OWASP ZAP (Zed Attack Proxy) is a very versatile tool for web security testing. It has an intercepting proxy, passive and active vulnerability scanners, a fuzzer, a spider, a manual HTTP request sender, and other useful features. In this recipe, we will use the recently added Forced Browse feature, which is the implementation of DirBuster inside ZAP.
For this recipe to work, we need to use ZAP as a proxy for our web browser. In the browser's connection settings, set 127.0.0.1 as the HTTP proxy and 8080 as the port (the address and port ZAP listens on by default). Check the option to use the same proxy for all protocols and then click on OK.

To run the forced browse:

1. In ZAP, select /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt as the wordlist to use for Forced Browse and click on Open.
2. In the browser, go to http://192.168.56.102/WackoPicko so that the site and its folders appear in ZAP's Sites tree.
3. In ZAP, right-click on the WackoPicko folder inside the http://192.168.56.102 site. Then in the context menu navigate to Attack | Forced Browse directory.

When we configure our browser to use ZAP as a proxy, it doesn't send requests directly to the server that hosts the pages we want to see, but to the address we defined, in this case the one where ZAP is listening. ZAP then forwards the request to the server, but not without recording and analyzing the information we sent.
ZAP's Forced Browse works the same way DirBuster does: it takes the dictionary we configured and sends one request per entry to the server, as if it were trying to browse to that file or directory. If the resource exists, the server responds with a success code; if it doesn't exist, or isn't accessible to our current user, the server returns an error, typically 404 Not Found for a missing path and 403 Forbidden for one that exists but that we are not allowed to read. The 403 responses are worth keeping separate from the 404s, because they still confirm that the path is there.
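The loop described above, as an added example that is not ZAP's or DirBuster's own code: it requests base_url/<word> for every wordlist entry, buckets the answers into found, forbidden and missing, and can route the requests through ZAP at 127.0.0.1:8080 so they appear in ZAP's history. The FAKE_SITE table standing in for the WackoPicko host, the hypothetical paths it lists and the sample wordlist are all constructed for the example; the "soft 404" baseline request (a random path fetched first, so a server that answers 200 for everything does not turn every word into a hit) is an addition a practitioner would want and is not something the recipe mentions.

```python
"""Minimal forced-browse (DirBuster-style) scanner. Added example, not ZAP's code."""
import random
import string
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Status codes that mean "something is there". 401/403 are kept separate:
# the path exists but our current user is not allowed to see it.
EXISTS = {200, 204, 301, 302, 307, 308}
FORBIDDEN = {401, 403}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 30x as-is (it tells us the directory exists) instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def make_fetcher(proxy: str = "http://127.0.0.1:8080", timeout: float = 5.0) -> Callable[[str], int]:
    """Return a function that GETs a URL and returns the HTTP status code.

    With the default proxy every request goes through ZAP, exactly like the
    browser in the recipe. Pass proxy="" to talk to the server directly.
    """
    handlers = [_NoRedirect()]
    if proxy:
        handlers.append(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    opener = urllib.request.build_opener(*handlers)

    def fetch(url: str) -> int:
        req = urllib.request.Request(url, headers={"User-Agent": "forced-browse-example"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as e:
            return e.code  # 301, 403, 404, 500... are still answers we want

    return fetch


def read_wordlist(path: str) -> List[str]:
    """Read a DirBuster list, dropping blank lines and '#' comment lines."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]


def _random_path(n: int = 16) -> str:
    return "".join(random.choices(string.ascii_lowercase, k=n))


def forced_browse(base_url: str, words: List[str], fetch: Callable[[str], int]) -> Dict[str, List[str]]:
    """Request base_url/<word> for every word and bucket the URLs by outcome.

    A random path is requested first; whatever status it gets is treated as
    "missing" for the real run, which neutralises servers that answer 200
    (or another fixed code) for paths that do not exist.
    """
    base = base_url.rstrip("/")
    soft404 = fetch(f"{base}/{_random_path()}")
    result: Dict[str, List[str]] = {"found": [], "forbidden": [], "missing": [], "other": []}
    for word in words:
        word = word.strip()
        if not word or word.startswith("#"):
            continue
        url = f"{base}/{word}"
        status = fetch(url)
        if status == soft404 or status == 404:
            result["missing"].append(url)
        elif status in EXISTS:
            result["found"].append(url)
        elif status in FORBIDDEN:
            result["forbidden"].append(url)
        else:
            result["other"].append(url)
    return result


# Constructed stand-in for the WackoPicko host so the example runs offline:
# path -> status code. Anything not listed answers 404 like a normal server.
FAKE_SITE = {
    "/WackoPicko/admin": 301,       # directory requested without trailing slash
    "/WackoPicko/admin/": 200,
    "/WackoPicko/images": 403,      # exists, but listing is denied
    "/WackoPicko/upload.php": 200,
}


def fake_fetch(url: str) -> int:
    host_and_path = url.split("://", 1)[1]
    path = host_and_path[host_and_path.index("/"):] if "/" in host_and_path else "/"
    return FAKE_SITE.get(path, 404)


def demo() -> Dict[str, List[str]]:
    # Constructed sample wordlist; a real run would use read_wordlist(<dirbuster list>).
    words = ["# comment line", "admin", "images", "upload.php", "backup", "cgi-bin"]
    return forced_browse("http://192.168.56.102/WackoPicko", words, fake_fetch)


if __name__ == "__main__":
    for bucket, urls in demo().items():
        print(bucket, urls)
```

To run it against the lab instead of the constructed table, replace fake_fetch with make_fetcher() and the sample list with read_wordlist("/usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt"); with ZAP listening on 127.0.0.1:8080 every request is then visible in its history, just like the browser traffic in the recipe.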
Another very useful proxy included in Kali Linux is Burp Suite. It also has some very interesting features; one that can be used as an alternative to the Forced Browse we just used is Burp's Intruder, which can send a request once per wordlist entry with the entry substituted into the path. Although it is not specifically intended for that purpose, it is a versatile tool worth checking.