Web Application Pen testing with OWASP ZAP (liking it)

Penetration testing is one of the methods used to validate the security posture of a network or application. While not all pentests can discover everything, they are good at testing what you want tested and sometimes what you didn't know existed. OWASP ZAP (Zed Attack Proxy) is just one of the Java-based tools that you can fire up fast enough and get cracking. This review isn't going to be technical in steps and methods, at least not too deep, but will reflect on the kind of functionality and purpose you are looking for in a tool.

OWASP ZAP can be used with its proxy settings enabled so you can view, review, edit or modify text as it goes towards the target. Great for testing local encryption, SQL injection, XSS attempts, clickjacking, etc. When set up as the proxy you can test how input is sent, received and accepted, and the response the server gives. A great tool for troubleshooting and hardening applications as well as testing the performance of such applications. While using this I discovered that a good YouTube video showed many attacks that are possible on most database or application web sites that people just pay no mind to. It is amazing the number of subtle security flaws that, if leveraged in a certain attack, can lead to more and more information leakage that a cracker can grab and escalate with.
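The reason editing a request in the proxy matters is that anything the browser checked on the client side is gone by the time the server sees the request, so the server's own handling decides the outcome. The following is an added example, not code from the post or from the ZAP project: a constructed in-memory SQLite table stands in for the application's backend, one lookup builds its query by string concatenation while the other binds the parameter, and a small header audit flags the anti-clickjacking and content-type protections a tester would look for in the response pane. The table, the values and the `audit_headers` rule set are all assumptions made for the example.

```python
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory backend standing in for the web app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[int, str]]:
    """Builds the SQL by concatenation: a parameter edited in the proxy
    becomes part of the query text, so the WHERE clause is attacker-shaped."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> List[Tuple[int, str]]:
    """Binds the value as a parameter: the database never parses it as SQL,
    so a tampered value simply matches no row."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Flags missing defensive headers in a captured response (assumed rule set,
    modelled on the kind of passive check a proxy scanner reports)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = lower.get("content-security-policy", "")
    if "x-frame-options" not in lower and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options or CSP frame-ancestors")
    if not csp:
        findings.append("xss: no Content-Security-Policy")
    if lower.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("content sniffing: X-Content-Type-Options not nosniff")
    return findings


# A value a tester might substitute for the name parameter inside the proxy
# after the browser's own validation has already run (constructed input).
TAMPERED_NAME = "x' OR '1'='1"

# Constructed response headers: the first set is what a hardened app sends,
# the second is what the "nobody paid attention" app sends.
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
}
WEAK_HEADERS = {"Content-Type": "text/html"}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, TAMPERED_NAME))  # every row
    print("hardened:  ", lookup_hardened(db, TAMPERED_NAME))   # no rows
    print("weak headers:", audit_headers(WEAK_HEADERS))
    print("hardened headers:", audit_headers(HARDENED_HEADERS))
```

Running it shows the concatenated query returning all three users for the tampered value while the bound query returns none, and the header audit listing three findings for the bare response and none for the hardened one. That is the same comparison you would make by hand in ZAP: edit the parameter in the proxy, replay it, and read the response.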

Interesting videos
OWASP ZAP Tutorials

Security Testing for Developers Using OWASP ZAP
