## Finding Security Misconfigurations

ZapProxy (OWASP)
- There is two way of scanning API from ZapProxy

Automated Scanning (Via YML file)
```
- Launch an automated scan and way until completing
- Select the import button and chose your YML file (This should launch a new scan)
- Relaunch a scan to expand the research
```

![[Pasted image 20221123144033.png]]


Manual Scanning (Best Option)
```
- Launch a manual scan (options)
- Once the browser open, select continue to the target
- Now, you can turn attack mode on and create an account
- Once you have an account (Valid token), you can start using spider/active scan options while your visiting each page and testing each options (like in the active reconnaissance step)
- Once done, you should have many request and website on ZAP. You can now select the website and "include in context" to only target this website (in view mode)
```

- Using a manual scan will help you find more vulnerability directly from the ZAP platform

![[Pasted image 20221123144101.png]]