Bitlab
asked on
OWASP ZAP get started
Dear Experts.
I am tasked to secure the site for one company and to prove that I did a good job.
I feel I need a small push to get started with ZAP.
Getting started with ZAP seems very obscure.
1. What is the difference between extensions and plugins?
2. How can I see what was sent and what came back when an alert in Alerts indicates a vulnerability?
For example, after running ZAP on a specific URL, there are:
Alerts
Cross Site Scripting
POST: http://....
Attack --><script>...
Evidence --><script>...
This short log makes no sense: what was the scenario of the attack?
What were the full request and the full response?
3. Where can one see what happened behind a specific alert (history records)? Which sorts of attacks were conducted, which plugins were used?
4. What is the content of a plugin and its scenario?
5. Zest scripts are included when you click the add-on menu. But where are they? How to see a specific one? How to edit it?
6. What is the "Fuzz Locations tab"? Where is it? Very obscure.
This term is found in Help/Fuzzer/Dialog.
7. I am nearly sure that the site under my test has a certain Ruby buffer overflow vulnerability, but how can I prove it by including
the vulnerability code into ZAP plugins (or finding this plugin in the OWASP forum) and running the test?
Thank you.
ASKER
Thank you.
ASKER
I have to rate it well, but because I feel I am rather at the beginning of the question than at the end of an answer, I will repost my follow-up in the step-2 question:
OWASP ZAP get started. Step 2.