PenTesting with OWASP ZAP: Mastery course

Master Security Testing with OWASP ZAP | Pentest web applications effectively

  • (5.0)

Course Overview

The ZAP is a fine-grained tool that every penetration testers, hacker, developers must have in their arsenal and hence required a solid understanding and through training to perform security testing from its core. ZAP can work with and integrate with many tools in the hacking, penetration testing segment such as SQLmap, Nmap, Burp suite, Nikto and every tool inside kali Linux. Invoking with burp gives much flexibility to combine the power of ZAP and burp suite at the same time and incomplete order.

[+] Some special features of the ZAP

·         Quickstart using “point and shoot”

·         Intercepting proxy with liked browser

·         Proxying through zap then scanning

·         Manual testing with automated testing

·         ZAP HUD mode, to test apps and attack in a single page

·         Attack modes for different use cases.

·         Active scanning with passive scanning

·         A requester for Manual testing

·         Plug-n-hack support

·         Can be easily integrated into CI/CD

·         Powerful REST-based API

·         Traditional AJAX spider

·         Support for the wide range of scripting languages

·         Smart card support

·         Port scanning

·         Parameter analysis

·         Invoking and using other apps I.e: Burp suite

·         Session management

·         Anti-CSRF token handling

·         Dynamic SSL certificates support

And much more...

[+] Course materials

·         Offline access to read PDF slides

·         8+ Hours of Videos lessons

·         Self-paced HTML/Flash

·         Access from PC, TABLETS, SMARTPHONES.

·         PDF Slide

[+] Below are the Vulnerabilities that ZAP security tests against a web application & webserver to hunt for loopholes

Path Traversal, Remote File Inclusion, Source Code Disclosure - /WEB-INF folder, Server Side Include, Cross-Site Scripting (Reflected)

Cross-Site Scripting (Persistent) - Prime, Cross-Site Scripting (Persistent) - Spider, Cross-Site Scripting (Persistent), SQL Injection

Server-Side Code Injection, Remote OS Command Injection, Directory Browsing, External Redirect, Buffer Overflow Medium

Format String Error, CRLF Injection Medium, Parameter Tampering, Script Active Scan Rules, Remote Code Execution - Shell Shock

Anti CSRF Tokens Scanner, Heartbleed OpenSSL Vulnerability, Cross-Domain Misconfiguration, Source Code Disclosure - CVE-2012-1823

Remote Code Execution - CVE-2012-1823, Session Fixation, SQL Injection - MySQL, SQL Injection - Hypersonic SQL, SQL Injection - Oracle

SQL Injection - PostgreSQL, Advanced SQL Injection, XPath Injection, XML External Entity Attack, Generic Padding Oracle

Expression Language Injection, Source Code Disclosure - SVN, Backup File Disclosure, Integer Overflow Error, Insecure HTTP Method

HTTP Parameter Pollution scanner, Possible Username Enumeration, Source Code Disclosure - Git, Source Code Disclosure - File Inclusion

Httpoxy - Proxy Header Misuse, LDAP Injection, SQL Injection - SQLite, Cross-Site Scripting (DOM Based), SQL Injection - MsSQL

Example Active Scanner: Denial of Service, An example active scan rule which loads data from a file, Cloud Metadata Potentially Exposed

Relative Path Confusion, Apache Range Header DoS, User-Agent Fuzzer, HTTP Only Site, Proxy Disclosure, ELMAH Information Leak

Trace.axd Information, .htaccess Information, .env Information Leak, XSLT Injection.

What are the requirements?

  • Understanding of Web applications

What am I going to get from this course?

  • ZAP tool mastery for security testing
  • Uncover hidden bugs and vulnerabilities
  • Invoke hacking applications in ZAP
  • Use ZAP for Bug bounty hunting
  • Penetration testing web applications
  • Use ZAP and burp suite at the same time
  • Know the hidden power of ZAP to assess web applications
  • Use SQLmap, Nmap, Nikto and all tools in kali linux with and in ZAP UI simultaneously

What is the target audience?

  • Ethical hacker
  • Web application security tester
  • Web Developer
  • Penetration tester

About the Author

We at SkillRary strive to provide simple yet powerful training or tuition on all domains. This organization has started with a mindset to share the knowledge that the internet or an individual has in a progressive manner. SkillRary is an online training programme, trying to get the best content for all on a very low cost and thereby helping everyone with a digital schooling and online education.  

SkillRary provides computer based training (CBT), distance learning or e-learning, that takes place completely on the internet. The courses involve a variety of multimedia elements, including graphics, audio, video, and web-links which can be accessed to the enrolled clients.

In addition to presenting course materials and content, SkillRary gives the students the opportunity for live interactions and real-time feedback in the form of quizzes and tests. Interactions between the instructor and students are also conducted via chat, e-mail or other web-based communication. Unlike any other, we here also let the students know which module has to be gone through first. All the modules are placed according to the lesson plans so that students will know what to refer first.

SkillRary is self-paced and customizable to suit an individual's specific learning needs. Therefore it can be conducted at any time and place, provided there is a computer or smartphone with high-speed internet access. This makes it very convenient to the users who can modify their training to fit into their day-to-day schedule. All our users will be able to use our eLearning system to its full capacity.

Course Curriculum

Introduction
1 Video Lectures | 00:23:34

  • Introduction to OWASP ZAP
    23:34
     

Configuration of ZAP
6 Video Lectures | 01:52:30

  • Installing ZAP on multi platform
    18:44
     
  • Six elements of the ZAP - Desktop UI
    12:15
     
  • ZAP marketplace and add-ons
    09:10
     
  • Scan policy manager - config
    24:49
     
  • Configuration of ZAP
    31:46
     
  • ZAP attack modes
    15:46
     

Attacking the applications with ZAP
15 Video Lectures | 04:37:56

  • Automated attacks within 5 minutes
    17:56
     
  • Spidering the target
    24:12
     
  • Fuzzing the target in action
    23:30
     
  • Active scanning the target
    22:11
     
  • Break points and Requestor - Repeater
    15:21
     
  • Authentication and session management
    25:23
     
  • Forced browsing DIRs and Files using ZAP
    12:22
     
  • Security testing in HUD mode - Heads-up display
    17:27
     
  • ZAP Scripting attacks and Recording Zest Script, Python, JavaScript
    24:13
     
  • Attack Surface Detector - SAST on ASP.NET MVC application
    18:08
     
  • Security testing with ZAP API
    15:14
     
  • Invoking applications into ZAP - SQLmap, Nmap, Nikto
    16:38
     
  • Invoking Burp suite into ZAP - Best strategy
    09:24
     
  • Other useful tools add-ons inside zap
    29:02
     
  • Generating Reports in multiple formats
    06:55
     

reviews

  • No reviews found