Zed Attack Proxy Cookbook

Dive into security testing and web app scanning with ZAP, a world-famous OWASP security tool

Key Features

• Master ZAP to protect your systems from any type of attack
• Get hands on with cybersecurity using this step-by-step guide packed with practical examples
• Use advanced testing techniques on web applications such as XXE attacks and Java deserialization

Book Description

Security is an ever-changing, fast-paced discipline. Thankfully, there are free tools that you can use to protect your systems. OWASP Zed Attack Proxy (ZAP) is the most popular one: it allows you to test for vulnerabilities and exploits with the same functionality as a licensed tool! But how does it work?

Zed Attack Proxy Cookbook contains a vast array of practical recipes to help you set up, configure, and use ZAP to protect your vital systems from adversaries of every description. If you're interested in cybersecurity or already working as a cybersecurity professional, this book will give you mastery of this popular security tool.

You'll start with an overview of ZAP and understand how to set up a basic lab environment for the hands-on activities covered in the rest of the book. As you progress, you'll go through a myriad of step-by-step recipes detailing various types of exploits and vulnerabilities in web applications, as well as advanced techniques such as Java deserialization.

By the end of this Zap book, you'll be able to install and deploy ZAP, conduct basic to advanced web application penetration attacks, use the tool for mobile and API testing, install and deploy a BOAST server that works with ZAP, and build ZAP into a continuous integration and continuous delivery (CI/CD) pipeline, among many other things.

What you will learn

• Install ZAP on different operating systems or environments
• Find out how to crawl, passively scan, and actively scan web apps
• Discover authentication and authorization exploits
• Explore cryptography and test for business logic flaws
• Conduct client-side testing, or A/B testing
• Build an OAST server that can be used to conduct out-of-band attacks
• Extend ZAP with add-ons, and build and configure your own

Who This Book Is For

This book is for cybersecurity professionals, such as ethical hackers, application security engineers, and DevSecOps engineers. Students interested in web security, cybersecurity enthusiasts, and anyone from the open source cybersecurity community will find this book useful. A basic understanding of cybersecurity will be helpful to get the most out of this book.

Table of Contents

1. Getting Started with OWASP Zed Attack Proxy (ZAP
2. Navigating around the UI
3. Configuring, Crawling, Scanning, and Reporting
4. Authentication Testing
5. Authorization Testing
6. Testing of Session Management
7. Validating (Data) Inputs - Part 1
8. Validating (Data) Inputs - Part 2
9. Testing for Error Handling
10. Testing for Weak Cryptography
11. Business Logic Testing
12. Client-Side (A/B) Testing
13. Advanced Techniques and Other Musings
14. Creating Extensions and Add-Ons