Recent

Scan website for vulnerabilities in Kali Linux 2.0 using Owasp-zap.

What is owasp-zap

OWASP-ZAP is a Graphical user interface tool for finding vulnerabilities in web applications.It is completely free and open source.ZAP is an easy to use tool because of it's GUI,it is used by beginners as well as professionals. When used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including traffic using https.

It is highly efficient tool not only for pen-testers also for web developers.It finds all possible vulnerabilities in your web applications. Like Sql Injection and xss vulnerability etc.

It can be used to create automated security tests.it has wide variety of tools.

Now let's do some real work so open your terminal and type:

root@seven:~# owasp-zap 

Scan Website-OWASP-ZAP

Enter url and click on attack.Wait for few minutes untill scan finishes.

enter url and click attack

You can check for sent requests and responses in the tabs.

check requests

When your Scan is finished go to the alert tab.All the vulnerabilities will be listed under alert tab.

all vulnerabilities

As you can see from the scan we have found some dangerous vulnerabilities specially sql injection and xss.

Now click on first vulnerability cross site scripting(reflected). If you dont know about xss vulnerability then check here to understand and exploit the xss vulnerability. On the left side there are various other details: risk high means that chances are high to exploit website with xss attack. website can be attacked with xss.

hackeable

Now move to the next vulnerability sql injection.It is most common vulnerability.It is really dangerous hackers can crash and steal sensitive information like usernames ,passwords,email,addresses etc..

sql injection

On the left side you can see that url with id.Now you can hack website Sql with Injection vulnerability with SQLMAP. Take the URL and from the right side as shown in the Above picture exploit with SQLMAP.

So if you are a web developer go ahead and correct your code.

X-frame-options header not set : With this vulnerability attackers can perform clickjacking. In order to avoid this You must add X-Frame-Options HTTP Response header to your page that you want to protect.

Generate reports

Owasp-zap allows us to save the results into various formats like html , xml etc.

save into a file

This is how you can scan websites for vulnerabilities with owasp-zap.This is just a place to get you started with OWASP-ZAP.Will be making more tutorials on Owasp-zap in future.

These are some basic scanning technique that you must know.I hope it helped you share it among your friends thanks.