From the course: Kali Linux Essential Training

Zapping a website

- [Instructor] The Open Web Application Security Project, OWASP, provides a website vulnerability scanning tool called Zed Attack Proxy, or ZAP, which we can use to run vulnerability scans. While ZAP is in the Kali repository, it isn't preloaded. Let's load it: sudo apt install zaproxy. Okay, we're now loaded and ready to go, and ZAP has been added to our menus. Let's start it and see how we do a web scan looking for vulnerabilities. We can start ZAP from the Applications menu, under Web Application Analysis, and we see the ZAP icon is now there. ZAP's completed its base installation. We'll select "No, I don't want to persist this session," and we're at the main menu.

Running a scan is simple with ZAP. We can click on the Automated Scan box in the right-hand panel and enter our URL to be tested. In this case, we'll enter 10.0.2.32, and we'll start the scan by clicking Attack. Let's click on the Sites icon on the left, and we'll expand 10.0.2.32. We can see the pages being scanned. ZAP is spidering the site in preparation for doing its main scan. This also does some basic checks as it goes. If we click on Alerts, we can see there are a lot of alerts being raised. We can open an alert category, and we can click on the page. We can see the alert details in the right-hand pane and the associated request and response packets at the right.

ZAP will take a while to complete, as it has to do a full spidering of the website and then run an active scan on the pages it's found to look for additional vulnerabilities. ZAP is still running, and we can see that we've now started the vulnerability scan proper. As we watch the alert findings at the bottom left, we can see more being identified as the active scan proceeds. ZAP takes a while to complete, so we'll leave it here.
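The same install-spider-active-scan sequence can be run without the GUI, which is what you want when the scan is part of a script or a CI job. The script below is an added example and is not part of the course; it assumes ZAP's documented command-line options (`-cmd`, `-quickurl`, `-quickout`, `-quickprogress`) and the `zaproxy` wrapper that the Kali package installs, and the target 10.0.2.32, the report file names and the embedded sample report are constructed for illustration. As in the video, only point it at a host you are authorized to test: the active scan sends attack payloads to every page the spider finds.

```shell
#!/usr/bin/env bash
# Headless version of the scan shown in the video (added example, not course code):
# install ZAP from the Kali repo if missing, spider + actively scan a target with
# ZAP's quick-scan command-line mode, then summarise the XML report by risk.
set -eu

# Install ZAP from the Kali repository if the wrapper is not already on PATH.
ensure_zap() {
    if ! command -v zaproxy >/dev/null 2>&1; then
        sudo apt install -y zaproxy
    fi
}

# ZAP's CLI needs a full URL; the video types a bare address (10.0.2.32) into the GUI.
# Prepend http:// when no scheme is given so the same value works here.
normalize_url() {
    case "$1" in
        http://*|https://*) printf '%s\n' "$1" ;;
        *) printf 'http://%s\n' "$1" ;;
    esac
}

# Build the command line: -cmd runs ZAP without the GUI (nothing is persisted),
# -quickurl spiders and then actively scans the URL, -quickout writes the report
# in the format implied by the extension (.html, .xml, .json, .md), and
# -quickprogress prints scan progress to the terminal.
zap_quick_cmd() {
    printf 'zaproxy -cmd -quickurl %s -quickout %s -quickprogress\n' \
        "$(normalize_url "$1")" "$2"
}

# Summarise a ZAP XML report read on stdin: count alert items per riskcode
# (0 = informational, 1 = low, 2 = medium, 3 = high). Prints "riskcode count".
count_by_risk() {
    grep -o '<riskcode>[0-3]</riskcode>' | sed 's/[^0-9]//g' \
        | sort | uniq -c | awk '{print $2, $1}'
}

# Constructed fragment in the shape of ZAP's XML report, for offline demonstration
# of count_by_risk (assumption: real reports carry one <riskcode> per <alertitem>).
SAMPLE_REPORT='<alertitem><riskcode>3</riskcode></alertitem>
<alertitem><riskcode>1</riskcode></alertitem>
<alertitem><riskcode>3</riskcode></alertitem>'

main() {
    target="$1"
    report="${2:-zap-report.xml}"
    ensure_zap
    cmd="$(zap_quick_cmd "$target" "$report")"
    echo "Running: $cmd"
    eval "$cmd"      # spider + active scan; this takes a while on a real site
    echo "Alerts by riskcode (0=info 1=low 2=medium 3=high):"
    count_by_risk < "$report"
}

# Only run the scan when a target is given, e.g.:  ./zapscan.sh 10.0.2.32 report.xml
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

Writing the report as .xml (or .json) rather than .html is what makes the result scriptable; `count_by_risk` is the minimal triage step, and a gate such as "fail the build on any riskcode 3" is one line on top of it.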
