Finding files and folders with ZAP

OWASP ZAP (Zed Attack Proxy) is a very versatile tool for web security testing. It has a proxy, passive and active vulnerability scanners, a fuzzer, a spider, an HTTP request sender, and some other interesting features. In this recipe, we will use the recently added "Forced Browse", which is the implementation of DirBuster inside ZAP.

Getting ready

For this recipe to work, we need to use ZAP as a proxy for our web browser:

  1. Start OWASP ZAP and, from the application's menu, navigate to: Applications | Kali Linux | Web Applications | Web Application Fuzzers | owasp-zap.
  2. In Mantra or Iceweasel, go to the main menu and navigate to Preferences | Advanced | Network; under Connection, click on Settings…
  3. Choose Manual proxy configuration ...
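From the defender's side, a Forced Browse run like the one set up above leaves a recognisable trace: one client producing a burst of 404 responses for many distinct guessed paths in a short time. The following script is an added example, not code from the book or from ZAP; it parses constructed Common Log Format access-log lines (the regex and the thresholds `window_s` and `min_404` are assumptions) and flags clients whose 404 pattern looks like directory brute-forcing.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format (Apache-style); the layout is an assumption about the log source.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return (ip, timestamp, path, status) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def find_forced_browse(lines, window_s=60, min_404=20):
    """Map each suspicious client IP to the largest number of distinct paths that
    returned 404 within any sliding window of window_s seconds (>= min_404)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == 404:
            per_ip[rec[0]].append((rec[1], rec[2]))
    hits = {}
    for ip, events in per_ip.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most window_s seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, len({p for _, p in events[start:end + 1]}))
        if best >= min_404:
            hits[ip] = best
    return hits

# Constructed sample: 10.0.0.5 probes 30 guessed paths in 30 seconds (all 404),
# while 192.0.2.10 browses normally and hits a single missing file.
SAMPLE_LOG = [
    f'10.0.0.5 - - [10/Oct/2023:13:55:{i:02d} +0000] "GET /{name}{i}/ HTTP/1.1" 404 209'
    for i, name in enumerate(["admin", "backup", "old", "test", "tmp"] * 6)
] + [
    '192.0.2.10 - - [10/Oct/2023:13:55:10 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.10 - - [10/Oct/2023:13:55:12 +0000] "GET /missing.css HTTP/1.1" 404 209',
]

if __name__ == "__main__":
    print(find_forced_browse(SAMPLE_LOG))  # {'10.0.0.5': 30}
```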
