You're reading from Zed Attack Proxy Cookbook Hacking tactics, techniques, and procedures for testing web applications and APIs

Product type Paperback

Published in Mar 2023

Publisher Packt

ISBN-13 9781801817332

Length 284 pages

Edition 1st Edition

Languages

Perl

Concepts

Penetration Testing

Authors (3):

Nestor Torres

Ahmed Almoailu

Ryan Soper

View More author details

Table of Contents (14) Chapters

Preface

1. Chapter 1: Getting Started with OWASP Zed Attack Proxy

2. Chapter 2: Navigating the UI FREE CHAPTER

3. Chapter 3: Configuring, Crawling, Scanning, and Reporting

4. Chapter 4: Authentication and Authorization Testing

5. Chapter 5: Testing of Session Management

6. Chapter 6: Validating (Data) Inputs – Part 1

7. Chapter 7: Validating (Data) Inputs – Part 2

8. Chapter 8: Business Logic Testing

9. Chapter 9: Client-Side Testing

10. Chapter 10: Advanced Attack Techniques

11. Chapter 11: Advanced Adventures with ZAP

12. Index

Why subscribe?

13. Other Books You May Enjoy

The tree window

In this recipe, we are going to go over the ZAP Proxy tree window and what each section of the tree window does.

Getting ready

For you to be able to go over this recipe, you will need to have ZAP installed on your computer. It should also be started and running.

How to do it…

In the Sites tree window, ZAP displays the sites that you have accessed and can be tested. ZAP can only attack the sites that are displayed. The sites tree window consists of two tabs: the Sites tab and the Scripts tab (shown once the + sign is selected):

Figure 2.8 – Sites tree

The Sites tab

The Sites tab is where the sites being tested will be displayed. It contains two trees: the Contexts tree and the Sites tree.

The Sites tree is where the tested sites will be listed. ZAP can only attack the sites that are in the sites tree. A unique node will be displayed for sites based on the HTTP request method and the parameter name being used.

In the Contexts tree, you can group URLs together. The best practice is to have a context for each application being tested:

Figure 2.9 – Sites tree

There are also four options that can be used:

Red target: Displays only the sites that are in scope
Window with green plus sign: Creates a new context
Window with white arrow on the left: Imports context
Window with white arrow on the right: Exports context

The Scripts tab

Once you click on the + icon (Figure 2.10), a new menu pops open allowing you to select the Scripts tab.

Figure 2.10 – The plus icon

The Scripts tab opens a tree menu with two other optional tabs. The first tab is the Scripts tab, which shows you the scripts that you already have in ZAP, organized by the type of script. The second tab is the Templates tab tree, which contains the templates that can be used to create scripts.

Figure 2.11 – The Scripts tab

In addition to the Scripts and Templates tabs, there are three options in the Scripts tree tab:

File folder: Used to load scripts from the local file storage
Floppy disc: Used to save a script to the local file storage
Scroll with +: Used to create a new script

Another prominent feature of ZAP is the Workspace window. In the next recipe, we’ll look deeper into these options.

How it works…

The entire purpose of the tree window is to help testers know what web applications have been captured, in scope or out of scope, and to quickly view the varying paths discovered during enumeration phases or fuzzing directories. It’s important here to start setting your Sites into Contexts for work later so testing is specific to your scope, as well as cutting back on some of the noise that is generated with websites connecting to other resources.