Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Zed Attack Proxy Cookbook

You're reading from   Zed Attack Proxy Cookbook Hacking tactics, techniques, and procedures for testing web applications and APIs

Arrow left icon
Product type Paperback
Published in Mar 2023
Publisher Packt
ISBN-13 9781801817332
Length 284 pages
Edition 1st Edition
Languages
Arrow right icon
Authors (3):
Arrow left icon
Nestor Torres Nestor Torres
Author Profile Icon Nestor Torres
Nestor Torres
Ahmed Almoailu Ahmed Almoailu
Author Profile Icon Ahmed Almoailu
Ahmed Almoailu
Ryan Soper Ryan Soper
Author Profile Icon Ryan Soper
Ryan Soper
Arrow right icon
View More author details
Toc

Table of Contents (14) Chapters Close

Preface 1. Chapter 1: Getting Started with OWASP Zed Attack Proxy 2. Chapter 2: Navigating the UI FREE CHAPTER 3. Chapter 3: Configuring, Crawling, Scanning, and Reporting 4. Chapter 4: Authentication and Authorization Testing 5. Chapter 5: Testing of Session Management 6. Chapter 6: Validating (Data) Inputs – Part 1 7. Chapter 7: Validating (Data) Inputs – Part 2 8. Chapter 8: Business Logic Testing 9. Chapter 9: Client-Side Testing 10. Chapter 10: Advanced Attack Techniques 11. Chapter 11: Advanced Adventures with ZAP 12. Index 13. Other Books You May Enjoy

What this book covers

Chapter 1, Getting Started with OWASP Zed Attack Proxy, introduces you to ZAP, its maintenance within the OWASP organization, its purpose in penetration testing, and how to install and configure it on various platforms, set up a basic lab environment, and use it for testing.

Chapter 2, Navigating the UI, explains how to locate and use various windows, tools, and features in ZAP for penetration testing, such as setting a target, manually exploring an application, modifying responses, and testing specific parameters with payloads.

Chapter 3, Configuring, Crawling, Scanning, and Reporting, teaches you how to configure and use the crawling, scanning, and reporting features of ZAP, understand how these sections work, set up project settings to assess an application, and customize the user options for a personalized experience.

Chapter 4, Authentication and Authorization Testing, shows you how to test and bypass authentication and authorization mechanisms, including intercepting and using default credentials, bypassing authentication, testing for default credentials, exploiting directory traversal attacks, escalating privileges, and testing for insecure direct object references.

Chapter 5, Testing of Session Management, teaches you how to manipulate the mechanism that controls and maintains the state for a user interacting with an application, covering topics such as testing cookie attributes, cross-site request forgery, exploiting logout functionality, and session hijacking.

Chapter 6, Validating (Data) Inputs – Part 1, explores the most common types of web application security weaknesses, such as cross-site scripting, HTTP verb tampering, HTTP parameter pollution, and SQL injection, and how to exploit them using ZAP.

Chapter 7, Validating (Data) Inputs – Part 2, discusses the advanced types of web application injection attacks, such as code injection, command injection, server-side template injection, and server-side request forgery, and how to exploit them using ZAP.

Chapter 8, Business Logic Testing, delves into unconventional methods for testing business logic flaws in a multifunctional dynamic web application, including forging requests, testing process timing, testing functionality limits, the circumvention of workflows, and uploading unexpected file types with malicious payloads.

Chapter 9, Client-Side Testing, covers client-side testing and the attack scenarios that come up against it, such as DOM cross-site scripting, JavaScript execution, HTML injection, URL redirect attacks, cross-origin resource sharing vulnerabilities, and the exploitation of web sockets.

Chapter 10, Advanced Attack Techniques, explores several additional advanced attacks, such as performing XXE, the exploitation of Java Web Tokens (JWT), Java deserialization, and web-cache poisoning.

Chapter 11, Advanced Adventures with ZAP, teaches you about other features and functionalities that ZAP has, such as running dynamic scans via the local API, running ZAP as a dynamic scan in a CI pipeline, and integrating and using the built-in OWASP application security out-of-band server for testing.

lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime