Finding files and folders with ZAP
OWASP ZAP (Zed Attack Proxy) is a very versatile web security testing tool. It includes an intercepting proxy, passive and active vulnerability scanners, a fuzzer, a spider, a manual HTTP request editor, and several other useful features. In this recipe, we will use the recently added Forced Browse feature, which is the implementation of DirBuster inside ZAP: it takes a wordlist of common directory and file names, requests each of them from the target, and reports those that the server answers with something other than a "not found" response.
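To make concrete what Forced Browse does under the hood, here is an added example in plain Python; it is not code from the book or from the ZAP project. It implements the same idea DirBuster uses: every word in a list is requested as both a file and a directory, redirects are not followed (a 301 is itself evidence that the path exists), and any status other than 404 is reported. The wordlist, the contents of the local test server and the `proxy` argument are all constructed for the demo; if you pass `proxy="http://127.0.0.1:8080"` (ZAP's default listener, as configured in this recipe) the probes are routed through ZAP and show up in its History tab.

```python
"""Forced browsing (directory brute force) demo, standard library only."""
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Constructed wordlist: stands in for the directory-list file ZAP/DirBuster reads.
WORDLIST = ["admin", "backup", "images", "login", "phpmyadmin", "secret", "uploads"]

# Constructed contents of the local test server (an assumption for this demo):
# path -> status code it answers with. Everything else is a 404.
TEST_SITE = {"/admin/": 403, "/backup": 301, "/images/": 200, "/login": 200}

# Status codes that mean "something is there", even if we are not allowed to read it.
INTERESTING = (200, 204, 301, 302, 401, 403)


class _TestHandler(http.server.BaseHTTPRequestHandler):
    """Tiny stand-in for the target web server."""

    def do_GET(self):
        status = TEST_SITE.get(self.path, 404)
        self.send_response(status)
        if status == 301:
            self.send_header("Location", self.path + "/")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: returning None makes urllib raise HTTPError instead."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, proxy=None):
    """Return the HTTP status code for a single GET of url.

    proxy, if given, is a URL such as "http://127.0.0.1:8080" (ZAP's default
    listener); an empty ProxyHandler also ignores any http_proxy in the environment.
    """
    handlers = [_NoRedirect(), urllib.request.ProxyHandler({"http": proxy} if proxy else {})]
    opener = urllib.request.build_opener(*handlers)
    req = urllib.request.Request(url, headers={"User-Agent": "forced-browse-demo"})
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 3xx/4xx/5xx are answers, not failures


def forced_browse(base_url, wordlist, proxy=None):
    """Try every word as both a file and a directory under base_url.

    Returns {path: status} for every candidate that answered with an interesting status.
    """
    found = {}
    for word in wordlist:
        for candidate in (word, word + "/"):
            status = probe(urljoin(base_url, candidate), proxy)
            if status in INTERESTING:
                found["/" + candidate] = status
    return found


def run_demo(proxy=None):
    """Start the local test server, forced-browse it, and return the hits."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _TestHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = "http://127.0.0.1:%d/" % server.server_address[1]
    try:
        return forced_browse(base_url, WORDLIST, proxy)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Pass proxy="http://127.0.0.1:8080" to route the probes through ZAP.
    for path, status in sorted(run_demo().items()):
        print("%3d  %s" % (status, path))
```

Two details matter in practice and are easy to get wrong in a quick script: redirects must not be followed, otherwise `/backup` would be reported with the status of wherever it redirects to, and a 403 must be kept, since a forbidden directory is exactly the kind of hidden content a forced browse is meant to reveal.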
Getting ready
For this recipe to work, we need to use ZAP as a proxy for our web browser:
Start OWASP ZAP from Kali's Applications menu: navigate to Applications | Kali Linux | Web Applications | Web Application Fuzzers | owasp-zap.
In Mantra or Iceweasel, go to the main menu and navigate to Preferences | Advanced | Network, then, under Connection, click on Settings…
Choose Manual proxy configuration and set 127.0.0.1 as the HTTP proxy and 8080 as the port. Check the option to use the same proxy for all protocols and then click on OK. ZAP listens on 127.0.0.1, port 8080 by default; to confirm the proxy is working, load any page in the browser and check that it appears in ZAP's Sites tree.
Now, we need to tell ZAP the file where it is going to get the directory names from. Go to ZAP's menu and...