28 lines
1 KiB
Markdown
28 lines
1 KiB
Markdown
|
|
||
|
|
## Finding Security Misconfigurations
|
||
|
|
|
||
|
|
ZapProxy (OWASP)
|
||
|
|
- There is two way of scanning API from ZapProxy
|
||
|
|
|
||
|
|
Automated Scanning (Via YML file)
|
||
|
|
```
|
||
|
|
- Launch an automated scan and way until completing
|
||
|
|
- Select the import button and chose your YML file (This should launch a new scan)
|
||
|
|
- Relaunch a scan to expand the research
|
||
|
|
```
|
||
|
|
|
||
|
|
![[Pasted image 20221123144033.png]]
|
||
|
|
|
||
|
|
|
||
|
|
Manual Scanning (Best Option)
|
||
|
|
```
|
||
|
|
- Launch a manual scan (options)
|
||
|
|
- Once the browser open, select continue to the target
|
||
|
|
- Now, you can turn attack mode on and create an account
|
||
|
|
- Once you have an account (Valid token), you can start using spider/active scan options while your visiting each page and testing each options (like in the active reconnaissance step)
|
||
|
|
- Once done, you should have many request and website on ZAP. You can now select the website and "include in context" to only target this website (in view mode)
|
||
|
|
```
|
||
|
|
|
||
|
|
- Using a manual scan will help you find more vulnerability directly from the ZAP platform
|
||
|
|
|
||
|
|
![[Pasted image 20221123144101.png]]
|