If you’re looking for a great open-source vulnerability scanner, you can do a lot worse than ZAP (Zed Attack Proxy).
All features are free, unlike the likes of BurpSuite, and it is under active development, unlike Arachni. There is a good community that provides custom scripts on GitHub. It used to come as part of Kali, although recent releases haven't had it installed by default. That said, a simple apt-get command will install it on your Linux server. ZAProxy will also happily run on Windows if you prefer.
Once you start ZAProxy, you configure a port for it to run on under Local Proxy in the settings, then point your browser at that port in the browser's proxy settings. Then start browsing and watch your traffic appear.
As you can see from the screenshot above, ZAProxy starts working through the pages and showing alerts immediately.
Clicking on the Alerts tab allows you to drill into the types of alerts, which pages each was discovered on, and detailed information such as the exact section of a page which triggered the alert. It will take you some time to wrap your head around which alerts are important and which are most likely false positives or extremely low risk.
There are many scripts and free marketplace add-ons you can enable to have their various tests performed when you are browsing.
Not only can you scan your regular browsing, but with a single right-click you can spider (vulnerability test) all the detectable pages on a website or perform an attack (penetration test).
ZAProxy has all the features you could need, such as:
- Fuzzing
- Port Scanning
- Technology detection
- Spider
- Active/Passive/Standalone or targeted scripts (with the ability to easily add your own)
On top of all this, it has a fairly handy API. It used to have a Heads Up Display (HUD) which could update your live browsing, showing alerts on the webpage and making items such as hidden fields visible, but last I heard this was being deprecated in future versions.
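To make the alert triage mentioned earlier less of a slog, here is an added example (not from the original post or the ZAP project) that ranks alerts exported as JSON through the API. It assumes each record carries `alert`, `risk`, `confidence` and `url` fields; the sample records and the `triage` and `rank` helpers are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample shaped like an alerts export from the ZAP API
# (assumed fields: alert, risk, confidence, url). Not real scan output.
SAMPLE = json.loads("""
{"alerts": [
 {"alert": "SQL Injection", "risk": "High", "confidence": "Medium", "url": "http://app.example/item?id=1"},
 {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "confidence": "Medium", "url": "http://app.example/"},
 {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "confidence": "Medium", "url": "http://app.example/login"},
 {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Low", "url": "http://app.example/search?q=a"},
 {"alert": "Absence of Anti-CSRF Tokens", "risk": "Medium", "confidence": "False Positive", "url": "http://app.example/login"},
 {"alert": "Information Disclosure - Suspicious Comments", "risk": "Informational", "confidence": "Low", "url": "http://app.example/"}
]}
""")

RISK = ["Informational", "Low", "Medium", "High"]  # list index = rank
CONFIDENCE = ["Low", "Medium", "High"]


def rank(scale, label):
    """Position of a label on its scale; unknown labels rank lowest."""
    return scale.index(label) if label in scale else 0


def triage(alerts, min_risk="Low"):
    """Group alerts by type, drop false positives and anything below
    min_risk, and return (name, risk, confidence, url_count) rows with
    the highest-risk, highest-confidence, most widespread types first."""
    groups = defaultdict(lambda: [0, 0, set()])  # risk, confidence, URLs
    for a in alerts:
        if a.get("confidence") == "False Positive":
            continue
        g = groups[a["alert"]]
        g[0] = max(g[0], rank(RISK, a.get("risk")))
        g[1] = max(g[1], rank(CONFIDENCE, a.get("confidence")))
        g[2].add(a.get("url"))
    floor = rank(RISK, min_risk)
    rows = [(n, r, c, len(u)) for n, (r, c, u) in groups.items() if r >= floor]
    rows.sort(key=lambda x: (-x[1], -x[2], -x[3], x[0]))
    return [(n, RISK[r], CONFIDENCE[c], k) for n, r, c, k in rows]


if __name__ == "__main__":
    for name, risk, conf, count in triage(SAMPLE["alerts"]):
        print(f"{risk:<8}{conf:<8}{count:>3} URL(s)  {name}")
```

Raising `min_risk` to `"Medium"` or `"High"` shortens the list further once the header-level findings have been reviewed.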
All in all – give it a try and you won't regret it.