Testing a Website With OWASP ZAP

The Google code website link: https://code.google.com/p/zaproxy/

Here is an interesting bit of info (from the link above):

ZAP came second in the Top Security Tools of 2014 as voted by ToolsWatch.org readers

[Screenshot: OWASP ZAP]

Here is a screenshot with my test on my own website – www.fixvirus.com

I clicked on the Response tab after OWASP ZAP tried to execute a variety of illegal attempts on my website.

If you have a website and need this done, all you need is a copy of Kali Linux and permission to “attack” the site.

As you can see, OWASP ZAP runs a variety of GET requests with some attempts at SQL injection and more logic testing. It has been shown that when you enter “1=1” in a form, the responding system may come back with more data than it was supposed to… why would it do that? Well, for some reason the person developing the website code did not do enough security testing.
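To show why a stray “1=1” in a form field can return more rows than intended, here is an added example (not from the original post or the ZAP project): it builds a constructed in-memory SQLite table and compares a lookup that pastes the form value into the SQL text with the parameterised version a developer should have written. The table, its rows and the function names are my own assumptions.

```python
import sqlite3

# Constructed sample data standing in for the site's real user table.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The mistake: the form value is concatenated into the SQL string.

    A value containing a quote followed by OR 1=1 turns the WHERE clause
    into a tautology, so every row is returned instead of the one asked for.
    This is the behaviour a scanner such as ZAP flags as SQL injection.
    """
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a parameterised query.

    The form value is bound as data and never parsed as SQL, so "1=1" is
    just a string that matches no user and the query returns nothing.
    """
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR 1=1 --"  # the kind of form input a scanner sends
    print("vulnerable:", len(lookup_vulnerable(db, probe)), "rows")  # 3 rows
    print("safe:      ", len(lookup_safe(db, probe)), "rows")        # 0 rows
```

The row-count difference for the same input is exactly the “more data than it was supposed to” symptom the post describes, and comparing counts that way is a cheap check to add to your own tests before a scanner finds it for you.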

This is why we always recommend having a separate entity test your website, especially if it runs some kind of dynamic code, accesses a database, uses scripting (JavaScript), or other .NET technologies.

This is a basic thing in cybersecurity, but we want to review it with everyone.

Running a basic OWASP ZAP scan is just the beginning… After a security professional starts with that initial test, further tests may be warranted depending on the responses.
