RedTeam
Others
API
Notes
2.Scanning-and-Enumeration
Scanning API

Finding Security Misconfigurations

ZapProxy (OWASP)

  • There is two way of scanning API from ZapProxy

Automated Scanning (Via YML file)

- Launch an automated scan and way until completing
- Select the import button and chose your YML file (This should launch a new scan)
- Relaunch a scan to expand the research

![[Pasted image 20221123144033.png]]

Manual Scanning (Best Option)

- Launch a manual scan (options)
- Once the browser open, select continue to the target
- Now, you can turn attack mode on and create an account
- Once you have an account (Valid token), you can start using spider/active scan options while your visiting each page and testing each options (like in the active reconnaissance step)
- Once done, you should have many request and website on ZAP. You can now select the website and "include in context" to only target this website (in view mode)
  • Using a manual scan will help you find more vulnerability directly from the ZAP platform

![[Pasted image 20221123144101.png]]