Using OWASP ZAP to scan for vulnerabilities
OWASP ZAP is a tool that we have already used in this book for various tasks, and among its many features, it includes an automated vulnerability scanner. Its use and report generation will be covered in this recipe.
Getting ready
Before we perform a successful vulnerability scan in OWASP ZAP, we need to crawl the site:
Open OWASP ZAP and configure the Web browser to use it as proxy.
Navigate to
192.168.56.102/peruggia/.Follow the instructions from Using ZAP's spider from Chapter 3, Crawlers and Spiders.
How to do it...
Go to OWASP ZAP's Sites panel and right-click on the
peruggiafolder.From the menu, navigate to Attack | Active Scan.
A new window will pop up. At this point, we know what technology our application and server uses; so, go to the Technology tab and check only MySQL, PostgreSQL, Linux, and Apache:
Here we can configure our scan in terms of Scope (where to start the scan, on what context, and so on), Input Vectors (select if you want to test...
