OWASP ZAP Tool Execution - API Security Scan
OWASP ZAP
OWASP Zed Attack Proxy (ZAP) is an open-source web application security testing tool developed by the Open Web Application Security Project (OWASP). It is designed to help developers, security testers, and penetration testers identify vulnerabilities and security flaws in web applications.
Why is it used?
• It is a tool used to enhance the security of web applications. Just as a security expert examines your building for vulnerabilities, anyone with the right knowledge can use OWASP ZAP to examine web applications for potential security flaws that could be exploited by attackers.
• Scan for common security vulnerabilities, such as weak authentication mechanisms or input validation issues.
• Identify security weaknesses in web applications.
• Mitigate risks by fixing the identified vulnerabilities before they can be exploited by malicious individuals.
Features of OWASP ZAP
ZAP offers a wide range of features to assist in the identification and mitigation of web application vulnerabilities:
• Proxy Functionality: ZAP acts as a proxy between the user's browser and the target web application, allowing it to intercept and inspect the requests and responses exchanged. This enables the user to analyze and modify the application's communication in real time.
• Active Scanning: ZAP includes a comprehensive set of active scanning tools that automatically test the target application for common security issues. These scans can help identify vulnerabilities such as cross-site scripting (XSS), SQL injection, and insecure direct object references.
• Passive Scanning: In addition to active scanning, ZAP performs passive scanning by observing the application's traffic and detecting potential security weaknesses. This includes identifying sensitive information leaks, insecure cookie settings, and other issues that may not be identified through active scanning alone.
• Spidering: ZAP's spidering functionality allows it to navigate through the target application, discovering and mapping out the various pages and functionalities. This helps in creating a comprehensive view of the application's structure, which is useful for testing and identifying potential vulnerabilities.
• Authentication and Session Management: ZAP provides features to assist in testing authentication and session management mechanisms. It allows users to define different user roles, perform login/logout operations, and manage session tokens to test the application's security controls effectively.
ZAP Desktop UI
1. Menu Bar – Provides access to many of the automated and manual tools.
2. Toolbar – Includes buttons which provide easy access to the most commonly used features.
3. Tree Window – Displays the Sites tree and the Scripts tree.
4. Workspace Window – Displays requests, responses, and scripts and allows you to edit them.
5. Information Window – Displays details of the automated and manual tools.
6. Footer – Displays a summary of the alerts found and the status of the main automated tools.
Running an Automated Scan
• The easiest way to start using ZAP is via the Quick Start tab. Quick Start is a ZAP add-on that is included automatically when you install ZAP.
• To run a Quick Start Automated Scan:
1. Start ZAP and click the Quick Start tab of the Workspace Window.
2. Click the large Automated Scan button.
3. In the URL to attack text box, enter the full URL of the web application you want to attack.
4. Click the Attack
View Alerts and Alert Details
• The left-hand side of the Footer contains a count of the Alerts found during your test, broken out into risk categories. These risk categories are:
• To view the alerts created during your test:
• Click the Alerts tab in the Information Window.
• Click each alert displayed in that window to display the URL and the vulnerability detected in the right side of the Information Window.
• In the Workspace Window, click the Response tab to see the contents of the header and body of the response. The part of the response that generated the alert will be highlighted.
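The same per-risk breakdown the Footer shows, and the URL/parameter detail the Alerts tab gives per alert, can be pulled out of a saved ZAP JSON report for triage. This is an added example, not code from the slides or from the ZAP project; it assumes the report layout of ZAP's JSON export (site[].alerts[].instances[], with riskcode 3/2/1/0 for High/Medium/Low/Informational), and the report it parses is a constructed sample.

```python
import json

# Constructed sample in the layout of ZAP's JSON report (site[].alerts[].instances[]);
# it is not the output of a real scan, and the host is a local placeholder.
SAMPLE_REPORT = json.dumps({"site": [{"@name": "http://localhost:8080", "alerts": [
    {"alert": "SQL Injection", "riskcode": "3", "confidence": "2",
     "instances": [{"uri": "http://localhost:8080/api/items?id=1", "method": "GET", "param": "id"}]},
    {"alert": "Cookie Without Secure Flag", "riskcode": "1", "confidence": "2",
     "instances": [{"uri": "http://localhost:8080/login", "method": "POST", "param": "session"}]},
    {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1", "confidence": "2",
     "instances": [{"uri": "http://localhost:8080/", "method": "GET", "param": "x-content-type-options"},
                   {"uri": "http://localhost:8080/api/items", "method": "GET", "param": "x-content-type-options"}]},
    {"alert": "Information Disclosure - Suspicious Comments", "riskcode": "0", "confidence": "1",
     "instances": [{"uri": "http://localhost:8080/app.js", "method": "GET", "param": ""}]},
]}]})

# ZAP's riskcode values map to the four categories shown in the Footer.
RISK_NAMES = {"3": "High", "2": "Medium", "1": "Low", "0": "Informational"}


def summarise_alerts(report_json):
    """Count alerts per risk category, the same breakdown the ZAP Footer shows."""
    counts = {name: 0 for name in RISK_NAMES.values()}
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            counts[RISK_NAMES.get(alert.get("riskcode", "0"), "Informational")] += 1
    return counts


def alert_instances(report_json, min_riskcode=1):
    """Flatten every instance of alerts at or above min_riskcode into
    (risk, alert name, method, uri, param) rows, highest risk first, for triage."""
    rows = []
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            code = int(alert.get("riskcode", "0"))
            if code < min_riskcode:
                continue
            for inst in alert.get("instances", []):
                rows.append((code, RISK_NAMES[str(code)], alert["alert"], inst.get("method", ""),
                             inst.get("uri", ""), inst.get("param", "")))
    rows.sort(key=lambda r: -r[0])  # stable sort keeps report order within a category
    return [r[1:] for r in rows]


if __name__ == "__main__":
    print(summarise_alerts(SAMPLE_REPORT))
    for row in alert_instances(SAMPLE_REPORT):
        print(" | ".join(row))
```

Point it at a report saved from ZAP (Report > Generate Report, JSON) by reading the file into `report_json` instead of `SAMPLE_REPORT`.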
ZAP Tool Scan – Issue Types
ZAP can scan through the web application and detect issues related to:
• SQL injection
• Broken Authentication
• Sensitive data exposure
• Broken Access control
• Security misconfiguration
• Cross Site Scripting (XSS)
• Insecure Deserialization
• Components with known vulnerabilities
• Missing security headers
OWASP Cheat Sheet Series
• The OWASP Cheat Sheet Series was created to provide a concise collection of high-value information on specific application security topics.
• URL: https://cheatsheetseries.owasp.org/
• We can use the above URL to find guidance for fixing the issues reported by ZAP tool scanning.
Steps to Scan the Diff. JSON – Step 1, Step 2, Step 3 (screenshot slides; no text content)
Restriction Methods – Defending Against the Attacks Found by the ZAP Tool
• Resource whitelisting
• Parameter whitelisting
• Proper return type
• Improve / add DTO
• Avoid complex object parameters
• Attribute routing
• Exception handling
• Taking care of response content
• URL and file injection prevention
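Several of the restriction methods above (parameter whitelisting, a DTO instead of raw request data, a proper return type, exception handling that controls the response content, and security headers for the missing-header alerts) can be shown together in one request handler. This is an added example, not code from the slides; the endpoint contract, the data layer and the internal error text are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical contract for a GET /api/items endpoint: the only parameter names it accepts and their types.
ALLOWED_PARAMS = {"id": int, "page": int}
# Headers that address ZAP's "missing security headers" alerts on every response.
SECURITY_HEADERS = {"X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
                    "Content-Security-Policy": "default-src 'self'", "Cache-Control": "no-store"}


@dataclass(frozen=True)
class ItemQuery:
    """DTO: only the fields the endpoint needs, instead of passing the raw request through."""
    id: int
    page: int = 1


class BadRequest(ValueError):
    pass


def to_dto(raw_params):
    """Parameter whitelisting: unknown names and wrong types are rejected, not silently ignored."""
    unknown = set(raw_params) - set(ALLOWED_PARAMS)
    if unknown:
        raise BadRequest("unexpected parameter(s): " + ", ".join(sorted(unknown)))
    if "id" not in raw_params:
        raise BadRequest("missing required parameter: id")
    cleaned = {}
    for name, value in raw_params.items():
        try:
            cleaned[name] = ALLOWED_PARAMS[name](value)
        except (TypeError, ValueError):
            raise BadRequest(f"parameter {name} must be {ALLOWED_PARAMS[name].__name__}") from None
    return ItemQuery(**cleaned)


def lookup_item(query):
    """Stand-in data layer; the RuntimeError text is a constructed example of detail that must not leak."""
    if query.id == 42:
        return {"id": 42, "name": "widget", "page": query.page}
    if query.id == 0:
        raise RuntimeError("db connection refused at 10.0.0.5:5432")  # constructed internal detail
    raise LookupError(query.id)


def handle_get_item(raw_params):
    """Return (status, headers, body). Every path returns a plain dict body plus the security headers;
    exception handling maps errors to generic messages so no stack trace or internal detail is exposed."""
    try:
        status, body = 200, lookup_item(to_dto(raw_params))
    except BadRequest as exc:
        status, body = 400, {"error": str(exc)}
    except LookupError:
        status, body = 404, {"error": "not found"}
    except Exception:
        status, body = 500, {"error": "internal error"}  # log the real exception server-side instead
    return status, dict(SECURITY_HEADERS), body
```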