
Set manual DNS entries for the exam hosts, or block the exam domain in your DNS server. The exam VPN connection will drop at random intervals, and if the exam names keep resolving through your normal resolver while the tunnel is down, you may end up targeting actual servers on the internet instead of the lab.

Spend some time on your recon phase. Spiders will crawl your target for you and output every link in scope. Burp Suite is awesome, but I'd recommend OWASP ZAP's spiders: ZAP also ships an integrated AJAX Spider, which drives a browser to crawl JavaScript-driven pages that a classic spider misses.

SQL injection, XSS and friends: remember that you can try to inject almost everywhere. Try every field, every header, everything that comes to mind. If there are 69 different POST parameters, make sure to test each and every one of them.

Errors are your friends. If you see any kind of error, get excited, because you never know: that last one might be exploitable.
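The DNS point above is easy to get wrong silently, so here is an added pre-flight check (example code, not from the original post or from any exam provider). It assumes the exam hosts have been pinned in an /etc/hosts-style file and that the lab lives in a private range (the `10.10.0.0/16` network, the `exam-target.example` hostname and the sample hosts text are all made up for the example); it refuses to report a target as usable unless the name resolves into that range, which is exactly what stops a dropped tunnel from sending your payloads to a stranger's server.

```python
"""Pre-flight check: does the exam target still resolve into the lab?

Added example, not from the original post. LAB_NETS, the hostname and the
sample hosts text below are assumptions for illustration; adjust them to
your own exam setup.
"""
import ipaddress
import socket

# Assumption: the lab sits in this private range. Anything outside it is
# treated as "the real internet" and rejected.
LAB_NETS = [ipaddress.ip_network("10.10.0.0/16")]


def is_lab_address(ip: str, nets=LAB_NETS) -> bool:
    """True only when ip parses and lies inside one of the allowed lab networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def hosts_entries(text: str) -> dict:
    """Parse /etc/hosts-style text into {hostname: ip}, ignoring comments and blanks."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries[name.lower()] = ip
    return entries


def check_target(hostname: str, resolver=socket.gethostbyname) -> tuple:
    """Resolve hostname with the given resolver and say whether it is safe to hit.

    Returns (ok, message). The resolver is injectable so the check can be run
    against a pinned hosts map as well as the live system resolver.
    """
    try:
        ip = resolver(hostname)
    except OSError as exc:
        return False, f"{hostname}: resolution failed ({exc})"
    if is_lab_address(ip):
        return True, f"{hostname} -> {ip} (inside lab range)"
    return False, f"{hostname} -> {ip} is NOT in the lab range; refusing to continue"


# Constructed sample hosts file, not a real exam file.
SAMPLE_HOSTS = """# pinned exam hosts (constructed example)
10.10.5.20   exam-target.example
"""

if __name__ == "__main__":
    pins = hosts_entries(SAMPLE_HOSTS)
    # First check the pinned entry, then what the live resolver actually returns;
    # the second call is the one that catches a dropped VPN.
    for resolve in (lambda h: pins[h.lower()], socket.gethostbyname):
        ok, msg = check_target("exam-target.example", resolver=resolve)
        print(("OK  " if ok else "STOP") + " " + msg)
```

Run it before each scanning session; if the live-resolver line prints STOP while the pinned line prints OK, your hosts pin is not being honoured (or the tunnel is down) and nothing should be sent until that is fixed.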

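"Test each and every one" and "errors are your friends" are two halves of one loop, so here is an added example (not from the original post) that mechanises both: it takes a captured POST body, tampers exactly one parameter per request so any hit is attributable, and classifies the responses against a few common backend error signatures. The request body, the payload list and `fake_send_probe` are constructed stand-ins; replace `fake_send_probe` with a real `requests.post` against your in-scope target, and run the same loop over headers and cookies, which are parameters too.

```python
"""Probe every POST parameter one at a time and flag leaked backend errors.

Added example, not from the original post. CAPTURED_BODY, PAYLOADS and
fake_send_probe are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, urlencode

# Low-noise probes: SQL syntax breakage, a markup breakout, a traversal attempt.
PAYLOADS = ["'", "\"><svg/onload=1>", "../../../../etc/passwd"]

# Error signatures worth getting excited about: (regex, label).
ERROR_SIGNATURES = [
    (re.compile(r"You have an error in your SQL syntax", re.I), "MySQL syntax error"),
    (re.compile(r"unterminated quoted string|pg_query\(\)", re.I), "PostgreSQL error"),
    (re.compile(r"Unclosed quotation mark|ODBC SQL Server Driver", re.I), "MSSQL error"),
    (re.compile(r"ORA-\d{5}"), "Oracle error"),
    (re.compile(r"Warning: .*? on line \d+|Fatal error:", re.I), "PHP warning/fatal"),
    (re.compile(r"Traceback \(most recent call last\)"), "Python traceback"),
]


def build_probes(body: str, payloads=PAYLOADS):
    """Yield (param, payload, mutated_body), tampering one field per request."""
    params = parse_qsl(body, keep_blank_values=True)
    for i, (name, value) in enumerate(params):
        for payload in payloads:
            mutated = list(params)
            mutated[i] = (name, value + payload)  # append, keep the other fields valid
            yield name, payload, urlencode(mutated)


def classify_error(response_body: str):
    """Return the label of the first matching error signature, or None."""
    for pattern, label in ERROR_SIGNATURES:
        if pattern.search(response_body):
            return label
    return None


def fake_send_probe(mutated_body: str) -> str:
    """Constructed target: only the 'search' field reaches an unescaped query."""
    fields = dict(parse_qsl(mutated_body, keep_blank_values=True))
    if "'" in fields.get("search", ""):
        return ("<html>You have an error in your SQL syntax; check the manual "
                "that corresponds to your MySQL server version near ''' at line 1</html>")
    return "<html>0 results</html>"


def find_error_leaks(body: str, send=fake_send_probe):
    """Fire every probe at every parameter and collect (param, payload, label) hits."""
    hits = []
    for name, payload, mutated in build_probes(body):
        label = classify_error(send(mutated))
        if label:
            hits.append((name, payload, label))
    return hits


# Constructed capture of a four-parameter POST body.
CAPTURED_BODY = "user=alice&search=widgets&page=1&sort=asc"

if __name__ == "__main__":
    for name, payload, label in find_error_leaks(CAPTURED_BODY):
        print(f"[!] param={name!r} payload={payload!r} -> {label}")
```

The one-field-at-a-time rule matters more than the payload list: if you tamper several fields in one request and the server errors, you still do not know which one did it, and that is the field you will spend the next hour on.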