Tag Archives: pentest

Web Application Pen testing with OWASP ZAP (liking it)

Penetration testing is one of the methods used to validate the security posture of a network or application. While no pentest can discover everything, pentests are good at testing what you already want to check and sometimes what you didn’t know existed. OWASP ZAP (Zed Attack Proxy) is just one of the Java-based tools that you can fire up fast enough and get cracking with. This review isn’t going to be technical in steps and methods, at least not too deep, but will reflect on the kind of functionality and purpose you are looking for in a tool.

OWASP ZAP can be used with its proxy settings enabled so you can view, review, edit or modify traffic as it goes towards the target. It is great for testing local encryption, SQL injection, XSS attempts, clickjacking and the like. When set up as a proxy you can test how input is sent, received and accepted, and the response the server gives. It is a great tool for troubleshooting and hardening applications as well, and for testing the performance of such applications. While using this I discovered a good YouTube video that showed many attacks that are possible on most database or application web sites that people just pay no mind to. It is amazing the number of subtle security flaws that, if leveraged in a certain attack, can lead to more and more information leakage that a cracker can grab and escalate with.
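As an added illustration (not code from the post or from the ZAP project), the kind of passive check ZAP runs on each request/response pair it proxies can be written in a few lines of Python: one function flags missing anti-clickjacking and anti-XSS response headers, the other flags query parameters whose HTML-significant value is echoed back into the page unencoded. The URL, headers and body are constructed samples.

```python
"""Passive hardening checks on a captured request/response pair (constructed sample data)."""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a search request and the response the server gave.
SAMPLE_URL = "http://app.example.test/search?q=<b>zap</b>&page=2"
SAMPLE_HEADERS = {"Content-Type": "text/html", "Server": "demo"}
SAMPLE_BODY = "<html><body>Results for <b>zap</b> (page 2)</body></html>"


def missing_hardening_headers(headers: dict) -> list:
    """Report response headers a hardened application would normally send."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    findings = []
    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive is needed.
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options or CSP frame-ancestors")
    # MIME sniffing: browsers may treat non-HTML responses as HTML without nosniff.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("mime sniffing: X-Content-Type-Options: nosniff absent")
    # XSS: a CSP limits what an injected script can do even if encoding is missed.
    if not csp:
        findings.append("xss: no Content-Security-Policy")
    return findings


def reflected_unencoded(url: str, body: str) -> list:
    """Return names of query parameters whose value contains HTML-significant
    characters and appears verbatim in the body, i.e. was not escaped."""
    params = parse_qs(urlsplit(url).query)
    reflected = set()
    for name, values in params.items():
        for value in values:
            # A value that escaping would not change cannot show unencoded output.
            if html.escape(value, quote=True) != value and value in body:
                reflected.add(name)
    return sorted(reflected)


if __name__ == "__main__":
    for finding in missing_hardening_headers(SAMPLE_HEADERS):
        print("header:", finding)
    for name in reflected_unencoded(SAMPLE_URL, SAMPLE_BODY):
        print("reflected unencoded parameter:", name)
```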

Interesting videos
OWASP ZAP Tutorials

Security Testing for Developers Using OWASP ZAP

Effective Penetration Test Survey Results – Coming Soon!!

The research is complete and I am about to post the survey results. Some companies couldn’t find it in them to participate. That’s too bad. We are all here to collectively push for perfection in our roles. While no one person or company is 100% perfect all the time, we should work together. The mission is information security assurance and there is plenty of work out there. Those companies that did participate will have their logo represented here and a link back to their site. What is great about this research is that it is happening NOW. The timeliness alone is worth the price of admission, which is free.