What is security testing?
Security testing is a non functional testing process used to determine that the data contained in an information system is secure and protected. Security testing also verifies that only authorized users can login to the system and there is no information leakage. We use a wide range of software, hardware and firewalls like metaspoilt, wireshark, w3af, netsparker, ZED attack proxy (ZAP) etc.
Why do we need security testing?
Principles of Security Testing
Common security threats and techniques
For example: If a user gets a database error on submitting single quotes, it means that some query input is executed by the application. Ideally it should be validated and rejected by the application.
ZAP Penetration Testing
ZAP (Zed attack proxy) is an open source penetration testing tool maintained by the Open Web Application Security Project (OWASP) to know the vulnerabilities in web applications. It stands between the tester’s browser and the web application so that it can intercept and inspect messages sent between browser and web application, modify the contents if needed, and then forward those packets on to the destination.
Using ZAP, we can perform three types of automated scanning;
How to download and run OWASP ZAP?
Before setting up proxy in ZAP, don’t forget to clear all active sessions in Firefox browser. After clearing all sessions, go to ZAP tool >> Tools Menu >> Options >> Local Proxy. Change address to 127.0.0.1 and port as 8080.
Run a Quick Start Test
To run a Quick Start test, Access the Quick Start tab of the Workspace Window and enter the URL in the attack text box. Then click the attack button. ZAP will proceed to crawl the web application with its spider, then passively scan each page it finds. The spider looks through all the responses for the vulnerabilities. Then ZAP will use the active scanner to attack all of the discovered pages, functionality, and parameters.
The security issues found by the ZAP are listed under the alerts tab.
We can see details of each attack and its response by selecting them. More details can be viewed by double clicking on the vulnerability.
Report Generation:
We can generate different types of reports from ZAP tools >> Reports. The most common types of reports generated are HTML report, XML report and Markdown report.
Finally, it should be clearly noted that the scanner detected vulnerabilities and its hazard levels may not correspond with the reality.
REFERENCES:
Du musst angemeldet sein, um einen Kommentar abzugeben.