OWASP ZAP Tutorial - Part 2: Crawling

-
If you completed part one of this series, you have now successfully intercepted an HTTP request and response with OWASP ZAP. Don't you feel proud and empowered? I knew you would. But guess what? We're not done yet... not by a damn site. Now it's time to learn how to crawl a web application with ZAP. Now I know what you're thinking to your self. Your thinking, "Pablo, why do I need to crawl the site? Can't I just do an outright scan? Won't that crawl the site first anyway?" Well, the answer to your question is "yes," you can just scan the site, which usually starts with a crawl. But here is the deal, maybe you don't want to be noticed, especially if you are doing a test where stealth is important.

Have you ever worked on a blue team and had your email inbox explode with alerts because some jackhole decided to scan your company's website? If so, then you understand why running a full scan might not be desirable (you may also want to tune the tools that fired those alerts). Crawling a site is less noisy than a full scan and it also is less risky. Scans can knock down websites. Crawls are far less likely to do so. With a crawl, you can identify interesting components of a website and maybe even some directories that the designer didn't want you to know about (security through obscurity). So let's look at how to crawl with ZAP. We will build off of the work that was done in the last post.

Crawling

  1. In ZAP, right-click on the URL of the application in the Target pane (left-side of the screen). In the options that appear, choose Attack > Spider (Spider's crawl, get it?).
  2. In the Spider window, make sure that you are in the scope tab and that the scope is properly defined. For those of you that have read the last post, you know that holing up in an Equadorian consulate isn't a great career move. Leave the other options on this screen as is.


  3. While still in the spider window, click on the Advanced tab. In this screen, we will want to make some changes to how deep the crawler goes and how many children it is allowed to crawl. Failure to do this can cause the crawl to last for a very long time, and it can also cause the application to run out of resources and crash. As a rule of thumb, I set the max depth to 3 (at least to start) and the number of children to 3 as well. You can fiddle with these settings to find what works best for you. Each situation is different, so these rules certainly aren't hard rules. Leave the other settings as they are.


  4. Click the Start Scan button. While the crawl is running, expand the tree for your target and watch for any newly identified application locations or components.


  5. Note that you can pause or stop the crawl at any time by using the crawl control buttons. You can also monitor the status of the scan by watching the progress bar and the percent complete. If the scan is taking far longer than you anticipated or wanted, stop the scan and modify the settings in step 3 (smaller numbers = quicker scans but fewer details).
Well, you have successfully crawled a site with OWASP ZAP. Pop the cork on the champagne, were don... wait, what? You still want to learn how to scan? Well crap. OK, check out my next post and we will hit that topic next.

Comments

  1. AnonymousJanuary 23, 2022 at 9:43 AM

    8bitx 9.0 Mobile App
    8bitx, 8Bitdo J-pin, and the best games on mobile betway platform They william hill have been making it possible for players to make games at all times using software bet365

    ReplyDelete

Post a Comment

Popular posts from this blog

OWASP ZAP Tutorial - Part 1: Intercepting Traffic

-
Image
So you want to use OWASP's Zed Attack Proxy to intercept web requests and responses, but you don't know where to start. ZAP isn't quite as pretty as Burp and there isn't even a proxy tab that you can use to intercept traffic and monkey with the parameters! What is the deal!? OK, OK, OK, just take a chill pill there my friend. Although ZAP is a little different from Burp, I think you will find that it is just as useful, and in some cases perhaps more so. Let's jump in with a little exercise that will help you figure out the basics of this often overlooked gem. Before going any further, I am going to take a moment to warn you about testing web applications without permission; don't do it. Testing a site that is not yours is what a friend of mine has referred to as a "non-extradition country career choice" (thanks Adrien de Beupre). Equador is a lovely country, but you probably don't want to live there. Manually Intercepting HTTP Requests and
Read more

OWASP ZAP Tutorial - Part 3: Scanning

-
Image
Good day, eh. Welcome to Part 3. In this post, we will spend a little time walking through how to perform active scanning with ZAP. I'm gonna level with you, this is probably the easiest part of workin with ZAP, but it is also the most perilous. Web scanners have taken down sites, and if the scope isn't configured properly you could find yourself winning an extended stay at Club Fed (located in beautiful Leavenworth, Kansas). As always, don't scan stuff that isn't yours or that you don't have permission to scan. Got it? Good. Let's move forward. As you may or may not know, OWASP ZAP can perform two different levels of scanning: passive scanning and active scanning. Our tutorial will focus on active scanning, but I think it is worthwhile to have a brief discussion about passive scanning. Passive scanning is the scanning that takes place when ZAP is interacting with a web application through any other process other than an active scan. What this means is that
Read more