Finding files and folders with ZAP

OWASP ZAP (Zed Attack Proxy) is a very versatile tool for web security testing. It has a proxy, passive and active vulnerability scanners, fuzzer, spider, HTTP request sender, and some other interesting features. In this recipe, we will use the recently added "Forced Browse", which is the implementation of DirBuster inside ZAP.

Getting ready

For this recipe to work, we need to use ZAP as a proxy for our web browser:

  1. Start OWASP ZAP and, from the application's menu, navigate to: Applications | Kali Linux | Web Applications | Web Application Fuzzers | owasp-zap.
  2. In Mantra or Iceweasel, go to the main menu and navigate to Preferences | Advanced | Network, in Connection click on Settings…
  3. Chose a Manual proxy configuration ...

Get Kali Linux Web Penetration Testing Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.