Part 4 - Spidering

Video Activity

This lesson covers active and passive spidering using the Zed Attack Proxy (OWASP ZAP).


Time
4 hours 20 minutes
Difficulty
Intermediate
CEU/CPE
5

Video Transcription
>> Next, we're going to check out active and passive spidering for the Zed Attack Proxy. Let's go check it out.

We want to close our Burp Suite because if we open up Zed Attack Proxy while Burp Suite is open, both listeners will fight for the 127.0.0.1 address and you won't get good results. Let's exit this, and if we try to do anything now with that closed, you're not going to get anything because the proxy is not listening anymore because we've turned it off. If you wanted to go back to your normal operations, you would go back into "Preferences", "Settings" and use the "Auto-detect proxy" or "Use system proxy settings" or "No proxy" to get back.

We're going to go in here and we're going to open up our OWASP ZAP. Just click "Start" on that, and here we are in OWASP ZAP. What we're going to do here is place in our target URL, 192.168.1.12. We're not going to do that yet because what we're going to do is come over here and browse the page. Now we see a history here, which is performing a passive spidering like Burp Suite did. As we click along, it populates and tells us information about that.

If we right-click on our target here, go to "Attack" and we click "Spider", and we want to click "Recursive", where we try to go through all the pages that it finds, and then you click "Start Scan". You can show advanced options here and customize your options some. You can tell it to try to parse, get metadata, and you can adjust what exactly it searches for here. Then also you can tell it, hey, I want a maximum depth crawl of XML. What that means is it will click a link and it will follow that link down to however many links that you're telling it to perform a depth crawl of here.

We go back over to scope and we're going to start scan. Now our active scan has populated it. There was some stuff in here before because it's passively scanning, but now we have a full active list here. That is how you actively scan and sort of passively scan in OWASP ZAP.