Owasp Zap and Amazon

I don't have much experience of penetration testing, but I am currently looking at OWASP Zap.

The website I am going to pentest runs on an Amazon EC2 instance. Amazon seems to have certain requirements when it comes to security testing: https://aws.amazon.com/security/penetration-testing/

The above website says that you can run security tests on an Amazon EC2 instance but not certain ones such as DNS zone walking, DoS, etc., which is fair enough.

The problem is that I can't see exactly what OWASP Zap will do when I click the "Attack" button and I obviously don't want to upset AWS!

Has anyone else used OWASP Zap on an EC2 instance? Did you have to configure it to not do DoS attacks, etc.? Is there any way I can find out what Zap is doing (I couldn't see anything in the documentation but may have missed something)?

Yes, I've done that. ZAP does not deliberately attempt DoS attacks (or any other attacks intended to cause damage) but it can still 'take out' insecure or badly configured applications. If you have permission from the website owner then they hopefully won't complain to Amazon and then you'll be ok.

For details of the scan rules ZAP uses see https://www.zaproxy.org/docs/alerts/ - those pages link to the relevant source code so that should provide you with more than enough detail ;)
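As an added example (not part of the question or answer above, and not ZAP project code), here is one way to answer "what will Zap do when I press Attack" from a script rather than by reading the alert pages: ask ZAP's own local API which active-scan rules are enabled in the default policy, and switch off any you have not agreed with the site owner before scanning. Assumptions are labelled in the code: ZAP is running on `localhost:8080` with the API enabled and a key set under Tools > Options > API (both placeholders), the endpoints used are `ascan/view/scanners` and `ascan/action/disableScanners`, and `SAMPLE_PAYLOAD` is a constructed three-rule response so the summary can be exercised offline.

```python
import json
import urllib.parse
import urllib.request

# Assumed, not from the original post: ZAP is running locally with its API
# enabled and this key set under Tools > Options > API. Both are placeholders.
ZAP_BASE = "http://localhost:8080"
ZAP_API_KEY = "replace-with-your-zap-api-key"


def zap_call(component, kind, name, params=None, base=ZAP_BASE, api_key=ZAP_API_KEY):
    """Issue one call to ZAP's JSON API, e.g. component='ascan', kind='view', name='scanners'."""
    query = dict(params or {})
    query["apikey"] = api_key
    url = f"{base}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(query)}"
    with urllib.request.urlopen(url, timeout=15) as resp:
        return json.load(resp)


def fetch_scanners():
    """Return the active-scan rules of ZAP's default policy (ascan/view/scanners)."""
    return zap_call("ascan", "view", "scanners")


def summarize_scanners(payload):
    """Split an ascan/view/scanners payload into enabled and disabled rules.

    Each entry is (id, name, attackStrength, alertThreshold). Only enabled
    rules run when you press Attack, so this is the list to review first.
    """
    enabled, disabled = [], []
    for rule in payload.get("scanners", []):
        entry = (
            rule["id"],
            rule["name"],
            rule.get("attackStrength", "DEFAULT"),
            rule.get("alertThreshold", "DEFAULT"),
        )
        if str(rule.get("enabled", "")).lower() == "true":
            enabled.append(entry)
        else:
            disabled.append(entry)
    return enabled, disabled


def rules_matching(enabled, keyword):
    """Ids of enabled rules whose name contains keyword (case-insensitive)."""
    return [rid for rid, name, _s, _t in enabled if keyword.lower() in name.lower()]


def disable_scanners(ids):
    """Disable the given rule ids in the default policy (ascan/action/disableScanners)."""
    return zap_call("ascan", "action", "disableScanners", {"ids": ",".join(ids)})


# Constructed sample of what ascan/view/scanners returns, so the summary can
# be exercised without a running ZAP. Field names follow the ZAP API; the
# three rules are illustrative.
SAMPLE_PAYLOAD = {
    "scanners": [
        {"id": "40018", "name": "SQL Injection", "enabled": "true",
         "policyId": "0", "attackStrength": "DEFAULT", "alertThreshold": "DEFAULT"},
        {"id": "40012", "name": "Cross Site Scripting (Reflected)", "enabled": "true",
         "policyId": "0", "attackStrength": "DEFAULT", "alertThreshold": "DEFAULT"},
        {"id": "90020", "name": "Remote OS Command Injection", "enabled": "false",
         "policyId": "0", "attackStrength": "DEFAULT", "alertThreshold": "DEFAULT"},
    ]
}


if __name__ == "__main__":
    try:
        payload = fetch_scanners()
    except OSError as exc:  # urllib errors subclass OSError: no ZAP on ZAP_BASE
        print(f"ZAP API not reachable ({exc}); using the constructed sample instead")
        payload = SAMPLE_PAYLOAD
    enabled, disabled = summarize_scanners(payload)
    print(f"{len(enabled)} enabled rules, {len(disabled)} disabled")
    for rid, name, strength, threshold in enabled:
        print(f"  {rid:>6}  {name:<45} strength={strength} threshold={threshold}")
```

Run it once before the first scan and keep the printed list with your authorisation paperwork; if a rule on it is outside what the owner agreed to, pass its id to `disable_scanners` (or untick it in the Scan Policy Manager) and re-run to confirm. The rule ids and names in the output are the same ones the alert pages linked above are indexed by, so each line can be looked up there for the exact requests it sends.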
