handbook/tools/Others/API/Notes/2.Scanning-and-Enumeration/Scanning-API.md
2024-08-31 01:07:22 +02:00

1 KiB

Finding Security Misconfigurations

ZapProxy (OWASP)

  • There is two way of scanning API from ZapProxy

Automated Scanning (Via YML file)

- Launch an automated scan and way until completing
- Select the import button and chose your YML file (This should launch a new scan)
- Relaunch a scan to expand the research

!Pasted image 20221123144033.png

Manual Scanning (Best Option)

- Launch a manual scan (options)
- Once the browser open, select continue to the target
- Now, you can turn attack mode on and create an account
- Once you have an account (Valid token), you can start using spider/active scan options while your visiting each page and testing each options (like in the active reconnaissance step)
- Once done, you should have many request and website on ZAP. You can now select the website and "include in context" to only target this website (in view mode)
  • Using a manual scan will help you find more vulnerability directly from the ZAP platform

!Pasted image 20221123144101.png