Finding files and folders with ZAP
OWASP ZAP (Zed Attack Proxy) is a very versatile tool for web security testing. It has a proxy, passive and active vulnerability scanners, fuzzer, spider, HTTP request sender, and some other interesting features. In this recipe, we will use the recently added "Forced Browse", which is the implementation of DirBuster inside ZAP.
For this recipe to work, we need to use ZAP as a proxy for our web browser:
- Start OWASP ZAP and, from the application's menu, navigate to: Applications | Kali Linux | Web Applications | Web Application Fuzzers | owasp-zap.
- In Mantra or Iceweasel, go to the main menu and navigate to Preferences | Advanced | Network, in Connection click on Settings…
- Chose a Manual proxy configuration ...