Testing tools
We have already seen a list of various tools earlier in this chapter that we can use for performing web application security testing. In this section, we'll have a brief introduction to two such tools.
OWASP ZAP
OWASP ZAP (Zed Attack Proxy) is a multi-functional tool that covers most of the application security testing workflow: it sits between the browser and the application as an intercepting proxy, can spider and actively scan an application automatically, and is equally effective for manual testing and fuzzing. Because an active scan sends real attack payloads to the target, it should only be run against applications you are authorised to test. OWASP ZAP can be downloaded from https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project.
The following image shows the initial OWASP ZAP console. The left pane displays the site hierarchy, the right pane displays individual requests and responses, and the bottom pane displays active scans:
We can either first crawl (spider) the application or directly enter the URL to attack, as shown in the following image. The active scan's progress is shown in the bottom pane and, once it has completed, we can simply click the Report menu and select Generate HTML Report.
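The same spider, active scan and HTML report sequence can be driven without the GUI through ZAP's API, which is how it is usually run in a pipeline. The following is an added example, not code from the book or from the ZAP project: it assumes ZAP is already running with its API enabled on http://127.0.0.1:8080, that an API key has been configured, and that the `python-owasp-zap-v2.4` client (module `zapv2`) is installed; the target URL, the API key value and the alert list in `SAMPLE_ALERTS` are constructed placeholders. It also adds the check a practitioner wants after the report is written: count the alerts per risk level and fail the run when anything at or above a chosen risk is present.

```python
"""Automate ZAP's spider -> active scan -> HTML report procedure and gate
on the alerts it finds.

Assumptions (not from the original page): ZAP is running with its API on
http://127.0.0.1:8080 and the 'zapv2' client module is installed. Only point
this at targets you are authorised to attack: an active scan sends real
payloads.
"""
import time
from collections import Counter

# ZAP risk labels as returned by the API, ordered least to most severe.
RISK_ORDER = ["Informational", "Low", "Medium", "High"]


def wait_for_completion(status_fn, poll_seconds=2.0, sleep=time.sleep):
    """Poll a ZAP status function (returns a percentage string such as '37')
    until it reports 100. Returns the number of polls made."""
    polls = 0
    while True:
        polls += 1
        if int(status_fn()) >= 100:
            return polls
        sleep(poll_seconds)


def summarize_alerts(alerts):
    """Count alerts per risk level. 'alerts' is the list of dicts returned by
    zap.core.alerts(); each carries at least 'risk', 'alert' and 'url'."""
    counts = Counter(a["risk"] for a in alerts)
    return {risk: counts.get(risk, 0) for risk in RISK_ORDER}


def alerts_at_or_above(alerts, threshold):
    """Return the alerts whose risk is at or above 'threshold' (e.g. 'High')."""
    floor = RISK_ORDER.index(threshold)
    return [a for a in alerts if RISK_ORDER.index(a["risk"]) >= floor]


def run_scan(target, apikey, proxy="http://127.0.0.1:8080",
             report_path="zap-report.html"):
    """Spider the target, run an active scan, write the HTML report and return
    the alert list: the API equivalent of the GUI steps described above."""
    from zapv2 import ZAPv2  # imported here so the offline helpers work without it

    zap = ZAPv2(apikey=apikey, proxies={"http": proxy, "https": proxy})
    zap.urlopen(target)                 # seed the site tree, as browsing via the proxy would
    spider_id = zap.spider.scan(target)
    wait_for_completion(lambda: zap.spider.status(spider_id))
    scan_id = zap.ascan.scan(target)
    wait_for_completion(lambda: zap.ascan.status(scan_id))
    with open(report_path, "w", encoding="utf-8") as fh:
        fh.write(zap.core.htmlreport())  # same output as Report > Generate HTML Report
    return zap.core.alerts(baseurl=target)


# Constructed sample in the shape zap.core.alerts() returns, for offline use.
SAMPLE_ALERTS = [
    {"risk": "High", "alert": "SQL Injection",
     "url": "http://target.example/login", "param": "user"},
    {"risk": "Medium", "alert": "X-Frame-Options Header Not Set",
     "url": "http://target.example/", "param": ""},
    {"risk": "Low", "alert": "Cookie Without Secure Flag",
     "url": "http://target.example/", "param": "session"},
    {"risk": "Informational", "alert": "Information Disclosure - Suspicious Comments",
     "url": "http://target.example/app.js", "param": ""},
]


if __name__ == "__main__":
    import sys
    # Against a live ZAP instance (placeholder target and key):
    #   alerts = run_scan("http://target.example", apikey="changeme")
    alerts = SAMPLE_ALERTS
    print(summarize_alerts(alerts))
    blocking = alerts_at_or_above(alerts, "High")
    for a in blocking:
        print(f"{a['risk']}: {a['alert']} at {a['url']} (param {a['param']!r})")
    sys.exit(1 if blocking else 0)
```

The polling helper takes the status function and the sleep function as parameters so the spider and active-scan waits share one loop and the loop can be exercised without a running ZAP; the non-zero exit code is what lets a CI job fail on High-risk findings rather than only producing the report.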