How to Use OWASP ZAP
Last modified: 2022-12-01
OWASP ZAP is an open-source web application security scanner.
Automated Scan
Ajax Spider
If you want to use the Ajax Spider with HtmlUnit (the easiest way), you may need to install HtmlUnit first.
sudo apt install libjenkins-htmlunit-core-js-java
Intercept Request
- Right-click on the URL.
- Select “Break…”.
- The “Add Breakpoint” window will appear.
Manual Request
OWASP ZAP can resend a request whose headers and body you edit manually, much like Burp Suite’s Repeater.
- Right-click on the URL.
- Select “Open/Resend with Request Editor…”.
Brute Force Directories
- Right-click on the URL.
- Select “Attack” → “Forced Browse Site”.
- At the bottom of the panel, the Forced Browse tab will appear, then open the tab.
- Set the wordlist in the List.
- Click “Start Forced Browse”.
Brute Force Credentials
- Right-click on the URL.
- Select “Attack” → “Fuzz…”.
- The Fuzzer window will open.
- Highlight the target value (e.g. username, password, etc.).
- Add a wordlist from local files.
- Click “Start Fuzzer”.
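The Forced Browse and Fuzzer runs described above leave a recognisable trace in the target's web-server logs: one client requesting many paths that return 404, and one client posting repeatedly to the login endpoint and receiving authentication failures. The following script is an added example, not part of this page or of the ZAP project, that parses combined-format access-log lines and flags both patterns. The log lines, the `/login` path and the thresholds are constructed assumptions for the demonstration; tune them to your own application.

```python
import re
from collections import defaultdict

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return {'ip', 'method', 'path', 'status'} for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect(lines, login_path="/login", notfound_threshold=10, login_fail_threshold=5):
    """Flag clients whose request pattern resembles a forced-browse or a login-fuzzing run.

    forced_browse: clients that requested >= notfound_threshold distinct 404 paths.
    credential_fuzzing: clients with >= login_fail_threshold failed POSTs to login_path.
    Thresholds are assumed values; tune them to the application's normal traffic.
    """
    notfound_paths = defaultdict(set)   # ip -> set of distinct paths that returned 404
    login_failures = defaultdict(int)   # ip -> number of POSTs to login_path with 401/403

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 404:
            notfound_paths[rec["ip"]].add(rec["path"])
        if rec["method"] == "POST" and rec["path"] == login_path and rec["status"] in (401, 403):
            login_failures[rec["ip"]] += 1

    return {
        "forced_browse": {ip: len(p) for ip, p in notfound_paths.items()
                          if len(p) >= notfound_threshold},
        "credential_fuzzing": {ip: n for ip, n in login_failures.items()
                               if n >= login_fail_threshold},
    }


def constructed_log():
    """Constructed sample traffic (not real logs): normal browsing plus the two attack patterns."""
    ua = '"-" "Mozilla/5.0"'
    lines = [
        f'10.0.0.5 - - [01/Dec/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 {ua}',
        f'10.0.0.5 - - [01/Dec/2022:10:00:02 +0000] "GET /missing.png HTTP/1.1" 404 153 {ua}',
        "this line is not in combined format and is skipped",
    ]
    # Forced-browse pattern: one client walking a wordlist of non-existent directories.
    guesses = ["admin", "backup", "old", "test", "config", "db",
               "logs", "tmp", "private", "dev", "staging", "secret"]
    for i, name in enumerate(guesses):
        lines.append(f'10.0.0.9 - - [01/Dec/2022:10:01:{i:02d} +0000] "GET /{name}/ HTTP/1.1" 404 153 {ua}')
    # Credential-fuzzing pattern: repeated failed POSTs to the login endpoint from one client.
    for i in range(8):
        lines.append(f'10.0.0.12 - - [01/Dec/2022:10:02:{i:02d} +0000] "POST /login HTTP/1.1" 401 98 {ua}')
    return lines


if __name__ == "__main__":
    for kind, hits in detect(constructed_log()).items():
        for ip, count in hits.items():
            print(f"{kind}: {ip} ({count} events)")
```

Counting distinct 404 paths rather than raw 404 hits keeps a single broken image link from tripping the forced-browse rule, and restricting the login rule to 401/403 responses keeps ordinary successful logins out of the count.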