You want to find out as much info about a URL as possible really quickly.
Why? Well, you could be:
- A pentester just starting your week looking at a new set of apps
- A security professional who has just found out about a new public web app from your company you were not previously aware of
- A developer who has just been given an existing web app to maintain
So … ZAPit!
ZAP Chat Video
ZAPit is a new feature in 2.14.0 which performs a quick ‘reconnaissance’ scan of the URL specified. It currently only runs from the command line.
For more details see the ZAPit help page.
ZAP Chat Video Commands
The commands I used in the above video were:
Download and run bash in the ZAP stable docker image (not required if you have ZAP installed locally):
docker pull softwaresecurityproject/zap-stable
docker run -it softwaresecurityproject/zap-stable bash
Update ZAP and install Wappalyzer and the Beta Passive Scan Rules:
./zap.sh -cmd -addonupdate -addoninstall wappalyzer -addoninstall pscanrulesBeta
Run ZAP against example.com (or any other URL you specify):
./zap.sh -cmd -zapit https://www.example.com
Feedback
Do you think ZAPit will be useful to you?
Would you like it to do anything else?
Let us know via the ZAP User Group.
Credits
The social media background image is “A bright and powerful lightning bolt streaks across the sky.” by Wallpapers.com and is licensed under CC by 2.0.