
secdec / attack-surface-detector-zap

Licence: MPL-2.0 license
The Attack Surface Detector uses static code analysis to identify web app endpoints by parsing routes and identifying parameters.

Programming Languages

java
68154 projects - #9 most used programming language

Projects that are alternatives of or similar to attack-surface-detector-zap

astam-correlator
Vulnerability consolidation and management tool, enhances scan results by merging different findings of the same weakness across multiple static/dynamic scans
Stars: ✭ 22 (-57.69%)
Mutual labels:  vulnerability, dast
vulnerablecode
A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
Stars: ✭ 269 (+417.31%)
Mutual labels:  vulnerability
raptor infiltrate20
#INFILTRATE20 raptor's party pack
Stars: ✭ 24 (-53.85%)
Mutual labels:  vulnerability
Android-LDoS
No description or website provided.
Stars: ✭ 15 (-71.15%)
Mutual labels:  vulnerability
PwnX.py
🏴‍☠️ Pwn misconfigured sites running ShareX custom image uploader API through chained exploit
Stars: ✭ 30 (-42.31%)
Mutual labels:  vulnerability
awesome-log4shell
An Awesome List of Log4Shell resources to help you stay informed and secure! 🔒
Stars: ✭ 194 (+273.08%)
Mutual labels:  vulnerability
TokenBreaker
JSON RSA to HMAC and None Algorithm Vulnerability POC
Stars: ✭ 51 (-1.92%)
Mutual labels:  vulnerability
reconmap
Vulnerability assessment and penetration testing automation and reporting platform for teams.
Stars: ✭ 242 (+365.38%)
Mutual labels:  vulnerability
Find-PHP-Vulnerabilities
🐛 A plug-in of sublime 2/3 which is able to find PHP vulnerabilities
Stars: ✭ 57 (+9.62%)
Mutual labels:  vulnerability
CVE-2020-1611
Juniper Junos Space (CVE-2020-1611) (PoC)
Stars: ✭ 25 (-51.92%)
Mutual labels:  vulnerability
vulristics
Extensible framework for analyzing publicly available information about vulnerabilities
Stars: ✭ 46 (-11.54%)
Mutual labels:  vulnerability
prl guest to host
Guest to host VM escape exploit for Parallels Desktop
Stars: ✭ 26 (-50%)
Mutual labels:  vulnerability
hacking-resources
Hacking resources and cheat sheets. References, tools, scripts, tutorials, and other resources that help offensive and defensive security professionals.
Stars: ✭ 1,386 (+2565.38%)
Mutual labels:  vulnerability
TIGER
Python toolbox to evaluate graph vulnerability and robustness (CIKM 2021)
Stars: ✭ 103 (+98.08%)
Mutual labels:  vulnerability
firmeye
IoT firmware vulnerability discovery tool
Stars: ✭ 133 (+155.77%)
Mutual labels:  vulnerability
scan-cli-plugin
Docker Scan is a Command Line Interface to run vulnerability detection on your Dockerfiles and Docker images
Stars: ✭ 135 (+159.62%)
Mutual labels:  vulnerability
hack
Kubernetes security and vulnerability tools and utilities.
Stars: ✭ 56 (+7.69%)
Mutual labels:  vulnerability
vulnerability-lab
Vulnerability research
Stars: ✭ 379 (+628.85%)
Mutual labels:  vulnerability
python-sdk
Python SDK to access the vulnerability database
Stars: ✭ 22 (-57.69%)
Mutual labels:  vulnerability
smartbugs
SmartBugs: A Framework to Analyze Solidity Smart Contracts
Stars: ✭ 222 (+326.92%)
Mutual labels:  vulnerability


Summary

During web application penetration testing, it is important to enumerate your application's attack surface. While Dynamic Application Security Testing (DAST) tools (such as Burp Suite and ZAP) are good at spidering to identify application attack surfaces, they will often fail to identify unlinked endpoints and optional parameters. Endpoints and parameters that are not found often go untested, which can leave your application open to an attacker. The Attack Surface Detector is a plugin for OWASP ZAP that figures out the endpoints of a web application, the parameters these endpoints accept, and the data type of those parameters. This includes unlinked endpoints that a spider won't find in client-side code and optional parameters that are entirely unused in client-side code. The plugin then imports this data into ZAP so you can view the results or work with the detected endpoints and parameters from the target site map.

How it Works

The Attack Surface Detector uses static code analysis to identify web app endpoints by parsing routes and identifying parameters (with supported languages and frameworks).

Supported Frameworks:

  • C# / ASP.NET MVC
  • C# / Web Forms
  • Java / Spring MVC
  • Java / Struts
  • Java JSP
  • Python / Django
  • Ruby / Rails
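
A simplified illustration of the route-and-parameter parsing described above, for the Python / Django case. This is an added example, not the plugin's code or its analysis engine; the sample sources, the function names and the list of spidered paths are constructed for illustration.

```python
import ast
import re
# Constructed urls.py / views.py for a hypothetical Django app (not the plugin's code).
URLS_SRC = '''
urlpatterns = [
    path("accounts/<int:account_id>/", views.account_detail),
    path("search/", views.search),
    path("internal/export/", views.export_all),
]
'''
VIEWS_SRC = '''
def account_detail(request, account_id):
    return render(request, "account.html")
def search(request):
    return results(request.GET.get("q"), verbose=request.GET.get("debug"))
def export_all(request):
    return dump(request.POST["format"])
'''
PATH_PARAM = re.compile(r"<(?:(\w+):)?(\w+)>")  # Django converter syntax <type:name>

def view_params(views_src):
    """Map view name -> sorted (method, name) pairs read from request.GET / request.POST."""
    params = {}
    for fn in (n for n in ast.walk(ast.parse(views_src)) if isinstance(n, ast.FunctionDef)):
        found = set()
        for node in ast.walk(fn):
            src = key = None
            if isinstance(node, ast.Call) and node.args and getattr(node.func, "attr", "") == "get":
                src, key = node.func.value, node.args[0]   # request.GET.get("q")
            elif isinstance(node, ast.Subscript):
                src, key = node.value, node.slice          # request.POST["format"], Python 3.9+
            if getattr(src, "attr", "") in ("GET", "POST") and isinstance(key, ast.Constant):
                found.add((src.attr, key.value))
        params[fn.name] = sorted(found)
    return params

def attack_surface(urls_src, views_src):
    """Map each route template to its (location, name, type) parameters."""
    views, surface = view_params(views_src), {}
    for node in ast.walk(ast.parse(urls_src)):
        if isinstance(node, ast.Call) and getattr(node.func, "id", "") == "path" and len(node.args) > 1:
            route, view = "/" + node.args[0].value, getattr(node.args[1], "attr", "")
            in_path = [("PATH", n, t or "str") for t, n in PATH_PARAM.findall(route)]
            surface[route] = in_path + [(m, n, "str") for m, n in views.get(view, [])]
    return surface

def unlinked(surface, spidered):
    """Routes defined in code that match none of the concrete paths a spider visited."""
    as_regex = {r: "[^/]+".join(map(re.escape, re.split(r"<[^>]+>", r))) for r in surface}
    return sorted(r for r, rx in as_regex.items() if not any(re.fullmatch(rx, p) for p in spidered))
```

Given a spider that only reached /accounts/42/ and /search/, `unlinked` reports /internal/export/ as untested, and the surface for /search/ includes the `debug` parameter that no client-side link would reveal.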

To see a brief demonstration of the Attack Surface Detector, you can check it out here:

Note: this demonstration is based on the plugin built for Portswigger's Burp Suite. Implementation and operations are nearly identical for the ZAP plugin.

Installing the Plugin

  1. Detailed install instructions.

For Developers & Contributors

Build Instructions

  1. Install Maven - https://maven.apache.org/install.html
  2. Clone the Attack Surface Detector repository - https://github.com/secdec/attack-surface-detector-zap
  3. Navigate to the source code directory
  4. Open a new terminal and run the command mvn clean package
  5. The plugin will be located in the target folder, named attacksurfacedetector-release-#.zap

License

Licensed under the MPL License.
