It might be beneficial to use $subj during the development process to test the security of our Web UI/Pages.
This effort should be combined with the development of Web UI integration tests (probably in Selenium). The tests will serve as a foundation for the active scanner.
Currently ZAP can't parse JSON requests [1]; we should wait for the implementation of this feature, otherwise the usability of ZAP will be limited.
[1] http://code.google.com/p/zaproxy/issues/detail?id=302&start=100
Similar tools:
- skipfish http://code.google.com/p/skipfish/
- w3af http://w3af.org/
- Wapiti http://wapiti.sourceforge.net/
    $ skipfish -MEU -S /usr/share/skipfish/dictionaries/complete.wl \
        -W new_dict.wl \
        -C "AuthCookie=value" \
        -o output_dir1 http://foo.bar.com/dashboard
The CLI switches I used for the above scan are fairly minimal and can be fine-tuned to get more meaningful reports.
Documentation: https://code.google.com/p/skipfish/wiki/SkipfishDoc
Another related tool is ratproxy -- http://code.google.com/p/ratproxy/ , which also helped me previously.
Metadata Update from @pvoborni:
- Issue assigned to pvoborni
- Issue set to the milestone: Ticket Backlog