PenTesting with OWASP ZAP: Mastery course

Install zap across Windows, Linux, Mac, and Docker environments, using cross-platform packages, Homebrew Cask, and Docker images. Learn headless mode and basic setup for intercepting traffic.

Explore the six elements of the OWASP ZAP desktop UI—minibar, toolbar, context windows, workspace, information window, and the future window—and learn session persistence and scanning workflows.

Explore the Zap marketplace and add-ons, learn how to install, update, and uninstall tools, manage optional add-ons, and access community scripts and scripting options to customize testing workflows.

Configure the ZAP scan policy manager to tailor active scans by setting thresholds and attack strength, create and modify policies, and apply custom payloads and vectors for precise vulnerability testing.

Configure and secure the OWASP ZAP setup before testing, including SSL certificates, proxies, scan modes (active and passive), spider settings, API keys, and reporting options for practical web app assessment.

Explore ZAP attack modes, including safe, protected, standard, extended, and attack modes, and learn how scope and context define permissible actions and active scanning behavior.

Learn to perform automated and manual attacks with OWASP ZAP in under five minutes, comparing traditional and ADX spiders and exploring DOM-based XSS and MySQL vulnerabilities.

Explore how to spider a target with OWASP ZAP, configuring crawl rules, seeds, scope, and multithreaded settings, then compare traditional and Addax spider modes to reveal vulnerabilities.

Learn to configure and run fuzzing with OWASP ZAP, selecting payload categories, loading custom payloads, and testing for injection and dom based vulnerabilities with encoding, regex, and reflection detection.

Master active scanning in ZAP by spidering the target, configuring attack mode with input vectors and custom vectors, and analyzing alerts and response charts to uncover vulnerabilities.

Master breakpoints and the manual request editor in OWASP ZAP to intercept, modify, and replay requests, uncovering hidden fields and testing web application vulnerabilities.

Explore configuring and using the authentication system in OWASP ZAP to manage sessions with manual, form-based, cookie-based, and script-based methods, including force user mode and login indicators.

Learn to use zap's forced browse to uncover hidden directories and files by configuring options, adding custom payload lists, and filtering by extensions; always test on dummy applications.

Explore security testing with the zap HUD mode, learning to enable the heads up display, run active scans, spider targets, and analyze alerts and cross-site scripting findings.

Explore zap scripting attacks and recording zest scripts using python and javascript to extend active and passive rules, authentication, and proxy workflows in zap.

Showcases static code analysis with the attack surface detector plugin in OWASP ZAP to identify endpoints and parameters for an ASP.NET MVC application, enabling SAST insights.

Explore how to access Zap via its api to control all features from headless mode, configure api key and web ui, run spider and active scans, and automate security testing.

Configure and invoke external security tools like sqlmap, nmap, and Nikto within ZAP, passing site, host, port, cookies, and headers to orchestrate concurrent scans and share results in one console.

Learn to invoke Burp Suite into ZAP and run both tools together for coordinated proxy, interception, and spidering to assess a single target.

Explore additional Zap add-ons and tools, including token generation, regex testing, token analysis, access control checks, port scanning, and replacer, plus bean shell and text browser integrations.

Generate and export OWASP ZAP reports in multiple formats, including json and pdf, by examining risk labels, vulnerability details, parameters, and request methods to guide remediation.