INSC 561 Individual Project 3: Security Testing

1. Hands-On

Target: WebGoat
Tool: OWASP ZAP

Mapping the Application

Step 1: Automated Spider Scan

Starting from the initial login page of WebGoat, an initial spider scan was completed without authentication to see what an automated spider could identify. Figure 1 shows the spider scan being initiated from the WebGoat login page, and Figure 2 shows the results of the scan without authentication.

Figure 1. ZAP Spider Scan on WebGoat Target: Unauthenticated

From Figure 2, it can be seen that the results returned a few web pages and a number of resources for the application. For web pages, there is a login page, which is where the spider scan began, a registration page and another login page with a query string of "error." The last page is the error login page, indicating that the ZAP spider attempted to log in with blank credentials and failed. There are also other fetched resources such as CSS, some XML, some Bootstrap files and a robots.txt file, which could be useful later on.

Figure 2. Spider Scan Results for WebGoat Target: Unauthenticated

Step 2: Authenticate and Run Second Automated Spider Scan

The second step is to log in to WebGoat using user credentials. A page beyond the login is shown in Figure 3, which is the introduction lesson page. Figure 4 shows another automated spider scan being started from the introduction page now that authentication has been completed (the current session must also be set to "Active" in ZAP). The new automated spider results are shown in Figure 5.
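The two crawls above (unauthenticated from the login page, then authenticated with the session marked Active) can be driven from the ZAP REST API and compared, which makes the coverage gain from authentication explicit instead of something read off two screenshots. The script below is an added example, not part of the original report and not ZAP's own client library. It uses the ZAP API endpoints /JSON/spider/action/scan, /JSON/spider/action/scanAsUser, /JSON/spider/view/status and /JSON/spider/view/results; the ZAP address, API key, context and user ids, and the FakeZap responses (constructed to resemble the report's two result sets) are assumptions. Against a real ZAP instance, pass urllib.request.urlopen as the fetch callable instead of FakeZap.

```python
"""Run the ZAP spider unauthenticated and as a user, then diff the results.

Added example (not the report's or ZAP's own code). Endpoint names are the
ZAP REST API's; addresses, ids, keys and FakeZap data are assumptions.
"""
import io
import json
import time
from urllib.parse import parse_qsl, urlencode, urlparse

ZAP_BASE = "http://127.0.0.1:8080"      # assumed local ZAP API address
API_KEY = "changeme-api-key"            # placeholder; use your ZAP API key
STATIC_SUFFIXES = (".css", ".js", ".xml", ".png", ".ico", ".woff", ".woff2")


def api_url(base, component, kind, name, **params):
    """Build a ZAP API URL such as .../JSON/spider/view/status/?scanId=0."""
    params = {k: v for k, v in params.items() if v is not None}
    params["apikey"] = API_KEY
    return f"{base}/JSON/{component}/{kind}/{name}/?{urlencode(params)}"


def call(fetch, url):
    """Fetch an API URL with the given callable and decode the JSON body."""
    with fetch(url) as resp:
        return json.loads(resp.read().decode("utf-8"))


def spider(fetch, target, context_id=None, user_id=None, poll=0.5):
    """Run one spider scan to completion and return the URLs it reached.

    With context_id and user_id set, scanAsUser is used so the crawl carries
    the authenticated session (the session marked Active in the ZAP GUI).
    """
    if context_id is not None and user_id is not None:
        start = api_url(ZAP_BASE, "spider", "action", "scanAsUser",
                        contextId=context_id, userId=user_id, url=target)
    else:
        start = api_url(ZAP_BASE, "spider", "action", "scan", url=target)
    scan_id = call(fetch, start)["scan"]
    while int(call(fetch, api_url(ZAP_BASE, "spider", "view", "status",
                                  scanId=scan_id))["status"]) < 100:
        time.sleep(poll)
    return call(fetch, api_url(ZAP_BASE, "spider", "view", "results",
                               scanId=scan_id))["results"]


def classify(urls):
    """Split crawled URLs into pages, static resources and noteworthy files."""
    buckets = {"pages": [], "static": [], "noteworthy": []}
    for u in urls:
        path = urlparse(u).path.lower()
        if path.endswith(("/robots.txt", "/sitemap.xml")):
            buckets["noteworthy"].append(u)   # worth reading by hand later
        elif path.endswith(STATIC_SUFFIXES):
            buckets["static"].append(u)
        else:
            buckets["pages"].append(u)
    return buckets


def coverage_gain(unauth, auth):
    """URLs reached only once the spider carried an authenticated session."""
    return sorted(set(auth) - set(unauth))


class FakeZap:
    """Offline stand-in for a running ZAP; URL lists are constructed data."""
    UNAUTH = ["http://localhost:8080/WebGoat/login",
              "http://localhost:8080/WebGoat/register.mvc",
              "http://localhost:8080/WebGoat/login?error",
              "http://localhost:8080/WebGoat/css/main.css",
              "http://localhost:8080/WebGoat/robots.txt"]
    AUTH = UNAUTH + ["http://localhost:8080/WebGoat/welcome.mvc",
                     "http://localhost:8080/WebGoat/start.mvc",
                     "http://localhost:8080/WebGoat/service/lessonmenu.mvc"]

    def __init__(self):
        self.scans = {}

    def __call__(self, url):
        parts = urlparse(url)
        query = dict(parse_qsl(parts.query))
        if parts.path.endswith("/action/scan/"):
            self.scans["0"] = self.UNAUTH
            body = {"scan": "0"}
        elif parts.path.endswith("/action/scanAsUser/"):
            self.scans["1"] = self.AUTH
            body = {"scan": "1"}
        elif parts.path.endswith("/view/status/"):
            body = {"status": "100"}   # report the scan as finished at once
        elif parts.path.endswith("/view/results/"):
            body = {"results": self.scans[query["scanId"]]}
        else:
            raise ValueError(f"unexpected API call: {url}")
        return io.BytesIO(json.dumps(body).encode("utf-8"))


def demo(fetch=None):
    """Crawl twice and return (classified unauthenticated results, gain)."""
    fetch = fetch if fetch is not None else FakeZap()
    target = "http://localhost:8080/WebGoat/login"
    unauth = spider(fetch, target)
    auth = spider(fetch, target, context_id=1, user_id=1)   # assumed ids
    return classify(unauth), coverage_gain(unauth, auth)


if __name__ == "__main__":
    buckets, gain = demo()
    for kind, found in buckets.items():
        print(f"{kind}: {found}")
    print("reached only when authenticated:", gain)
```

The point of coverage_gain is the check a tester wants before trusting a crawl: if the authenticated run adds nothing beyond the login and register pages, the spider was not actually carrying the session, which is exactly the situation the "Active" session setting in ZAP is there to prevent.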