OWASP ZAP Mutillidae Demo using kali linux - Cyber security

pardhunikku143 0 views 11 slides Sep 17, 2025

About This Presentation

The OWASP Zed Attack Proxy (ZAP) is a widely used open-source web application security testing tool. It is designed to help security professionals and developers identify vulnerabilities in web applications. Mutillidae, on the other hand, is a deliberately vulnerable web application that provides a ...


Slide Content

OWASP ZAP Live Demo — Mutillidae on Metasploitable
Demonstration plan, attack walkthrough (SQL Injection), mitigation & PPT for your session
Prepared for: Live demo
Date: Sept 17, 2025

Objectives
• Show OWASP ZAP workflow (proxy → spider → active scan → exploit)
• Perform a critical attack: SQL Injection on Mutillidae
• Explain findings, mitigation, and demo tips

Testbed & Assumptions
• Target: Mutillidae web app running on Metasploitable (local VM)
• ZAP running on the host (default proxy 127.0.0.1:8080)
• Browser configured to use ZAP as its proxy, or use ZAP's built-in browser
• Replace <TARGET> with your Mutillidae URL/IP (e.g. http://10.0.2.15/mutillidae)

Demo Plan (Quick)
1. Start ZAP and configure proxy
2. Browse target to populate site tree (Spider/Manual)
3. Passive & Active Scan
4. Identify SQLi on Login/Search
5. Exploit (payloads / show DB extraction via sqlmap or ZAP fuzzing)
6. Show mitigation & Q&A

Step-by-step — Setup
• Start Metasploitable VM and note its IP (on Metasploitable run: ifconfig or ip a)
• Start ZAP: zap.sh (Linux) — listen on 127.0.0.1:8080
• Configure browser proxy to 127.0.0.1:8080 (or use ZAP browser)
• In ZAP: Tools → Options → Local Proxy to verify port

Step-by-step — Recon & Scan
• Browse the Mutillidae site to populate the Sites tree
• Run Spider (right-click site → Attack → Spider Site)
• Run Active Scan (right-click site → Attack → Active Scan) — monitor Alerts panel
• Review 'High' and 'Critical' alerts (SQL Injection, XSS, file upload issues)

Critical Attack — SQL Injection
Target chosen: login or search form in Mutillidae (common vulnerable endpoints)
Manual payloads to demonstrate authentication bypass:
• username: ' OR '1'='1
• password: (anything)
Show intercept in ZAP: right-click request → Open/Resend (Manual Request Editor) → modify and resend

Using ZAP to find SQLi & exploit
• Run Active Scan — ZAP will flag SQL injection alerts and show the vulnerable parameter
• Right-click alert → Attack → Fuzz, or use the 'Active Scan' specific attack options
• Use 'Fuzz' with the SQL payload list (examples on the next slide)

Useful Payloads & Commands
SQL payload examples for demo:
• ' OR '1'='1 --
• ' OR 1=1 --
• ' UNION SELECT null,@@version --
• ' UNION SELECT null, table_name FROM information_schema.tables --
Optional: extract DB with sqlmap via ZAP proxy:
sqlmap -u "http://<TARGET>/...param=VAL" --data="param=PAYLOAD" --proxy="http://127.0.0.1:8080" --batch --dump

Mitigation & Takeaways
• Use parameterized queries / prepared statements
• Input validation & proper error handling
• Least-privilege DB accounts
• Use a WAF and keep apps patched
Demo takeaways:
• ZAP is effective for discovery, but manual verification and exploitation demonstrate impact
• Prepare screenshots and a short live exploit to impress examiners
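To make the first mitigation bullet concrete, here is an added example that is not part of the original slides: Python's sqlite3 against a constructed in-memory accounts table (not Mutillidae's real schema), with the login query written once by string concatenation and once with placeholders, each tried with a valid credential and with the ' OR 1=1 -- payload from the payloads slide.

```python
import sqlite3

# Constructed in-memory stand-in for Mutillidae's accounts table (not its real schema).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.execute("INSERT INTO accounts VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The defect the demo relies on: user input is concatenated into the SQL text,
    # so a quote in the input changes the structure of the query itself.
    sql = (f"SELECT username FROM accounts WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The mitigation from the slide: placeholders keep the input as data, never as SQL.
    sql = "SELECT username FROM accounts WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

# Payload from the "Useful Payloads" slide. In the concatenated query the -- starts a
# comment, which discards the rest of the statement including the password check.
BYPASS_PAYLOAD = "' OR 1=1 --"

def demo() -> dict:
    """Run a valid login and the bypass payload against both implementations."""
    conn = make_db()
    return {
        "vulnerable_valid": login_vulnerable(conn, "admin", "correct-horse"),
        "vulnerable_bypass": login_vulnerable(conn, BYPASS_PAYLOAD, "anything"),
        "fixed_valid": login_parameterized(conn, "admin", "correct-horse"),
        "fixed_bypass": login_parameterized(conn, BYPASS_PAYLOAD, "anything"),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'logged in' if result else 'rejected'}")
```

The parameterized version still accepts the real credential but treats the payload as a literal username that matches no row.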

Demo Script & Talking Points (Script for presenter)
1) Intro to ZAP (purpose, proxy, passive vs active scan)
2) Show site tree and spider run
3) Run Active Scan and highlight alerts
4) Intercept login request and demonstrate SQLi payload
5) Optionally run sqlmap to dump a sample table (explain ethics)
6) Mitigation and Q&A
Speaker notes: Keep the live exploit short (login bypass + show data) — auditors favor clear impact demonstration.