I am tasked to secure the site for one company and to prove that I did a good job.
I feel I need a small push to get started with ZAP.
Getting started with ZAP seems very obscure.
1. What is the difference between extensions and plugins?
2. How can I see what has been sent and what was responded if an alert in Alerts indicates a vulnerability? For example, after running ZAP on a specific URL, there is:
   Cross Site Scripting
   This short log makes no sense: what was the scenario of the attack? What was the full request and the full response?
3. Where can one see what happened behind a specific alert, the history records? Which sort of attacks were conducted, which plugins were used?
4. What is the content of a plugin and its scenario?
5. Zest scripts are included when clicking the add-on menu. But where are they? How to see a specific one? How to edit it?
6. What is the "Fuzz Locations tab"? Where is it? Very obscure. This term is found in Help/Fuzzer/Dialog.
7. I am nearly sure that the site under my test has a certain Ruby buffer overflow vulnerability, but how can I prove it by including the vulnerability code into ZAP plugins (or find this plugin in the OWASP forum) and run the test?