23 AM
to zaprox...@googlegroups.com
> In the ZAP proxy, if I go to the "Quick Start" and type the URL in the place of "URL to attack" and scan, what would I achieve? Will I be able to find all the vulnerabilities?

This will cause the spider to attempt to crawl the site entered and run an active/passive scan.

> When I run the ZAP proxy automated scan, how many web vulnerabilities is it able to scan for?

That kind of depends on the size of the app, whether you've configured authentication properly, etc. Here is a list of the types of vulnerabilities ZAP can look for: https://code.google.com/p/zaproxy/wiki/FAQzaptests

> How do I record the username and password if my URL requires a login on the first page or any other page?

winx...@gmail.com

May 5, 2015, 8:25:52 AM
to zaprox...@googlegroups.com

Hi Kingthorin,

Thanks for the response.

If I use the proxy for manual crawling, can I then disable the proxy immediately before doing the active scan?

When I set up the proxy and then use the browser, what if the browser accesses its default page, like Google, instead of the actual site? Will this be an issue? I mean, will the scan happen on the Google site? Or does the scan really happen only when I run the active scan?

winxlinx

kingthorin+owaspzap

May 5, 2015, 3:19:36 PM
to zaprox...@googlegroups.com
You "can" disable the proxy or remove it from your browser settings at any point.

The active scan will only "scan" what you've asked it to. If you happen to ask it to scan the default context and then keep adding stuff to that context (by browsing through it), it might continue to test things you didn't intend (especially if you're using attack mode). However, that's kind of an edge case.

winx...@gmail.com

May 5, 2015, 10:42:16 PM
to zaprox...@googlegroups.com


So when we use the proxy, say for example if we browse an internet site, that does not mean some scan is run on the site, right?

Only when we run the active scan does some kind of scan happen on the sites, right?

Simon Bennetts

May 6, 2015, 6:09:11 AM
to zaprox...@googlegroups.com
ZAP will _only_ attack sites that you explicitly tell it to attack.

If you proxy requests through ZAP then it will passively scan the requests and responses - but that's quite safe as it just examines them and doesn't change anything.

You have to tell ZAP to actively scan a site/subtree/url, and then ZAP will only attack the target you specify.
So it will _not_ attack the other urls you've proxied.

There is one exception to this, and that's the 'attack' mode.
In this mode ZAP still won't attack anything, unless you add it to a context that is in scope.
In attack mode ZAP will actively scan all urls that you visit that are in scope.
Note that by default nothing is in scope, so don't worry too much ;)
Just make sure that you only add urls to a context that you really want to attack.

And if you are particularly nervous about using ZAP on a particular site then just put it into Safe mode (on the main toolbar)
ZAP will then not allow you to perform any attacks :)

Cheers,

Simon
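To make the scope and mode rules above concrete, here is an added illustrative model (not ZAP's own code) of how a ZAP context decides whether a proxied URL is in scope and whether a given mode would actively scan it. The include/exclude regex matching is a simplification of ZAP's context rules, and "protected" mode comes from ZAP's documented mode list rather than from this thread.

```python
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class Context:
    """Simplified model of a ZAP context: URLs matching any include regex are in
    scope unless they also match an exclude regex (assumption: full-URL matching)."""
    name: str
    include: List[str] = field(default_factory=list)  # empty by default: nothing in scope
    exclude: List[str] = field(default_factory=list)

    def in_scope(self, url: str) -> bool:
        if any(re.fullmatch(p, url) for p in self.exclude):
            return False
        return any(re.fullmatch(p, url) for p in self.include)


def would_active_scan(mode: str, contexts: List[Context], url: str,
                      explicit_target: bool = False) -> bool:
    """Decide whether a URL would be actively scanned.

    safe      -> never, regardless of what you ask for
    protected -> only explicit targets that are also in scope
    standard  -> only explicit targets (what you point the active scan at)
    attack    -> explicit targets plus every in-scope URL you visit through the proxy
    Passive scanning of proxied traffic happens in every mode and is not modelled here.
    """
    in_scope = any(c.in_scope(url) for c in contexts)
    if mode == "safe":
        return False
    if mode == "protected":
        return explicit_target and in_scope
    if mode == "standard":
        return explicit_target
    if mode == "attack":
        return explicit_target or in_scope
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    # Constructed scenario from the thread: the browser opens Google first, then the local app.
    app = Context("Local app", include=[r"http://localhost:8080/.*"],
                  exclude=[r"http://localhost:8080/logout.*"])
    for mode in ("safe", "standard", "attack"):
        for url in ("https://www.google.com/", "http://localhost:8080/login"):
            print(f"{mode:8} {url:32} active scan: {would_active_scan(mode, [app], url)}")
```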

winx...@gmail.com

May 8, 2015, 3:47:47 AM
to zaprox...@googlegroups.com

Hi Simon,

Thanks for the support you guys provide here, I appreciate it.

How do I access the attack mode?

How do I access the safe mode in the main toolbar?

Let me explain the way I do it; correct me if that is safe. In the main tool window there is something called "URL to attack" in the Quick Start window. I am just entering the local URL and scanning, then I will spider if I require, then I can scan, right? Or is the attack itself already the scan?

winxlinx

kingthorin+owaspzap

May 8, 2015, 9:15:51 AM
to zaprox...@googlegroups.com
There's a "mode" dropdown menu on the main toolbar:
https://code.google.com/p/zaproxy/wiki/HelpStartConceptsModes
https://code.google.com/p/zaproxy/wiki/HelpUiTltoolbar

If you're using Quick Start then when you enter a URL and click "Attack", ZAP spiders the site and runs its active scan.
https://code.google.com/p/zaproxy/wiki/HelpAddonsQuickstartQuickstart

winx...@gmail.com

May 19, 2015, 2:57:48 AM
to zaprox...@googlegroups.com
Thank you King