Bitlab
asked on
OWASP ZAP get started. Step 2.
This is a follow-up question after viewing OWASP ZAP get started.
Dear Experts.
1.a
extensions-exists-in-ver-2.5--how-to-export-them-to-recent-version.png
If I downloaded an outdated version of ZAP, ~/Downloads/ZAP/ZAP_2.5.0$ ./zap.sh, why does their web site offer 2.5 instead of a recent and stable one?
I only see 2.5: https://github.com/zaproxy/zaproxy/wiki/Downloads
Is there a newer one?
If this is the newest, why does it keep "outdated" extensions?
1.b
Whichever they are, plugins or extensions, there seems to be no way to understand what they are doing and what their attack scenario is:
For example, this folder
/home/stan/Downloads/ZAP/ZAP_2.5.0/plugin
contains just binary code; how, from binary code, can one know which vulnerability has been targeted, what the "international database index" of
this vulnerability is, or simply what the vulnerability reproduction scenario is?
2/3/4
One of your links leads to:
https://www.owasp.org/index.php/GSoC2013_Ideas/OWASP_ZAP_Exploring_Advanced_reporting_using_BIRT#Extending_OWASP_ZAP_with_new_reporting_module
and it gives the impression that there exists a sort of Java library of attack scenarios. Where is this library? How does one find out which library
program the message in the Alert or History tab refers to? In my example of
Cross Site Scripting
POST: http://....
Attack --><script>...
Evidence --><script>...
where is this library program/scenario source code?
5. In my question 5 I am asking how to find a script. You provide an answer to the question "How to create a script".
aka: "New Script Button • Navigate to the Scripts tree tab".
Is it still possible to find the scripts/scenarios that are used, in order to understand what attacks are going on in the out-of-the-box ZAP?
2/3/4 a.
(Reports --> "Export Responses to Files")
When I export an Alert/Message to a file, it does not export the log of the conversation between server and browser,
but instead it just exports the response of the server. So, it shows neither Attack information nor Evidence information.
It seems this export is very useless.
7.
"...You can write custom payload generator scripts - these can supply any payloads that you need"
Before reinventing the wheel, it seems more practical for a net-admin to use already existing source code.
Is it really the case that every security company has to have programmers writing the code for the same vulnerability again and again?
It seems some of the scripts are from https://www.ida.org/
*
here is my example:
no-info-to-understand-what-is-scenario-and-request-response-of-scenario.png
Thank you.