1
votes

I'm a young student doing an internship in a company (and a pure beginner in the security field), and my company asked me to do security tests with OWASP ZAP on their web application. I wanted to know what the recommended input vectors are to run an optimal active scan. I've already tried to run several active scans with as many options as possible, but it never finishes: it takes hours on the first step, and when I leave it running at night and come back, it has stopped. I did a lot of research and I don't have the impression that the sites I found linger on the explanations concerning the input vectors of an active scan. On the forums people seem to talk more about input vectors through APIs. Would it be more optimal in my situation to go through the APIs?

Thank you for your attention, I hope you can advise me!


2 Answers

1
votes

My experience with OWASP ZAP was that, compared to Burp, the tool was slower and had memory handling problems when the test took too long. You can play with choosing the technologies and server/DB types when starting an active scan, but it will probably not help if the tested application is big. I'd rather cut the pentest into smaller parts like:

  1. Choosing one dialog of the application you want to test
  2. Clicking manually through everything there is on the dialog
  3. Running the active scan and analysing the output
  4. Performing manual tests to confirm the found bugs
  5. Going back to point 1 until there is nothing more to be tested
  6. Consolidating the test results

You should also look into the generated traffic to verify that OWASP ZAP is running correctly and that the generated payloads make sense. A common mistake is running OWASP ZAP against an unauthenticated application or losing the auth tokens somewhere in the middle of the test. The test does not make any sense after this happens.
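The last point of this answer, checking the scan's own traffic for a lost session, is easy to automate. The script below is an added example, not code from the answer or from the ZAP project: it assumes you have exported the scan's request/response history (from ZAP's History tab or its API) into simple records, and the record layout, the login path, the cookie name and the sample data are all constructed for illustration. It flags the first sustained run of unauthenticated responses, which is the point after which every further scanner request is wasted.

```python
"""Detect a mid-scan loss of authentication in exported scan traffic.

Added example, not part of the original answer. The record layout below is
an assumption: (sequence number, request Cookie header, response status,
response Location header). Real exports will need a small adapter.
"""
import re

LOGIN_PATH = "/login"          # assumption: where the app sends unauthenticated users
SESSION_COOKIE = "JSESSIONID"  # assumption: the application's session cookie name
MIN_RUN = 3                    # consecutive unauthenticated responses before we call it a loss

# Constructed sample history: the session is healthy until a scanner payload
# logs the user out at sequence 5 and the cookie disappears from later requests.
SAMPLE_HISTORY = [
    (1, "JSESSIONID=abc123", 200, ""),
    (2, "JSESSIONID=abc123", 200, ""),
    (3, "JSESSIONID=abc123", 302, "/dashboard"),   # in-app redirect, still logged in
    (4, "JSESSIONID=abc123", 200, ""),
    (5, "JSESSIONID=abc123", 302, "/login"),       # bounced to the login page
    (6, "", 302, "/login?next=%2Fprofile"),       # cookie gone from the request
    (7, "", 401, ""),
    (8, "", 302, "/login"),
    (9, "", 200, ""),                              # the login page itself renders 200
]


def has_session(cookie_header):
    """True when the request carried the session cookie at all."""
    return re.search(rf"(^|;\s*){re.escape(SESSION_COOKIE)}=", cookie_header) is not None


def looks_unauthenticated(status, location):
    """True when the response is how this app answers a missing or dead session."""
    if status in (401, 403):
        return True
    if status in (301, 302, 303, 307) and re.match(rf"^{re.escape(LOGIN_PATH)}(\?|$)", location):
        return True
    return False


def is_unauthenticated(entry):
    _seq, cookie_header, status, location = entry
    return not has_session(cookie_header) or looks_unauthenticated(status, location)


def find_auth_loss(history, min_run=MIN_RUN):
    """Return (sequence number where the loss starts, number of requests sent
    from that point on), or None if no sustained loss is seen.

    A single redirect to the login page is ignored: the scanner may simply
    have hit a logout link or sent a payload the app rejected once.
    """
    run_start = None
    for i, entry in enumerate(history):
        if is_unauthenticated(entry):
            if run_start is None:
                run_start = i
            if i - run_start + 1 >= min_run:
                return history[run_start][0], len(history) - run_start
        else:
            run_start = None
    return None


if __name__ == "__main__":
    result = find_auth_loss(SAMPLE_HISTORY)
    if result is None:
        print("session held for the whole scan")
    else:
        lost_at, wasted = result
        print(f"authentication lost at request #{lost_at}; {wasted} requests after that were unauthenticated")
```

In practice the useful follow-up is to add a regex for the logout URL to the context's exclusions and to configure session management or a logged-in indicator in the context, so ZAP re-authenticates instead of continuing blind.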

2
votes

TBH, input vectors are not the first place I would start. You first need to understand why ZAP is taking so long. I wrote a blog post about this some time ago which is still pretty relevant: https://blog.mozilla.org/security/2013/07/10/how-to-speed-up-owasp-zap-scans/

Is your site really big, or does it just contain a lot of data-driven content? There's no point in scanning 100s or 1000s of pages that actually have the same code behind them. We also have a ZAP User Group on which you should get faster and more pertinent advice: https://groups.google.com/group/zaproxy-users
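One way to act on this answer's point about data-driven pages is to group the URLs ZAP has spidered by the template behind them and scan only one representative per template. The script below is an added example, not code from the answer or from the ZAP project: it treats numeric, hexadecimal and UUID path segments as record identifiers, keeps query parameter names (each distinct parameter set is a distinct set of input vectors) while dropping their values, and emits one regex per template on the assumption that ZAP context include/exclude lists are regular expressions matched against the full URL. The sample URL list is constructed.

```python
"""Collapse data-driven URLs to their templates before active scanning.

Added example, not part of the original answer. The identifier heuristics
(numeric, long hex, UUID segments) are an assumption that fits typical
"/product/123" style sites; adjust them for the application under test.
"""
import re
from collections import OrderedDict
from urllib.parse import urlsplit, parse_qsl

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
NUMERIC_RE = re.compile(r"^\d+$")
HEX_RE = re.compile(r"^[0-9a-f]{16,}$", re.I)

# Constructed sample: what a spider might return from a small shop.
SAMPLE_URLS = [
    "https://shop.example.test/product/101",
    "https://shop.example.test/product/102",
    "https://shop.example.test/product/103",
    "https://shop.example.test/product/104",
    "https://shop.example.test/category/shoes?page=1",
    "https://shop.example.test/category/shoes?page=2",
    "https://shop.example.test/category/hats?page=1",
    "https://shop.example.test/account/settings",
    "https://shop.example.test/order/8f14e45f-ceea-467a-9575-62c8a3d50cbe",
    "https://shop.example.test/order/6512bd43-d9ca-4e91-9f83-6f6ae7d2a3a1",
]


def normalise_segment(seg):
    """Replace a record-identifier path segment with a placeholder."""
    if NUMERIC_RE.match(seg) or UUID_RE.match(seg) or HEX_RE.match(seg):
        return "{id}"
    return seg


def template_of(url):
    """Path with identifiers replaced plus the sorted query parameter names."""
    parts = urlsplit(url)
    path = "/".join(normalise_segment(s) for s in parts.path.split("/"))
    keys = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return path + ("?" + "&".join(keys) if keys else "")


def group_urls(urls):
    """Map each template to the URLs that share it, in first-seen order."""
    groups = OrderedDict()
    for url in urls:
        groups.setdefault(template_of(url), []).append(url)
    return groups


def representatives(urls):
    """One URL per template: the set worth pointing an active scan at."""
    return [members[0] for members in group_urls(urls).values()]


def template_regex(url):
    """Regex matching every URL of this URL's template (full-URL match)."""
    parts = urlsplit(url)
    segs = ["[^/?]+" if normalise_segment(s) == "{id}" else re.escape(s)
            for s in parts.path.split("/")]
    return "^" + re.escape(f"{parts.scheme}://{parts.netloc}") + "/".join(segs) + r"(\?.*)?$"


if __name__ == "__main__":
    groups = group_urls(SAMPLE_URLS)
    print(f"{len(SAMPLE_URLS)} URLs collapse to {len(groups)} templates")
    for template, members in groups.items():
        print(f"{len(members):3d}  {template}   e.g. {members[0]}")
        print(f"      regex: {template_regex(members[0])}")
```

The representatives are the URLs to scan; the per-template regex is what you would put in the context's exclusion list (or use to limit the spider) so ZAP stops visiting the other copies. Templates with a single member that differ only by a slug, such as the two category pages here, are a judgement call: the heuristic keeps them apart because a slug is not obviously an identifier, so review the output rather than trusting it blindly.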