Collaborate Disseminate
I want to run ZAP automated scan to a web application. I have the url which is example.com/myapp. When I browse the application in burpsuite, I can see some rest endpoints being called like example.com/authz/rights-administration/.
When ru… Continue reading Running zap scan on a web application is not detecting all endpoints
I am trying to run an unauthenticated active scan of a website as part of a penetration test, and there is one form on the website on a contact page that looks like it will send emails to a singular contact. We don’t want to flood this per… Continue reading Is it possible to run an active scan against a website with Burpsuite, ZAP, or another tool that excludes form submission for a single form? [closed]
I am new to this role. So I am trying to understand a few things.
My organisation wants to evaluate the existing application according to ASVS https://github.com/OWASP/ASVS/blob/master/4.0/docs_en/OWASP%20Application%20Security%20Verificat… Continue reading Automate ASVS with ZAP
I am new to this role. So I am trying to understand a few things.
My organisation wants to evaluate the existing application according to ASVS https://github.com/OWASP/ASVS/blob/master/4.0/docs_en/OWASP%20Application%20Security%20Verificat… Continue reading Automate ASVS with ZAP
I want to run an automated REST API pentest, and I want to integrate my test into CI/CD pipeline. Note: I have the openapi specification of the APIs that I want to test.
My automated test will be divided into 2 parts:
Anti-regression test… Continue reading Which tool to use to automate REST API pentest
Using ZAP OWASP 2.13.0 and found a so-called "Remote command injection". But either in report or in Alerts the URL + query the URL does not contain attack string. Open the query in Request editor, the query is still correct.
Did … Continue reading ZAP – Remote command injection found in API but real URL not shown anywhere, in scan returns 200 but manual test returns expected 400
I’m trying to set up an authenticated scan for a webapp, lets say admin.example.com. The authentication is done by a different service login.example.com through a JSON AJAX call. After successful authentication, the login.example.com would… Continue reading ZAP authenticated scan without locking out the test user
OWASP ZAP is used to scan vulnerability on web application but its site says " Because this is a simulation that acts like a real attack, actual damage can be done to a site’s functionality, data, etc."
So why would someone use i… Continue reading Why use OWASP ZAP when it could damage the web application?
http://xxx/?-d+allow_url_include%3D1+-d+auto_prepend_file%3Dphp%3A%2F%2Finput=%27+AND+4571%3D9588+AND+%27kISD%27%3D%27kISD
(Advanced SQL Injection)
here is the ZAP description:
The page results were successfully manipulated using the boo… Continue reading Any idea why the param being modifed was removed from the HTML output in ZAP?
I recently performed a vulnerability assessment on a system using ZAP (Zed Attack Proxy) and received a finding indicating a likely SQL injection vulnerability.
The query time is controllable using parameter value [case
randomblob(1000000… Continue reading Adding Payload to URL-based SQL Injection: Seeking Guidance and Best Practices