0
votes

I am new to ZAP 2.5 and I have these questions that are yet to be answered as of the moment:

  1. Can ZAP be run against a protected website? Note that I don't know what method is used to protect the website. But whenever I try to run ZAP against it, it only checks the Log In form of the website; ZAP doesn't dig deeper. Is that normal, given that the website is protected?
  2. I am not hacking the website; it's just that my mentor wanted me to know if I or ZAP has the ability to perform security testing on our website even if it is protected. Is it really possible? If so, how?

I hope that someone can enlighten me on this, because so far I haven't found any answers. Thank you!

2

2 Answers

0
votes

It can. You can read how to configure it in the manual.

0
votes

Security tools like ZAP don't work by magic. They allow you to automate repetitive tasks that would take a pentester much longer to perform manually.

If you have a complex login process then you will need to understand how it works in order to configure ZAP to handle it. Proxy your browser through ZAP. Log in manually and look at the requests and responses that are proxied. Try to understand how the authentication works - once you have done that you can start looking at how to automate logging in via ZAP.
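The procedure above ends with "automate logging in via ZAP". For the common case where the proxied traffic shows a plain HTML form POST, the following script does that through ZAP's REST API: it creates a context, registers form-based authentication with a logged-in indicator, adds a user with credentials, then spiders and active-scans as that user. This is an added example written for this thread; it is not code from the original answers or from the ZAP project. It assumes ZAP listening on http://127.0.0.1:8080 with an API key, a target at app.example.test whose login form POSTs `username` and `password` fields, and the word "Logout" as the logged-in indicator; all of those are placeholders to replace with what your own proxied login showed.

```python
"""Drive ZAP's form-based authentication through its JSON API (stdlib only).

Added example, not code from the original thread or the ZAP project.
Assumed (placeholders): ZAP at http://127.0.0.1:8080 with API key "changeme",
target http://app.example.test whose login form POSTs `username`/`password`,
and the text "Logout" appearing only in authenticated responses.
"""
import json
import sys
import time
import urllib.error
import urllib.parse
import urllib.request


def auth_config_params(login_url, user_field="username", pw_field="password"):
    """Build ZAP's `authMethodConfigParams` for formBasedAuthentication.

    ZAP replaces {%username%} and {%password%} with the context user's
    credentials. The value is itself a query string, so it is URL-encoded
    once here and again when api_url() places it into the API URL.
    """
    request_data = f"{user_field}={{%username%}}&{pw_field}={{%password%}}"
    return urllib.parse.urlencode(
        [("loginUrl", login_url), ("loginRequestData", request_data)]
    )


def api_url(base, component, kind, name, params, apikey):
    """Compose a ZAP JSON API URL, e.g. /JSON/context/action/newContext/?..."""
    query = urllib.parse.urlencode({**params, "apikey": apikey})
    return f"{base}/JSON/{component}/{kind}/{name}/?{query}"


def zap_call(base, component, kind, name, params, apikey):
    """Perform one API call and return the decoded JSON body."""
    url = api_url(base, component, kind, name, params, apikey)
    try:
        with urllib.request.urlopen(url, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:  # ZAP returns JSON error bodies with 4xx/5xx
        raise RuntimeError(f"{component}/{name}: {e.code} {e.read().decode(errors='replace')}") from e


def wait_for(base, component, scan_id, apikey):
    """Poll a spider ("spider") or active scan ("ascan") until it reports 100%."""
    while int(zap_call(base, component, "view", "status", {"scanId": scan_id}, apikey)["status"]) < 100:
        time.sleep(2)


def run_authenticated_scan(base, apikey, target, login_url, username, password,
                           logged_in_regex, context_name="protected-app"):
    """Create a context, configure form auth, add a user, spider and scan as that user."""
    ctx = zap_call(base, "context", "action", "newContext",
                   {"contextName": context_name}, apikey)["contextId"]
    zap_call(base, "context", "action", "includeInContext",
             {"contextName": context_name, "regex": f"{target}.*"}, apikey)
    zap_call(base, "authentication", "action", "setAuthenticationMethod",
             {"contextId": ctx, "authMethodName": "formBasedAuthentication",
              "authMethodConfigParams": auth_config_params(login_url)}, apikey)
    # The indicator lets ZAP tell logged-in responses from logged-out ones,
    # so it re-authenticates instead of silently scanning the login page.
    zap_call(base, "authentication", "action", "setLoggedInIndicator",
             {"contextId": ctx, "loggedInIndicatorRegex": logged_in_regex}, apikey)
    user = zap_call(base, "users", "action", "newUser",
                    {"contextId": ctx, "name": username}, apikey)["userId"]
    creds = urllib.parse.urlencode({"username": username, "password": password})
    zap_call(base, "users", "action", "setAuthenticationCredentials",
             {"contextId": ctx, "userId": user, "authCredentialsConfigParams": creds}, apikey)
    zap_call(base, "users", "action", "setUserEnabled",
             {"contextId": ctx, "userId": user, "enabled": "true"}, apikey)

    spider = zap_call(base, "spider", "action", "scanAsUser",
                      {"contextId": ctx, "userId": user, "url": target}, apikey)["scan"]
    wait_for(base, "spider", spider, apikey)
    found = zap_call(base, "spider", "view", "results", {"scanId": spider}, apikey)["results"]
    # Sanity check: an authenticated spider should get past the login page.
    if len(found) <= 1:
        print("spider only reached the login form; re-check field names and indicator", file=sys.stderr)
    ascan = zap_call(base, "ascan", "action", "scanAsUser",
                     {"url": target, "contextId": ctx, "userId": user}, apikey)["scan"]
    wait_for(base, "ascan", ascan, apikey)
    return zap_call(base, "core", "view", "alerts", {"baseurl": target}, apikey)["alerts"]


if __name__ == "__main__":
    for alert in run_authenticated_scan(
        base="http://127.0.0.1:8080", apikey="changeme",
        target="http://app.example.test", login_url="http://app.example.test/login",
        username="tester", password="secret", logged_in_regex=r"\QLogout\E",
    ):
        print(alert["risk"], alert["alert"], alert["url"])
```

If the spider still only sees the login page, the usual causes are a wrong field name in `loginRequestData`, a CSRF token or JavaScript step the form needs (which form-based auth cannot replay on its own), or a logged-in indicator that does not match; the proxied requests from the manual login are the place to check each of these.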