It might be beneficial to use $subj during development process to test security of our Web UI/Pages.
This effort should be combined with development of Web UI integration tests (probably in Selenium). Tests will serve as a foundation for active scanner.
Currently ZAP can't parse JSON requests; we should wait for the implementation of this feature, otherwise the usability of ZAP will be limited.
- skipfish http://code.google.com/p/skipfish/
- w3af http://w3af.org/
- Wapiti http://wapiti.sourceforge.net/
$ skipfish -MEU -S /usr/share/skipfish/dictionaries/complete.wl \
-W new_dict.wl \
-C "AuthCookie=value" \
-o output_dir1 http://foo.bar.com/dashboard
The CLI switches I used for the above scan are fairly minimal and can be fine-tuned to get more meaningful reports.
Another related tool is ratproxy -- http://code.google.com/p/ratproxy/, which also helped me previously.
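An added example (not code from this ticket or the project) of the workflow proposed in the description: once the Selenium tests have driven the browser through ZAP so its site tree holds the exercised pages, a small standard-library script kicks off ZAP's active scanner over the ZAP JSON API, waits for it, and fails the run if any alert reaches a chosen risk level. The ZAP address, API key and target URL are assumptions.

```python
"""Run OWASP ZAP's active scanner after a proxied Selenium test run.
Assumes ZAP listens on localhost:8080 (constructed example) and that the
browser used by the Selenium tests was pointed at it as its HTTP proxy,
so the pages the tests visited are already in ZAP's site tree."""
import json
import time
import urllib.parse
import urllib.request

ZAP = "http://localhost:8080"   # assumed ZAP proxy/API address
API_KEY = "changeme"            # placeholder: set to the ZAP instance's API key
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL, e.g. .../JSON/ascan/action/scan/?url=..."""
    params["apikey"] = API_KEY
    return f"{ZAP}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)


def call(component, kind, name, **params):
    """Issue one API request and decode the JSON reply."""
    with urllib.request.urlopen(api_url(component, kind, name, **params)) as resp:
        return json.load(resp)


def active_scan(target, poll=5):
    """Start an active scan of `target`, block until it completes, and
    return the alerts ZAP recorded for that base URL."""
    scan_id = call("ascan", "action", "scan", url=target, recurse="true")["scan"]
    while int(call("ascan", "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll)
    return call("core", "view", "alerts", baseurl=target)["alerts"]


def gate(alerts, threshold="Medium"):
    """Return (passed, counts): alerts per risk level, and passed=False if
    any alert is at or above `threshold`, so CI can fail the build."""
    counts = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    worst = max((RISK_ORDER[r] for r in counts), default=-1)
    return worst < RISK_ORDER[threshold], counts


if __name__ == "__main__":
    import sys
    passed, counts = gate(active_scan("http://foo.bar.com/dashboard"))
    print(counts)
    sys.exit(0 if passed else 1)
```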
Metadata Update from @pvoborni:
- Issue assigned to pvoborni
- Issue set to the milestone: Ticket Backlog