ZAP Tool Information


Basu Hunasikatti

Apr 22, 2016, 8:10:40 AM
to OWASP ZAP User Group
Hi Simon,

I have used the ZAP tool and currently have a few doubts regarding some functionalities.
- Individual modules added and executed Attack>Spider and Attack>Scan one after another, but it seems to have generated the same report for all modules.
- How do I make sure whether the generated report is correct?
- How to use Passive Scanning?
- I have added multiple contexts; how do I execute Attack>Spider and Attack>Scan on all of them at once?
- Active scan all in scope (Attack -> Active scan all in scope) is not shown in the tool?
- What are all the security vulnerabilities the ZAP tool covers?
- Can we use ZAP as a security tool while syncing data from Salesforce to a hosted platform like Google Apps (Docs, Drive etc.)?

It would be very helpful if you could share any info on how to achieve that.

Thank you in advance,
Basu

Simon Bennetts

Apr 22, 2016, 8:34:12 AM
to OWASP ZAP User Group
Hi Basu.

Replies inline:


On Friday, 22 April 2016 13:10:40 UTC+1, Basu Hunasikatti wrote:
Hi Simon,

I have used the ZAP tool and currently have a few doubts regarding some functionalities.
- Individual modules added and executed Attack>Spider and Attack>Scan one after another, but it seems to have generated the same report for all modules.

The Spider is for exploring your application, and will as a side effect cause the passive scanning to occur. Active scanning performs the actual attacks.
 
- How do I make sure whether the generated report is correct?

Does the Sites tree look like a good representation of your application?
Does it look like it's found all of the pages you would have expected it to find?
 
- How to use Passive Scanning?

ZAP passively scans all of the requests proxied through it or visited by one of the spiders, so you'll be already doing that.
 
- I have added multiple contexts; how do I execute Attack>Spider and Attack>Scan on all of them at once?

We deliberately separate exploring from scanning as there are many different ways to explore an application. However, if you use the ATTACK mode then ZAP will actively scan all of the URLs that are in scope that you explore.
 
- Active scan all in scope (Attack -> Active scan all in scope) is not shown in the tool?

If you have just one Context then you can scan that in one go.
 
- What are all the security vulnerabilities the ZAP tool covers?
- Can we use ZAP as a security tool while syncing data from Salesforce to a hosted platform like Google Apps (Docs, Drive etc.)?

We'd need to know a bit more about your application structure. You should also have permission to use tools like ZAP from whoever hosts your site(s).
FYI Salesforce support a tool called Chimera which actually uses ZAP :)

Cheers,

Simon
 

psiinon

Apr 22, 2016, 8:34:39 AM
to zaprox...@googlegroups.com
Hi Basu,

I've replied to your post to the ZAP Users group.

Cheers,

Simon

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
OWASP ZAP Project leader

Basu Hunasikatti

Apr 22, 2016, 9:34:08 AM
to zaprox...@googlegroups.com
Thanks Simon for your response.

I have a few more doubts regarding some functionalities.

- How do I make sure whether the generated report is correct?

Simon - Does the Sites tree look like a good representation of your application?
Basu - No, there are several links as modules in our application. If I need to test all modules, then how do I attack->spider and attack->scanner, and how do I verify in the reports whether each module is tested or not?

Simon - Does it look like it's found all of the pages you would have expected it to find?
Basu - All pages are not found.

- Active scan all in scope (Attack -> Active scan all in scope) is not shown in the tool?

Simon - If you have just one Context then you can scan that in one go.
Basu - 1. What is the use of Context?
           2. I have added multiple contexts, but Active scan all in scope (Attack -> Active scan all in scope) is not shown in the tool.

In the ZAP Scanning Report, why are URLs repeated many times in each alert detail?

I could not understand terms like Parameter, Evidence, Reference, CWE Id and WASC Id in the ZAP Scanning Report.

What is the use of the four different (Safe, Protected, Standard & Attack) modes?

Thanks!
Basu





kingthorin+owaspzap

Apr 22, 2016, 11:11:25 AM
to OWASP ZAP User Group
1. What is the use of Context?
Covered by the wiki and help docs: https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsContexts , it's a collection of related URLs for which you want to or need to provide additional configuration details for use in your scan/assessment.

2. I have added multiple contexts, but Active scan all in scope (Attack -> Active scan all in scope) is not shown in the tool.
The UI has changed along the way. The multitude of menu options are no longer available. Simply start an active scan, then instead of selecting a URL select a context; if you have more than one context defined you can select "Everything in Scope".

I could not understand terms like Parameter, Evidence, Reference, CWE Id and WASC Id in the ZAP Scanning Report.
Parameter == The parameter that was "attacked"
Evidence == Evidence that confirms or highlights the attack.
Reference == URLs that can be referred to for further information.

CWE ID == The Common Weakness Enumeration ID associated with the particular alert (https://cwe.mitre.org/)
WASC ID == The Web Application Security Consortium Threat Classification associated with the particular alert
(http://projects.webappsec.org/w/page/13246978/Threat%20Classification)

What is the use of the four different (Safe, Protected, Standard & Attack) modes?
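Basu asks above how to tell from the report whether each module was tested, why URLs repeat in each alert detail, and what Parameter, Evidence, Reference, CWE Id and WASC Id mean; Simon's suggested check is whether the Sites tree and the pages found match what you expected. The script below is an added example, not code from the ZAP project or from anyone in this thread. It parses a constructed ZAP-style XML report, prints each alert with those fields, collapses the repeated URL/parameter instances that make a URL appear several times, and checks which expected module paths show up at all. The element names (OWASPZAPReport / site / alerts / alertitem / instances / instance) are an assumption about ZAP's traditional XML report layout, and every value, URL and module prefix in it is made up.

```python
"""Sanity checks on a ZAP-style XML scanning report.

Added example, not ZAP code. SAMPLE_REPORT is a constructed fragment whose
element names assume ZAP's traditional XML report layout; all values are made up.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: two alerts, one of which lists the same URL twice.
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.4.3" generated="Fri, 22 Apr 2016 12:00:00">
 <site name="http://app.example.test" host="app.example.test" port="80" ssl="false">
  <alerts>
   <alertitem>
    <name>Constructed header alert</name>
    <riskcode>1</riskcode>
    <instances>
     <instance><uri>http://app.example.test/accounts/list</uri><method>GET</method><param>X-Constructed-Header</param><evidence></evidence></instance>
     <instance><uri>http://app.example.test/accounts/list</uri><method>GET</method><param>X-Constructed-Header</param><evidence></evidence></instance>
     <instance><uri>http://app.example.test/orders/new</uri><method>POST</method><param>X-Constructed-Header</param><evidence></evidence></instance>
    </instances>
    <count>3</count>
    <reference>https://example.test/constructed-reference</reference>
    <cweid>693</cweid>
    <wascid>15</wascid>
   </alertitem>
   <alertitem>
    <name>Cross Site Scripting (Reflected)</name>
    <riskcode>3</riskcode>
    <instances>
     <instance><uri>http://app.example.test/orders/search?q=x</uri><method>GET</method><param>q</param><evidence>CONSTRUCTED_MARKER</evidence></instance>
    </instances>
    <count>1</count>
    <reference>https://example.test/constructed-reference</reference>
    <cweid>79</cweid>
    <wascid>8</wascid>
   </alertitem>
  </alerts>
 </site>
</OWASPZAPReport>
"""

# Module path prefixes the tester expects ZAP to have exercised (constructed).
MODULES = ["/accounts", "/orders", "/reports"]


def parse_alerts(report_xml):
    """One dict per alertitem, carrying the fields shown in the report's alert detail."""
    alerts = []
    for site in ET.fromstring(report_xml).findall("site"):
        for item in site.findall("alerts/alertitem"):
            alerts.append({
                "site": site.get("name"),
                "name": item.findtext("name", ""),
                "risk": int(item.findtext("riskcode", "0")),
                "cwe": item.findtext("cweid", ""),    # Common Weakness Enumeration id
                "wasc": item.findtext("wascid", ""),  # WASC Threat Classification id
                "reference": item.findtext("reference", ""),
                "instances": [
                    {k: inst.findtext(k, "") for k in ("uri", "method", "param", "evidence")}
                    for inst in item.findall("instances/instance")
                ],
            })
    return alerts


def unique_locations(alert):
    """Collapse repeated instances. ZAP records one instance per flagged request, so a
    URL repeats once per method/parameter combination and once per time the spider or
    scanner hit it; this keeps the first instance of each distinct combination."""
    seen = {}
    for inst in alert["instances"]:
        seen.setdefault((inst["method"], inst["uri"], inst["param"]), inst)
    return list(seen.values())


def module_coverage(alerts, modules):
    """Distinct request paths under each expected module prefix. An empty list is a
    prompt to check the Sites tree: the module was either never reached or produced
    no alerts, and the alerts alone cannot tell those two cases apart."""
    hit = {m: set() for m in modules}
    for alert in alerts:
        for inst in alert["instances"]:
            path = urlparse(inst["uri"]).path
            for m in modules:
                if path == m or path.startswith(m.rstrip("/") + "/"):
                    hit[m].add(path)
    return {m: sorted(paths) for m, paths in hit.items()}


def summarize(alerts):
    """Readable lines: one per alert (highest risk first), then one per distinct location."""
    out = []
    for a in sorted(alerts, key=lambda a: -a["risk"]):
        locs = unique_locations(a)
        out.append(f"[risk {a['risk']}] {a['name']} (CWE-{a['cwe']}, WASC-{a['wasc']}): "
                   f"{len(a['instances'])} instance(s), {len(locs)} distinct location(s)")
        out.extend(f"    {i['method']} {i['uri']} param={i['param']!r} evidence={i['evidence']!r}"
                   for i in locs)
    return out


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_REPORT)
    print("\n".join(summarize(found)))
    for module, paths in module_coverage(found, MODULES).items():
        print(f"{module}: {paths or 'NO REQUESTS SEEN - check the Sites tree'}")
```

To run this against a real export, replace SAMPLE_REPORT with the contents of the XML file ZAP produced. An empty coverage list only says that no alert instance touched that module; the Sites tree (or the list of URLs ZAP visited) is the authoritative record of what the spider and scanner reached, which is the check Simon suggests above.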

Basu Hunasikatti

Apr 22, 2016, 12:53:20 PM
to zaprox...@googlegroups.com

Thank you very much.

kingthorin+owaspzap

Apr 22, 2016, 1:22:41 PM
to OWASP ZAP User Group
No problem, let us know if there's anything else that you have questions about or is confusing.

Basu Hunasikatti

Apr 23, 2016, 12:01:46 AM
to zaprox...@googlegroups.com

Ya sure..

On 22 Apr 2016 10:52 p.m., "kingthorin+owaspzap" <kingt...@gmail.com> wrote:
No problem, let us know if there's anything else that you have questions about or is confusing.


Basu Hunasikatti

Apr 25, 2016, 6:40:37 AM
to zaprox...@googlegroups.com
Hi Simon,

Please look into the below link. It would be very helpful if you could share any info on how to achieve that.

https://docs.google.com/document/d/1AaeDe14nCKiyJaqWeLhG_-Nt_mUjjZj2ZEtwzIwcE48/edit



Thank you in advance,
Basu
On Fri, Apr 22, 2016 at 10:52 PM, kingthorin+owaspzap <kingt...@gmail.com> wrote:
No problem, let us know if there's anything else that you have questions about or is confusing.
