Header AD

how to Scan website for vulnerabilities in Kali Linux 2.0 using Owasp-zap

how to Scan website for vulnerabilities in Kali Linux 2.0 using Owasp-zap

how to Scan website for vulnerabilities in Kali Linux 2.0 using Owasp-zap
how to Scan website for vulnerabilities in Kali Linux 2.0 using Owasp-zap

What is owasp-zap

OWASP-ZAP is a Graphical user interface tool for finding vulnerabilities in web applications.It is completely free and open source.ZAP is easy to use the tool because of it's GUI, it is used by beginners as well as professionals. When used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including traffic using https.
It is a highly efficient tool not only for pen-testers also for web developers.It finds all possible vulnerabilities in your web applications. Like SQL Injection and XSS vulnerability etc.
It can be used to create automated security tests.it has a wide variety of tools.
  • Free and open source.There is no pro version
  • Intercepting proxy.Zap configure your browser to proxy through zap in that way zap sees all the requests and responses.
  • Easy to use.
  • Active and scanner.
  • A spider crawls the pages that are hidden to you.
  • Zap can brute force directories.
Now let's do some real work so open your terminal and type:
root@seven:~# owasp-zap 

Also Check: Beginners Ethical Hacking Course

Scan Website-OWASP-ZAP

Enter URL and click on the attack.Wait for few minutes until scan finishes.
enter url and click attack
You can check for sent requests and responses in the tabs.
check requests
When your Scan is finished go to the alert tab.All the vulnerabilities will be listed under the alert tab.
all vulnerabilities
As you can see from the scan we have found some dangerous vulnerabilities especially SQL injection and XSS.
Now click on first vulnerability cross-site scripting(reflected). If you don't know about XSS vulnerability then check here to understand and exploit the XSS vulnerability. On the left side, there are various other details: risk high means that chances are high to exploit web site with XSS attack. the website can be attacked with XSS.
Now move to the next vulnerability SQL injection.It is a most common vulnerability.It is really dangerous hackers can crash and steal sensitive information like usernames, passwords, email, addresses etc..
sql injection
On the left side, you can see that URL with id.Now you can hack website SQL with Injection vulnerability with SQLMAP. Take the URL and from the right side as shown in the Above picture exploit with SQLMAP.
So if you are a web developer go ahead and correct your code.
X-frame-options header not set: With this vulnerability attackers can perform clickjacking. In order to avoid this, You must add X-Frame-Options HTTP Response header to your page that you want to protect.

Generate reports

Owasp-zip allows us to save the results into various formats like HTML, XAML etc.
save into a file
This is how you can scan websites for vulnerabilities with was-zap.This is just a place to get you started with OWASP-ZAP.Will be making more tutorials on Owasp-zap in future.

So above are the . Hope you like this article, keep on sharing with others too. Also, share your experience with us in a comment box below.

No comments