Part 10 - Discovering SQLI

Video Activity

This lesson covers the OWASP Zed Attack Proxy (ZAP). Using the application, participants receive step-by-step instructions on how to spider a web page and then review everything it has found. ZAP is able to attack any vulnerability that is present.


Time: 4 hours 20 minutes
Difficulty: Intermediate
CEU/CPE: 5

Video Transcription
00:03
>> Next we're going to check out the Zed Attack Proxy.
00:03
I'm going to come over here in our environment,
00:03
click applications, web application analysis.
00:03
Then we're going to go and click the OWASP ZAP.
00:03
The Zed Attack Proxy has launched.
00:03
We're going to come over here to URL to attack.
00:03
I'm going to go and type in
00:03
192.168.0.11 or whatever you
00:03
have it set up as for yourself.
00:03
You're going to click attack.
00:03
Now it's going to go through,
00:03
and it's going to spider
00:03
this entire webpage for you here.
00:03
I'm going to be able to scroll down
00:03
and look at everything that it's found.
00:03
You can see here on the spider and
00:03
view pages that you might have missed,
00:03
which can come in very handy.
00:03
If we come over to active scan,
00:03
it is now actively performing
00:03
scans against this web application.
00:03
Now, the Zed Attack Proxy,
00:03
will launch scans against
00:03
every vulnerability that is present.
00:03
If you want to change any scan policy here,
00:03
if you want to modify your scan policy
00:03
because it's being a bit too harsh,
00:03
you can come in here and do things to the scan policy,
00:03
such as turning different things off,
00:03
turn off the strength of
00:03
different things to better tailor your [inaudible].
00:03
This is especially helpful if you wanted to do
00:03
something like just check for SQL injection.
00:03
You can come here and beef
00:03
it up if you wanted to and turn everything else off.
00:03
This will help you
00:03
identify just SQL injection and
00:03
if something is to fail,
00:03
you don't want to do scans
00:03
with web vulnerability scanners,
00:03
with everything firing off at
00:03
once because you can crash your server that way.
00:03
If you've already used the Zed Attack Proxy,
00:03
you should go through and turn all of these off.
00:03
Really just use the one scan that you want.
00:03
If you come over here and
00:03
you see that SQL injections have been found,
00:03
come over here and we click on the item.
00:03
It'll give us a URL,
00:03
give us the attack that it used and
00:03
give us some information here,
00:03
such as a description of it,
00:03
some solutions for it, and some references.
00:03
The Zed Attack Proxy is
00:03
another powerful free tool for you to
00:03
use and I highly suggest using it.
00:03
Comes pre-built in with
00:03
a whole bunch of other different tools in here.
00:03
They're really, really great to use.
00:03
I highly suggest you check it out.