1
00:00:00,360 --> 00:00:05,040
Automated tools are an important part of pen testing of web applications.

2
00:00:06,500 --> 00:00:11,870
To be able to understand if there's a vulnerability in an input field, you should send thousands of different

3
00:00:11,870 --> 00:00:12,440
payloads.

4
00:00:14,020 --> 00:00:19,030
For example, you have to try hundreds of payloads to be sure that there is not an actual injection

5
00:00:19,030 --> 00:00:20,230
vulnerability in the field.

6
00:00:21,470 --> 00:00:24,680
There may be tens or hundreds of input fields in a website.

7
00:00:25,590 --> 00:00:32,610
So only for the actual injection vulnerability, you have to give hundreds of thousands of tries in

8
00:00:32,610 --> 00:00:34,320
a typical web application pen test.

9
00:00:36,240 --> 00:00:38,610
So if you want to test the application manually,

10
00:00:39,000 --> 00:00:39,780
be my guest.

11
00:00:39,840 --> 00:00:41,540
It's going to take months.

12
00:00:42,630 --> 00:00:43,800
So to make it faster,

13
00:00:44,730 --> 00:00:47,130
you should try using automated tools.

14
00:00:49,320 --> 00:00:56,460
The OWASP Zed Attack Proxy, otherwise known as ZAP, is one of the world's most popular free security

15
00:00:56,460 --> 00:00:56,850
tools.

16
00:00:57,270 --> 00:01:01,320
It can help you automatically find security vulnerabilities in web applications.

17
00:01:02,870 --> 00:01:06,530
So to answer your first question, what is OWASP ZAP?

18
00:01:07,960 --> 00:01:11,620
ZAP is a tool to find vulnerabilities in web applications.

19
00:01:12,540 --> 00:01:14,820
It's completely free and open source.

20
00:01:15,980 --> 00:01:21,140
Because of its ease of use, it's ideal for people new to application security.

21
00:01:22,040 --> 00:01:27,650
ZAP is also a cross-platform tool, so you can use it on Windows, Linux and Macs.

22
00:01:28,670 --> 00:01:32,120
It's easy to install; it requires Java to run.

23
00:01:32,570 --> 00:01:35,600
Everything else is included in the standard download packages.

24
00:01:36,800 --> 00:01:41,810
A full set of help files is included, and these can also be viewed on the web.

25
00:01:42,910 --> 00:01:45,430
And ZAP is a community project.

26
00:01:45,730 --> 00:01:50,470
So there are hundreds of volunteers improving it and adding new components to it all the time.

27
00:01:51,250 --> 00:01:55,240
ZAP provides the essentials that you'll need for testing web applications.

28
00:01:56,440 --> 00:02:03,820
First of all, it's a personal proxy to intercept and tamper with the HTTP and HTTPS traffic between

29
00:02:03,820 --> 00:02:05,110
the browser and the server.

30
00:02:06,060 --> 00:02:13,440
It provides both active and passive scanners. The passive scanner just examines the requests and responses,

31
00:02:13,890 --> 00:02:17,790
and it can detect certain types of vulnerabilities just on that basis.

32
00:02:19,120 --> 00:02:26,980
It runs all the time you use ZAP, and it's safe to use on any site as it does not perform any attack

33
00:02:26,980 --> 00:02:27,490
itself.

34
00:02:29,490 --> 00:02:35,880
On the other side, the active scanner performs a range of attacks, as you'll see in the next lecture.

35
00:02:35,910 --> 00:02:42,090
Spidering or crawling can be used to crawl the application, for example to find pages that you've

36
00:02:42,090 --> 00:02:44,670
either missed or which have been hidden from you.

37
00:02:45,990 --> 00:02:53,520
ZAP can generate reports on the issues it has found, including advice and links to more information

38
00:02:53,520 --> 00:02:54,360
about the problems.

39
00:02:55,770 --> 00:03:03,960
It can also fuzz parameters, and you can use fuzzing to find more vulnerabilities that the automated

40
00:03:03,960 --> 00:03:06,120
scanners can't necessarily find.