WEBVTT

00:01.080 --> 00:03.360
Hello everyone and welcome.

00:03.560 --> 00:10.560
In this video, we will learn about the ZAP proxy as a tool and run it using a UI interface and also

00:10.600 --> 00:12.680
using a CLI interface.

00:13.080 --> 00:15.240
So now let's go ahead and download this installer.

00:15.560 --> 00:21.360
Here they have provided different ways on different OSes and different download installers that you

00:21.360 --> 00:22.200
can use.

00:22.520 --> 00:27.800
I have used the Windows 64 installer since I'm running on the Windows operating system.

00:28.600 --> 00:35.840
You can use Linux installers, Mac and different packages that are here for downloading and installing

00:35.840 --> 00:38.480
for your operating system.

00:38.640 --> 00:45.400
You'll have to go here, ZAP proxy download, where it would provide all the download material.

00:45.640 --> 00:50.280
I went ahead and downloaded this and executed it on my end.

00:50.640 --> 00:53.640
I'll open the web UI and execute this.

00:54.120 --> 00:55.920
So here is what the tool looks like.

00:56.720 --> 00:58.600
There are different options available.

00:58.840 --> 01:00.680
Automated Scan, Manual

01:00.680 --> 01:02.560
Explore, and Learn More.

01:03.080 --> 01:05.600
I'll go ahead and click on the automated scan.

01:05.880 --> 01:09.360
And here's the URL that we want to check for the attack.

01:09.800 --> 01:15.400
They have this traditional spider option which you can go and read about the details on this spider

01:15.400 --> 01:17.240
experience that they offer.

01:17.560 --> 01:21.520
And then it also checks which browser you can run this against.

01:21.920 --> 01:28.200
So what I'm going to do is I'm going to use a website here by the name hackthissite.org.

01:29.080 --> 01:35.280
Here is where it's an open source site where it was built to check the different penetration testing

01:36.560 --> 01:39.560
that can be offered and be tested on this website.

01:39.800 --> 01:41.320
I'll go ahead and do attack.

01:41.800 --> 01:48.200
So what this tool would do is it would go and run the pen test on this website and collect all the information

01:48.200 --> 01:53.720
that it found that are vulnerable and could be fixed to make this site better.

01:54.880 --> 01:58.200
It takes a while for it to go through the entire process.

01:58.600 --> 02:03.360
I will go ahead and pause the video and resume it when it's done.

02:04.240 --> 02:09.130
So the tool is done executing the pentesting on this website.

02:09.130 --> 02:12.410
And if you notice here, here are the findings.

02:12.410 --> 02:15.450
Let's go ahead and pick the first one and see what the details are.

02:15.490 --> 02:20.330
For this particular finding, there are in total 27 findings.

02:20.730 --> 02:23.530
Out of that we picked up Absence of Anti-CSRF Tokens.

02:25.130 --> 02:27.250
So the URL it scanned here is this.

02:27.250 --> 02:29.210
And it says the risk is medium.

02:29.210 --> 02:37.410
And the description about this is that no anti-CSRF tokens were found in an HTML submission form.

02:37.890 --> 02:44.170
The cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to

02:44.210 --> 02:50.930
a target destination without their knowledge or intent, so that is the vulnerability that it found.

02:51.290 --> 02:52.530
Let's pick up another one.

02:52.570 --> 02:55.890
CSP: script-src unsafe-inline.

02:56.810 --> 03:00.250
The risk was medium and it is Content Security Policy.

03:00.570 --> 03:01.730
The description is here.

03:02.090 --> 03:07.810
So this is how the tool uses the UI interface to find the vulnerabilities for pen testing.

03:08.130 --> 03:11.570
Now let's go ahead and do the same thing using a CLI.

03:12.090 --> 03:14.730
So here I am on my Windows PowerShell.

03:15.050 --> 03:18.770
This is the root directory where I have my ZAP proxy installed.

03:19.010 --> 03:26.610
I'm going to use the command ZAP proxy for it to run and execute the URL from this location.

03:26.850 --> 03:29.250
Looks like I did not copy the right one.

03:29.450 --> 03:31.490
Let me get the right URL for this command.

03:31.770 --> 03:37.970
So here's the command: Java with the memory, ZAP 2.16.1.

03:38.010 --> 03:45.930
Using the quick URL as hackthissite.org, and run this as a command with quick progress and then execute

03:45.930 --> 03:46.450
this.

03:47.090 --> 03:50.970
This would do things very similarly that we did with the UI interface.

03:51.170 --> 03:53.970
The only difference is that it would be on the CLI.

03:54.810 --> 04:01.250
The reason I'm showing this to you is because we would use this feature, the CLI command and feature

04:01.250 --> 04:07.010
on our AI agent to do the advanced web scanning using AI agents.

04:07.130 --> 04:08.210
This will take a while.
