How to do it...

Once you have browsed through the application or run ZAP's spider against it, let's start the scan:

  1. Go to OWASP ZAP's Sites panel and right-click on the peruggia folder.
  2. From the menu, navigate to Attack | Active Scan, as shown in the following screenshot:

  3. A new window will pop up. At this point, we know what technologies our application and server use; so, go to the Technology tab and check only MySQL, PHP, Linux, and Apache:

Here, we can configure our scan in terms of Scope (where to start the scan, on what context, and so on), Input Vectors (select if you want to test values in GET and POST requests, headers, cookies, and other options), Custom Vectors (add specific characters or words from the original request as attack vectors), Technology (what technology-specific tests to perform), and Policy (select configuration parameters for specific tests).

  4. Click on Start Scan.
  5. The Active Scan tab will appear on the bottom panel and all the requests made during the scan will appear there.
  6. When the scan is finished, we can check the results in the Alerts tab, as the following screenshot shows:

If we select an alert, we can see the request made and the response obtained from the server. This allows us to analyze the attack and define whether it is a true vulnerability or a false positive. We can also use this information to fuzz, repeat the request in the browser, or to dig deeper into exploitation.
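To make the triage step concrete, here is an added Python example (not from the book or from ZAP itself) that orders a set of alerts the way an analyst would work through the Alerts tab and flags the ones that most need manual confirmation. The alert records are constructed and only modelled on the fields ZAP shows for an alert (alert, risk, confidence, url, param, attack, evidence); the host `target.example` is a placeholder.

```python
from collections import Counter

# Rank labels so alerts can be sorted; ZAP's own risk/confidence labels are used as keys.
RISK_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}
CONFIDENCE_RANK = {"High": 3, "Medium": 2, "Low": 1, "False Positive": 0}

# Constructed sample alerts (invented values) using the field names ZAP shows per alert.
SAMPLE_ALERTS = [
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://target.example/peruggia/index.php", "param": "pic_id",
     "attack": "1 AND 1=1", "evidence": "You have an error in your SQL syntax"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Low",
     "url": "http://target.example/peruggia/comment.php", "param": "comment",
     "attack": "<constructed test string>", "evidence": ""},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "confidence": "Medium",
     "url": "http://target.example/peruggia/", "param": "", "attack": "", "evidence": ""},
    {"alert": "Cookie Without HttpOnly Flag", "risk": "Low", "confidence": "Medium",
     "url": "http://target.example/peruggia/", "param": "PHPSESSID",
     "attack": "", "evidence": "Set-Cookie: PHPSESSID"},
]


def sort_for_review(alerts):
    """Highest risk first, then highest confidence, so the most likely real findings are opened first."""
    return sorted(
        alerts,
        key=lambda a: (RISK_RANK[a["risk"]], CONFIDENCE_RANK[a["confidence"]]),
        reverse=True,
    )


def likely_false_positive(alert):
    """Flag alerts that need manual confirmation: low confidence and no evidence in the response."""
    return CONFIDENCE_RANK[alert["confidence"]] <= 1 and not alert["evidence"]


def summarize(alerts):
    """Count alerts per risk level, the same grouping the Alerts tab uses."""
    return dict(Counter(a["risk"] for a in alerts))


if __name__ == "__main__":
    print(summarize(SAMPLE_ALERTS))
    for a in sort_for_review(SAMPLE_ALERTS):
        flag = " (confirm manually)" if likely_false_positive(a) else ""
        print(f'[{a["risk"]}/{a["confidence"]}] {a["alert"]} at {a["url"]} param={a["param"]!r}{flag}')
```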

  7. To generate an HTML report, as with the previous tools, go to Report in the main menu and then select Generate HTML Report.
  8. A new dialog will ask for the filename and location. Set, for example, zapresult.html and, when finished, open the file:
