I was try find vulnerabilities in tha DVWA with the tool OWASP ZAP, later any try I can develop a script in python what to use the API OWASP and identify vulnerabilities.
I did make the follows steps:
1. Enable the API OWASP to let connexions and It can make the scan automate.
2. I know the parameters received by the request; It's username, password and user token.
3. I undertand the process or flow what the tool OWASP do, for example; first define the context, second run a spider then execute a scan pasive and later execute active scan, finally generate the report.
Now what I know the basic functionality of that tool, I will write a script to automate scan. I did forget say what I use the library or package zap-proxy.
1. Import the libraries
2. Create a Construct of Class with parameters
3. I did create the function to login in the web application
6. Finally I did define the functions to create the reports in format html and json.
In the window "Alertas" I can see all the vulnerabilities identify, all these haven't 100% success. I will check because it application web DVWA is behind a WAF AWS and Cloudflare.
8. In the terminal too I will see the output or step a step execute of the script in python.
No hay comentarios:
Publicar un comentario