1 - Passive Scan & Basic Reporting - Automated Security Testing using Java, zap-ClientApi - OWASP ZAP

Video description

-------------------------------------------------------------------

For notes and the source code of the demo, please refer to: https://github.com/atulsharmacsk/OWAS...

For the entire series, please refer to the playlist:
   • OWASP ZAP- Security Testing and its A...

Topics covered in this video:
- Overview of OWASP ZAP.
- Setup of the proxy and the project.
- Performing a passive scan on an application and dynamically waiting until the scan is completed (polling ZAP rather than sleeping for a fixed time).
- Creating a scan report.

--------------------------------------------------------------------------------------------------------------------------------------
OWASP Zed Attack Proxy (ZAP) is a free security tool that sits as an intercepting proxy between the browser and the web application under test, finds security issues in the traffic it sees, and reports them to the end user.

ZAP by default passively scans all HTTP messages (requests and responses) exchanged with the web application being tested. Passive scanning only inspects messages; it does not modify them or send any extra requests, so it is safe to run against anything you are allowed to browse. Active scanning attempts to find potential issues by sending known attack payloads to the selected targets. Active scanning is an attack on those targets.

Penetration testing must never be performed without permission from the owner of the web application.
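The passive-scan flow described in the topics list above (route a request through ZAP, wait until the passive-scan queue drains, then pull a report) as an added Java example built on the zap-clientapi library. This is not code from the video or its repository; the ZAP host, port, API key, target URL, report filename and the 60-second timeout are placeholder assumptions, and the target is assumed to be a locally hosted application you are authorised to test.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

/**
 * Passive scan plus HTML report through the ZAP API (Maven artifact
 * org.zaproxy:zap-clientapi). Assumes a ZAP daemon listening on
 * 127.0.0.1:8080 with API key "changeme" and a locally hosted target
 * at http://localhost:3000. All of these values are placeholders.
 */
public class PassiveScanDemo {

    private static final String ZAP_HOST = "127.0.0.1";            // assumed
    private static final int ZAP_PORT = 8080;                       // assumed: ZAP's default port
    private static final String ZAP_API_KEY = "changeme";           // assumed; must match ZAP's key
    private static final String TARGET = "http://localhost:3000";   // assumed local test app

    public static void main(String[] args) throws Exception {
        ClientApi zap = new ClientApi(ZAP_HOST, ZAP_PORT, ZAP_API_KEY);

        // Passive scanning is on by default, but a previous session may have
        // turned it off or disabled individual rules; make the state explicit.
        zap.pscan.setEnabled("true");
        zap.pscan.enableAllScanners();

        // Fetch the target through ZAP. Every request/response pair ZAP sees
        // is queued for passive scanning; nothing is sent to the target that a
        // normal browser would not send.
        zap.core.accessUrl(TARGET, "true");

        waitForPassiveScan(zap, 60_000);

        // Ask core for the HTML report and write it to disk.
        byte[] html = zap.core.htmlreport();
        Path out = Paths.get("zap-passive-report.html"); // assumed filename
        Files.write(out, html);
        System.out.println("Report written to " + out.toAbsolutePath());

        // Alert count for the target, useful to fail a CI job on findings.
        ApiResponse alerts = zap.core.numberOfAlerts(TARGET);
        System.out.println("Alerts for " + TARGET + ": "
                + ((ApiResponseElement) alerts).getValue());
    }

    /**
     * Poll pscan/recordsToScan until the queue is empty. A fixed sleep is the
     * usual mistake: the queue length depends on how much traffic went through
     * the proxy, so poll, and give up after a timeout instead of hanging the build.
     */
    static void waitForPassiveScan(ClientApi zap, long timeoutMillis)
            throws ClientApiException, InterruptedException {
        long deadline = System.currentTimeMillis() + timeoutMillis;
        while (true) {
            ApiResponse resp = zap.pscan.recordsToScan();
            int remaining = Integer.parseInt(((ApiResponseElement) resp).getValue());
            if (remaining == 0) {
                return;
            }
            if (System.currentTimeMillis() > deadline) {
                throw new IllegalStateException("Passive scan still has " + remaining
                        + " records after " + timeoutMillis + " ms");
            }
            System.out.println("Passive scan: " + remaining + " records left");
            Thread.sleep(1_000);
        }
    }
}
```

Run ZAP in daemon mode with the API key configured before executing this class; if the API key does not match, every call fails with a ClientApiException rather than silently returning an empty report, so check the exception before trusting a "clean" result.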

Tools used:- IntelliJ, Java, Maven, TestNG

--------------------------------------------------------------------------------------------------------------------------------------

Glimpse of upcoming topics in this series:

- Overview of the reporting capabilities.
- Site tree: adding a URL, verifying the added URLs, removing URLs from the site tree.
- Running an active scan and waiting until the scan is completed.
- Running both passive and active scans and creating separate reports for each.
- Setting up Postman for the ZAP client API endpoints.
- Using REST Assured as another approach for interacting with the ZAP client API.
