applications settings in ZAP yesterday (https://www.hahwul.com/2019/07/easy-security-testing-with-applications-bridge-in-zap.html). I’m going to share some of the settings that I was writing separately today.
Let’s get started, my go-to settings :)
ZAP Send to Any tools
Send to burp scan(2.0)
Full Command: /usr/local/bin/curl
Parameters: -i -k 127.0.0.1:1337 -X POST -d '{"urls":["%url%"]}' -H 'Content-Type: application/json;'
Add scan burp
(https://www.hahwul.com/2018/09/burp-suite-rest-api-burp-2.0.html)
POST /scan HTTP/1.1
Host: 127.0.0.1:1337
{
"urls":["https://www.hahwul.com"]
}
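The curl entry above pastes %url% straight into a hand-written JSON string, so a URL containing a double quote or backslash produces a body the endpoint cannot parse. As an added example (not from the original post), this wrapper escapes the URL before posting it; the script name `zap2burp.sh`, the `BURP_API` variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): wrapper for "Send to burp scan".
# Assumed ZAP entry -> Full Command: /path/to/zap2burp.sh   Parameters: %url%
# zap2burp.sh, BURP_API and the function names are hypothetical.

# Same listener as the curl entry in the post; override if yours differs.
BURP_API="${BURP_API:-127.0.0.1:1337}"

# Escape backslash and double quote for a JSON string.
# Fails (status 1) if the value contains control characters such as newlines.
json_escape() {
  [ "$(printf '%s' "$1" | tr -d '[:cntrl:]')" = "$1" ] || return 1
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the {"urls":[...]} body from one or more http(s) URLs.
# Status 2: no URL or unsupported scheme; status 1: unescapable value.
burp_scan_body() {
  list=''
  for u in "$@"; do
    case $u in
      http://*|https://*) ;;
      *) return 2 ;;
    esac
    esc=$(json_escape "$u") || return 1
    list="${list:+$list,}\"$esc\""
  done
  [ -n "$list" ] || return 2
  printf '{"urls":[%s]}' "$list"
}

# POST the body with the same curl flags the post uses.
send_to_burp() {
  body=$(burp_scan_body "$@") || { echo "not sent: invalid URL" >&2; return 1; }
  curl -i -k "$BURP_API" -X POST -H 'Content-Type: application/json' -d "$body"
}

# Only send when ZAP (or you) passed at least one URL argument.
if [ "$#" -gt 0 ]; then
  send_to_burp "$@"
fi
```

With this in place the ZAP entry only needs %url% as its parameter, and the JSON quoting no longer lives in the Parameters field.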
Send to SQLMap
SQLMAP(GET)
Full Command: /usr/local/bin/sqlmap
Parameters: --dbs --no-cast --random-agent -u %url% --cookie %cookie%
SQLMAP(POST)
Full Command: /usr/local/bin/sqlmap
Parameters: --dbs --no-cast --random-agent -u %url% --cookie=%cookie% --data=%postdata%
Send to A2SV
Full Command: /usr/local/bin/a2sv
Parameters: -t %host% -p %port%
Send to ddp(dotdotpwn)
Full Command: /Users/hahwul/HAHWUL/tool/dotdotpwn/dotdotpwn.pl
Parameters: -m http-url -h %host% -u %url% -k "root:"
e.g. https://127.0.0.1/lib/file_download.asp?FilePath=TRAVERSAL
Send to Arachni
arachni
Full Command: /usr/local/bin/arachni-cli
Parameters: --output-verbose --scope-include-subdomains %url%
arachni (only xss)
Full Command: /usr/local/bin/arachni-cli
Parameters: %url% --checks=xss*
Send to Arjun
GET
Full Command: python3 arjun.py
Parameters: -u %url% --get --headers "Cookie: %cookie%"
POST
Full Command: python3 arjun.py
Parameters: -u %url% --post --headers "Cookie: %cookie%"
My Private Setting?
Secret :P
HAHWUL - Security engineer, Gopher and H4cker!
Thanks for part 2 too! Good stuff!!