Analysis, Editing, and Testing of Authentication Scripts with ZAP Tool

Added on 2022/08/28

Practical Assignment
Summary
This assignment report details the analysis, editing, and testing of authentication scripts using the Zed Attack Proxy (ZAP) tool. It begins by identifying the script type as an authentication script and explains its purpose within a context. The report then guides the user through editing the script to accept username and password parameters, along with running the script on localhost using ZAP, including screenshots and descriptions for each step. The report also covers running a penetration test using ZAP, describes the interface, and explains the automated scan process, including how to print a report detailing the vulnerabilities found. Furthermore, the assignment explores the use of HTTP sender scripts to modify HTTP messages and identify potential vulnerabilities, emphasizing the use of breakpoints to intercept and alter data parameters. The report includes detailed steps for configuration, testing, and result interpretation, providing a comprehensive guide to web application security testing using ZAP.
Running head: REPORT ON SCRIPT
By
Academic Year: 2019-20
Module: Script
Using the Zed Attack Proxy (ZAP) tool
Q1- a) What type of script is this?
This is an authentication script. Authentication scripts are invoked when authentication is performed for a
Context. To be used, they must be selected when configuring the Script-Based
Authentication method for that Context.
b) Edit this script to take two arguments (parameters), username and password, and run it with
ZAP on localhost; add a screenshot for each step and write a description of each.
Today, when we put sensitive information on the web, more of our attention should be spent on the security
aspects involved. We generally address this in one of two ways: by using our own
internal development team, or by engaging a team of security specialists with the necessary
knowledge of the prevailing system penetration techniques of the day.
The problem with many developers is that they generally have only a basic
understanding of the various relevant security aspects involved, which means that you
must spend significant resources qualifying them to the desired level if you wish
to handle your security testing in-house. In many cases, however, if there is no such
expertise in the organisation, security testing is not executed as part of a CI pipeline.
Nevertheless, it is common practice to set up and run various penetration and other testing procedures.
This is usually done on release; and the more significant the release, the more
time and effort is spent on penetration testing, which leaves the unavoidable chance of more
issues being found during testing. After all of this, there is a decision to delay the
release and fix the issues encountered, or to postpone the fixes in order to meet the desired release
deadline, which will inevitably result in an increased likelihood of a
security incident.
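The report does not reproduce the script that Q1 b) refers to. The following is an added example, not the report's own script, of what a ZAP script-based authentication script looks like once it takes the two credential parameters the question asks for. It is written for ZAP's JavaScript script engine: ZAP calls `authenticate(helper, paramsValues, credentials)` and reads the parameter names from the three `get...ParamsNames()` functions. The login URL parameter, the form field names `username` and `password`, and the use of a plain form POST are assumptions for a typical login page; the pure-JS helpers at the top are kept free of ZAP's Java classes so they can be checked outside ZAP.

```javascript
// Added example: a ZAP "Authentication" script (JavaScript engine) for a
// form-based login that takes two credential parameters, Username and Password.
// Not the report's own script. The "Login URL" parameter and the form field
// names "username"/"password" are assumptions for a typical login form.

// Builds the application/x-www-form-urlencoded body for the login POST.
// Pure JS so it can be unit-tested outside ZAP; encoding stops a password
// containing "&" or "=" from being read as extra form fields.
function buildLoginBody(fieldNames, username, password) {
  return fieldNames.user + "=" + encodeURIComponent(username) +
         "&" + fieldNames.pass + "=" + encodeURIComponent(password);
}

// Sanity check on the credentials ZAP hands in before anything is sent:
// an empty username or password usually means the Context's User is misconfigured.
function validateCredentials(username, password) {
  var problems = [];
  if (!username) problems.push("Username is empty");
  if (!password) problems.push("Password is empty");
  return problems;
}

// Called by ZAP each time it needs to (re)authenticate a User in the Context.
//   helper       - AuthenticationHelper: prepareMessage(), sendAndReceive(msg)
//   paramsValues - Map of the script parameters configured in the Context
//   credentials  - GenericAuthenticationCredentials: getParam(name)
function authenticate(helper, paramsValues, credentials) {
  // Java classes are resolved here, not at load time, so the helpers above
  // stay testable in Node where no "Java" object exists.
  var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
  var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
  var URI = Java.type("org.apache.commons.httpclient.URI");

  var loginUrl = paramsValues.get("Login URL");
  var username = credentials.getParam("Username");
  var password = credentials.getParam("Password");

  var problems = validateCredentials(username, password);
  if (problems.length > 0) {
    throw new Error("Authentication script: " + problems.join("; "));
  }

  var msg = helper.prepareMessage();
  msg.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.POST,
                                             new URI(loginUrl, false),
                                             HttpRequestHeader.HTTP11));
  msg.getRequestHeader().setHeader(HttpHeader.CONTENT_TYPE, "application/x-www-form-urlencoded");
  msg.setRequestBody(buildLoginBody({ user: "username", pass: "password" }, username, password));
  msg.getRequestHeader().setContentLength(msg.getRequestBody().length());

  helper.sendAndReceive(msg);
  // ZAP checks the returned message against the Context's logged-in/logged-out
  // indicators to decide whether the login succeeded.
  return msg;
}

// Script parameters the user must fill in when selecting this script for a Context.
function getRequiredParamsNames() { return ["Login URL"]; }
function getOptionalParamsNames() { return []; }
// Credential parameters shown per User in the Context's Users tab:
// the two arguments Q1 b) asks the script to take.
function getCredentialsParamsNames() { return ["Username", "Password"]; }
```

To use it in ZAP, save the file under the Scripts tab as type "Authentication", then in the Context's Authentication settings choose "Script-based Authentication", select the script, fill in the Login URL, and add a User with the Username and Password values; ZAP will then run `authenticate` against localhost whenever it needs a fresh session.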
Penetration Testing Process
Pentesting typically follows these stages:
Explore – The tester attempts to learn about the system being tested.
This includes trying to find out what software is in use, what
endpoints exist, what patches are installed, and so on. It also includes
searching the site for hidden content, known vulnerabilities, and other indications of
weakness.
Attack – The tester attempts to exploit the known or suspected vulnerabilities to
prove that they exist.
The Docker versions do not require you to install Java. When the installation is
complete, launch ZAP and read the licence terms. Click Agree if you
accept the terms; ZAP will finish installing and then start
automatically. When you first start ZAP, you will be asked
whether you want to persist the ZAP session. By default, ZAP sessions are
always recorded to disk in an HSQLDB database with a default name and location. If
you do not persist the session, those files are deleted when you exit
ZAP. If you choose to persist a session, the session data will be saved
in the local database so you can access it later, and you will be able to give custom
names and locations for saving the files.
Step 1: Installation of ZAP
ZAP UX
c) Print the report and describe the result of running it?
This is the welcome screen. It has a menu bar, tree window, workspace window, information
window, footer and toolbar
Running Pen test in ZAP
The easiest way to start using ZAP is via the Quick Start tab.
Quick Start is a ZAP add-on that is included automatically when you install ZAP.
To run a Quick Start Automated Scan:
1. Start ZAP and click the Quick Start tab of the Workspace Window.
2. Click the large Automated Scan button.
3. In the URL to attack text box, enter the full URL of the web application you want
to scan.
4. Click the Attack button.
On clicking "Attack" above, ZAP proceeds to scan the target site for
vulnerabilities and reports them. Alternatively, we can hook our browser by
clicking the "Launch Browser" button under the "Attack" button. This ensures that all the
sites visited by the browser are checked for vulnerabilities each time they are visited. ZAP
continues to scan the target site for any vulnerabilities, and the issues found are sent to the
"Alerts" tab in the bottom window. Alerts are classified according to the OWASP Top 10
list of the most prevalent web application vulnerabilities.
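The Quick Start flow above (spider the target, active-scan it, read the Alerts tab, then print the report) can also be driven through ZAP's REST API, which is how the same scan is run unattended in a CI pipeline. The following is an added example, not part of the report, written for Node 18+ (it uses the global `fetch`). It assumes ZAP is listening on its default `http://localhost:8080`, that the API key is supplied in the `ZAP_API_KEY` environment variable, and that the target is a locally hosted test application such as `http://localhost:3000`; the endpoint paths (`spider/action/scan`, `ascan/action/scan`, `core/view/alerts`, `core/other/htmlreport`) are ZAP's own.

```javascript
// Added example: the Quick Start "Automated Scan" and "Print the Report" steps
// driven through ZAP's REST API from Node 18+. Not code from the report.
// Assumptions: ZAP on http://localhost:8080 (its default), API key in the
// ZAP_API_KEY environment variable, target passed in ZAP_TARGET.

const ZAP_BASE = process.env.ZAP_BASE || "http://localhost:8080";
const API_KEY = process.env.ZAP_API_KEY || "";

// Builds a ZAP API URL: /<format>/<component>/<kind>/<operation>/?params&apikey=...
// Parameters go through URLSearchParams so a target URL is percent-encoded
// correctly instead of being spliced into the query string by hand.
function zapApiUrl(component, kind, operation, params, format, base, apiKey) {
  const url = new URL(`/${format || "JSON"}/${component}/${kind}/${operation}/`, base || ZAP_BASE);
  for (const [k, v] of Object.entries(params || {})) url.searchParams.set(k, v);
  const key = apiKey === undefined ? API_KEY : apiKey;
  if (key) url.searchParams.set("apikey", key);
  return url.toString();
}

async function callJson(component, kind, operation, params) {
  const res = await fetch(zapApiUrl(component, kind, operation, params));
  if (!res.ok) throw new Error(`${component}/${operation} failed: HTTP ${res.status}`);
  return res.json();
}

// Polls a <component>/view/status/ endpoint until the scan reports 100 percent.
async function waitForScan(component, scanId) {
  for (;;) {
    const { status } = await callJson(component, "view", "status", { scanId });
    if (Number(status) >= 100) return;
    await new Promise((resolve) => setTimeout(resolve, 2000));
  }
}

// Counts alerts per risk level, the same buckets the Alerts tab shows, so the
// High/Medium findings stand out before anyone opens the full HTML report.
function summariseAlerts(alerts) {
  const summary = { High: 0, Medium: 0, Low: 0, Informational: 0 };
  for (const alert of alerts) {
    if (alert.risk in summary) summary[alert.risk] += 1;
  }
  return summary;
}

// Equivalent of Quick Start > Automated Scan > Attack, followed by "Print the Report".
async function runAutomatedScan(target) {
  const { scan: spiderId } = await callJson("spider", "action", "scan", { url: target });
  await waitForScan("spider", spiderId);
  const { scan: ascanId } = await callJson("ascan", "action", "scan", { url: target });
  await waitForScan("ascan", ascanId);
  const { alerts } = await callJson("core", "view", "alerts", { baseurl: target });
  const reportRes = await fetch(zapApiUrl("core", "other", "htmlreport", {}, "OTHER"));
  return { summary: summariseAlerts(alerts), reportHtml: await reportRes.text() };
}

// Only runs against a live ZAP when a target is supplied, e.g.
//   ZAP_API_KEY=... ZAP_TARGET=http://localhost:3000 node zap-quickscan.js
if (process.env.ZAP_TARGET) {
  runAutomatedScan(process.env.ZAP_TARGET)
    .then((result) => {
      console.log(JSON.stringify(result.summary));
      require("fs").writeFileSync("zap-report.html", result.reportHtml);
    })
    .catch((err) => { console.error(err.message); process.exit(1); });
}
```

The written `zap-report.html` is the same HTML report the GUI produces from Report > Generate HTML Report, and the printed summary mirrors the risk counts shown in the Alerts tab.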
The screen below illustrates the results of the attack.
The second vulnerability found shows the improper use of operating system
commands within the web application, allowing attackers to abuse these commands to read
files stored on the server hosting the web application.
Print the Report