Monday, August 20, 2012

WebApps Pentesting with ZAP and its AJAX Spider Plugin

We recently developed a new plugin for ZAProxy that integrates a web spider called Crawljax, which is an open source Java spider of AJAX web applications.

By using the AJAX Spider plugin, we can discover the pages and dynamic-built links of a targeted web application, whose results can be later used by ZAP to find its vulnerabilities.

To set up the plugin, you have to perform the three following steps:
  1. Download the last release of ZAP from the zaproxy downloads tab. It is required ZAP>=1.4.1. 
  2. Download the AJAX Spider plugin from the zap-extensions site.
  3. Put the extension in the plugin folder of ZAP.
After this, ZAP and the AJAX Spider are ready to run. The AJAX Spider plugin can be invoked in the attack menu of the Sites Tab, as shown in [1] of the following image. The results of the crawling process will be shown in the AJAX Spider tab [2].


There are some parameters that you might want to configure before running it regarding the local proxy that ZAP creates to communicate with the crawljax instance, and regarding the crawling process:
  • In the local proxy options[1], you can configure its port an IP address.
  • In the crawler options[2], you can choose the web browser to be used by the plugin, the number of threads and the browser windows to open. You can also activate the "scan in depth option", which slows down a bit the process but improves its final results.
 This is shown in the next image:



When the process is started, a set of windows will be opened and the results will appear in the Sites tab[1] and also in the Spider Tab[2] where the found URLs can be clicked and the HTTP request and response will appear in [3].



I made a brief video that shows how to crawl a site and later use the generated web tree to find vulnerabilities in the targeted web application by using ZAP.



The plugin is still in alpha phase, if you have any comment, suggestion or question do no hesitate to contact me or to open a thread in the ZAP users' group.

Posted by Guifré Ruiz at 11:24 AM
Labels: , , , , , , ,

22 comments:

  1. AnonymousFebruary 15, 2013 at 7:51 AM

    Are there any plans to provide support for Safari Browsers .

    ReplyDelete
  2. Guifré RuizFebruary 15, 2013 at 10:20 AM

    @Anonymous: not in the near future. However, if you happen not to have chrome or firefox available, you can still use the htmlunit browser, which comes with the spider package.

    ReplyDelete
  3. VenkatApril 23, 2020 at 10:10 AM

    Super!

    Thanks a lot

    ReplyDelete
  4. electronic visa TurkeyNovember 19, 2021 at 8:08 AM

    Wow! It is a completely different topic. Great choice of Topic! You can apply for a Turkey visa online. You can get your Turkey Visa in just 1 hour by selecting the express processing type. It only takes 5 minutes to apply for an electronic visa Turkey. Apply Online.

    ReplyDelete
  5. kevinDecember 8, 2021 at 8:15 PM

    I think this is one of the most important pieces of information for me. Thanks a lot for posting.. What is FRRO Form C? The C-Form mechanism helps the authorities to locate and track foreigners in India to enhance safety & security. You can read info about FRRO Form C via India evisas guide.

    ReplyDelete
  6. India visa feesFebruary 17, 2022 at 12:28 PM

    I am happy to see your work. Some additional charges may apply in case of emergency in India visa fees.

    ReplyDelete
  7. Andre Van den bergApril 1, 2022 at 12:46 PM


    This is incredibly useful information. This article actually inspires me to follow your lead. When you are considering a trip to India, I need an India tourist visa covid, I read about this website and decided to use it. It's really good you can apply for your Indian visa online. In just a few days, I got my tourist visa to India online. When there were errors, they helped and understood the situation.

    ReplyDelete
  8. RodosqApril 8, 2022 at 10:01 AM

    İnstagram takipçi satın al! İnstagram takipçi sitesi ile takipçi satın al sende sosyal medyada fenomen olmaya bir adım at. Sende hemen instagram takipçi satın almak istiyorsan tıkla:

    1- takipçi satın al

    2- takipçi satın al

    3- takipçi satın al

    ReplyDelete
  9. evisa apply onlineJuly 21, 2022 at 8:41 AM

    Hello, I wanted to write a little Info related to Visa. Are you interested in traveling to any country? Yes, you can evisa apply online. You can fill out your visa application form online within 5 to 10 minutes via our Visacent website. We offer visas to citizens of over 190 countries. You can read more info about visas via our website.

    ReplyDelete
  10. Turkey visa applicationAugust 18, 2022 at 6:13 PM

    You are sharing a wonderful article with your audience. Readers are already enjoying it. I am here to inform the travelers who are willing to visit Turkey that they need to fill a Turkey visa application to enter Turkey. Online process makes makes easy to get evisa.

    ReplyDelete
  11. Turkey evisaAugust 22, 2022 at 10:01 AM

    That is the same thing that I am trying to find. Thanks for sharing this information… keep it up The process of e visa Turkey is easy and simple, the application form of Turkey evisa is easy to fill out for everyone, if you want to apply for a visa check out the page.

    ReplyDelete
  12. sportsbetDecember 12, 2022 at 9:31 PM

    Good content. You write beautiful things.
    vbet
    mrbahis
    hacklink
    taksi
    sportsbet
    vbet
    mrbahis
    hacklink
    korsan taksi

    ReplyDelete
  13. yBapFebruary 16, 2023 at 6:14 PM

    elf bar
    binance hesap açma
    sms onay
    4D7

    ReplyDelete
  14. Directory For PlacesMarch 16, 2023 at 11:14 AM


    A business guide provides information and guidance on various aspects of business management and ownership.

    ReplyDelete
  15. MalillkMarch 16, 2023 at 8:50 PM

    betmatik
    kralbet
    betpark
    tipobet
    slot siteleri
    kibris bahis siteleri
    poker siteleri
    bonus veren siteler
    mobil ödeme bahis
    TNLV

    ReplyDelete
  16. AnonymousMarch 26, 2023 at 9:10 AM

    Toptan vozol için buraya tıklayın: toptan vozol

    ReplyDelete
  17. MapishereApril 6, 2023 at 4:31 PM


    This way you can get a lot of information. Keep researching and reviewing.

    ReplyDelete
  18. melekJuly 11, 2023 at 2:52 AM

    elazığ
    kağıthane
    kastamonu
    nevşehir
    niğde
    yalova
    HW5ZNG

    ReplyDelete
  19. ilaydaJuly 28, 2023 at 10:05 PM

    bayrampaşa
    güngören
    hakkari
    izmit
    kumluca
    7FPİA

    ReplyDelete
  20. demetAugust 16, 2023 at 11:30 AM

    resimli magnet
    resimli magnet
    çerkezköy çatı ustası
    silivri çatı ustası
    dijital kartvizit
    VMSU6

    ReplyDelete
  21. Visa Free Countries For New Zealand CitizensSeptember 13, 2023 at 9:38 AM

    I discovered a lot of useful information in your article. Visa Free Countries For New Zealand Citizens. New Zealand citizens are fortunate to possess a passport that opens doors to a wide range of visa-free countries around the world. This remarkable privilege allows Kiwis to explore the globe with exceptional ease and convenience.

    ReplyDelete
  22. www vfsglobal com Saudi arabiaSeptember 23, 2023 at 8:21 AM

    VFS Global is a global visa and passport processing service provider. Visit www vfsglobal com Saudi arabia for information on services, appointments, and requirements related to Saudi Arabia's visa and consular services.

    ReplyDelete

Subscribe to: Post Comments (Atom)