
OWASP ZAP 2.4.0 - Penetration Testing Tool for Testing Web Applications

Topic in the section "Software [All programs]", created by user bios, 21 Apr 2015.

  1. bios

    The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

    It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.

    Release 2.4.0

    ZAP 2.4.0 has been released, which includes:

    Attack Mode
    Advanced Fuzzing
    Scan Policies
    Scan Dialogs with Advanced Options
    Hiding Unused Tabs
    New Add-ons
    New Scan Rules
    Changed Scan Rules
    More User Interface Changes
    Extended API Support
    Internationalized Help Add-ons

    ‘Attack’ Mode
    A new ‘attack’ mode has been added that means that applications that you have specified are in scope are actively scanned as they are discovered.

    Advanced Fuzzing
    A completely new fuzzing dialog has been introduced that allows multiple injection points to be attacked at the same time, as well as introducing new attack payloads, including the option to use scripts for generating the payloads and for pre- and post-attack manipulation and analysis.

    Scan Policies
    Scan policies define exactly which rules are run as part of an active scan.
    They also define how these rules run, influencing how many requests are made and how likely potential issues are to be flagged.
    The new Scan Policy Manager dialog allows you to create, import and export as many scan policies as you need. You can select any scan policy when you start an active scan, and also specify the one used by the new attack mode.
    Scan policy dialog boxes allow sorting by any column, and include a quality column (indicating if individual scanners are Release, Beta, or Alpha quality).

    Scan Dialogs with Advanced Options
    New Active Scan and Spider dialogs have replaced the increasing number of right click 'Attack' options. These provide easy access to all of the most common options and optionally a wide range of advanced options.

    Hiding Unused Tabs
    By default only the essential tabs are now shown when ZAP starts up.
    The remaining tabs are revealed when they are used (e.g. for the spider and active scanner) or when you display them via the special tab on the far right of each window with the green '+' icon. This special tab disappears if there are no hidden tabs.
    Tabs can be closed via a small 'x' icon which is shown when the tab is selected.
    Tabs can also be 'pinned' using a small 'pin' icon that is also shown when the tab is selected - pinned tabs will be shown when ZAP next starts up.

    New Add-ons
    Two significant new ‘alpha’ quality add-ons are available:

    Access Control Testing: adds the ability to automate many aspects of access control testing.
    Sequence Scanning: adds the ability to scan 'sequences' of web pages, in other words pages that must be visited in a strict order in order to work correctly.

    These can both be downloaded from the ZAP Marketplace.

    New Scan Rules
    A number of significant new ‘alpha’ quality scanners are available:

    Relative Path Confusion: Allows ZAP to scan for issues that may result in XSS, by detecting if the browser can be fooled into interpreting HTML as CSS.
    Proxy Disclosure: Allows ZAP to detect forward and reverse proxies between the ZAP instance and the origin web server / application server.
    Storability / Cacheability: Allows ZAP to passively determine whether a page is storable by a shared cache, and whether it can be served from that cache in response to a similar request. This is useful from both a privacy and application performance perspective. The scanner follows RFC 7234.

    Support has also been added for Direct Web Remoting as an input vector for all scan rules.

    Changed Scan Rules

    External Redirect: This plugin’s ID has been changed from 30000 to 20019, in order to more closely align with the established groupings. (This change may be of importance to **API Users**). Additionally some minor changes have been implemented to prevent collisions between injected values and in-page content, and improve performance. (Issues: 1529 and 1569)
    Session ID in URL Rewrite: This plugin has been updated with a minimum length check for the value of the parameters it looks for. A false positive condition was raised related to this plugin (Issue 1396) whereby sID=5 would trigger a finding. Minimum length for session IDs as this plugin interprets them is now eight (8) characters.
    Client Browser Cache: The active scan rule TestClientBrowserCache has been removed. Checks performed by the passive scan rule CacheControlScanner have been slightly modified. (Issue 1499)


    More User Interface Changes

    The ZAP splash screen is back: it now includes new graphics, a tips & tricks module, and loading/progress info.
    The active scan dialog shows the real plugin's progress status, based on the number of nodes that need to be scanned.
    There is a new session persistence options dialog that prompts the user for their preferred settings at startup (you can choose to “Remember” the option and not be asked again).
    For all Alerts the Risk field (False Positive, Suspicious, Warning) has been replaced with a more appropriately defined Confidence field (False Positive, Low, Medium, High, or Confirmed).
    Timestamps are now optionally available for the output tab.




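The Storability / Cacheability rule above follows RFC 7234. As an added example (not code from the OWASP ZAP project or from this post), the Python below applies the section 3 storability rules for a shared cache, plus the section 4.2.1 freshness-lifetime order, to request/response headers; the header values used with it are constructed for illustration.

```python
# Added example, not code from the OWASP ZAP project: a minimal RFC 7234
# storability / freshness check for a shared cache, in the spirit of the
# Storability / Cacheability passive scan rule described above.
from email.utils import parsedate_to_datetime
from typing import Dict, Optional, Tuple

HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}  # RFC 7231 6.1

def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control value into {directive: argument}, lower-cased."""
    directives: Dict[str, str] = {}
    for token in value.split(","):
        name, _, arg = token.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives

def shared_cache_may_store(method: str, status: int, req_headers: Dict[str, str],
                           resp_headers: Dict[str, str]) -> Tuple[bool, str]:
    """Apply the RFC 7234 section 3 rules for a shared cache; return (storable, reason)."""
    req = {k.lower(): v for k, v in req_headers.items()}
    resp = {k.lower(): v for k, v in resp_headers.items()}
    req_cc = parse_cache_control(req.get("cache-control", ""))
    resp_cc = parse_cache_control(resp.get("cache-control", ""))
    if method.upper() not in ("GET", "HEAD"):
        return False, "method not cacheable"
    if "no-store" in req_cc or "no-store" in resp_cc:
        return False, "no-store present"
    if "private" in resp_cc:  # a shared cache must never store private responses
        return False, "private response"
    # Authorization on the request blocks shared caching unless the response allows it (section 3.2)
    if "authorization" in req and not {"public", "must-revalidate", "s-maxage"} & set(resp_cc):
        return False, "Authorization request without explicit allowance"
    if "expires" in resp or {"max-age", "s-maxage", "public"} & set(resp_cc):
        return True, "explicit freshness or public"
    if status in HEURISTICALLY_CACHEABLE:
        return True, "status cacheable by default"
    return False, "no freshness information"

def freshness_lifetime(resp_headers: Dict[str, str]) -> Optional[int]:
    """Seconds a shared cache may serve the stored copy: s-maxage, then max-age, then Expires - Date."""
    resp = {k.lower(): v for k, v in resp_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))
    for directive in ("s-maxage", "max-age"):
        if cc.get(directive, "").isdigit():
            return int(cc[directive])
    if "expires" in resp and "date" in resp:
        delta = parsedate_to_datetime(resp["expires"]) - parsedate_to_datetime(resp["date"])
        return max(0, int(delta.total_seconds()))
    return None
```

Note that a plain 200 response with no Cache-Control header at all comes out as storable by a shared cache, which is exactly the privacy case the passive rule is meant to flag.
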
  2. NiceDay
    What does everyone think? Is it better than Acunetix?
     
