Zed Attack Proxy Cookbook: Hacking tactics, techniques, and procedures for testing web applications and APIs
J**S
A great starting point for inexperienced web application security testers
This book does a great job of explaining the capabilities of ZAP in depth while also providing instructions which are easy to follow and friendly to beginners.

The book acts as a learning platform by teaching the reader how to perform common tests which can be applied to all web app security testing. This is accomplished by teaching the user how to apply ZAP to web application training resources such as JuiceShop and Portswigger Academy. On the other hand, the book contains detailed instructions on how to operate ZAP and use it more effectively, making it a great resource for both experienced and inexperienced testers.

If you are looking to begin your journey into web application security testing or want to learn how to use ZAP more effectively, this book is for you.
M**N
Great hands-on manual to learn basic app vulns testing with open source framework
Zed Attack Proxy Cookbook consists of a set of recipes and guided lab exercises that help the reader perform app security testing for commonly known security vulnerabilities. It is a good hands-on introduction to using the ZAP framework for those beginning the pentesting journey or trying to map the basic security posture of their application. The authors of the book have captured the mileage of their experience with helpful guidance throughout the subject.

What I liked about this book:
- A concise overview of vulnerabilities and why and how they work
- Simple recipes to follow with well-outlined and illustrated steps
- References to more material to discover and learn

What I wish I saw more of:
- An overview of the recent OWASP Top 10 new concerns, with examples
- A cloud-oriented app deployment pentesting methodology

In a nutshell, I would recommend this book to practitioners who wish to evaluate the capabilities of the open source ZAP framework for basic app vulnerability assessment, as a reference, and to those who are learning to pentest.
J**A
Ideal for the open-source AppSec professional
This book was a fantastic overview of OWASP ZAP. The use of well-known and easily accessible labs makes it easy for a novice to jump in and learn more about the tool. This provides a good alternative to the Portswigger Academy walkthroughs, most of which, understandably, focus on Burp Suite for solutions. Unlike Burp Suite, however, ZAP is free, open-source, and highly extensible.

If you are new to Application Security: This book will provide you with a solid foundation in the basics, with an open-source tool with which you can practice at your own pace. After reading this book, following the labs, and reading the authors' thoughts and reflections, you should be well situated for web-based CTF challenges.

If you are new to ZAP only: This book will provide a no-nonsense approach to ZAP's basic functionality and where to find further functionality. It provides a quick way to transition to a free and open-source app, as opposed to a paid one. This knowledge will help you to further develop your skillset and your craft. After reading this, you should be well-equipped to jump right into ZAP's extensions: using, modifying, and writing your own.

Highly recommended.
J**T
Room for optimization and expansion
First I have to say that I like the book very much. It is largely oriented around the PortSwigger Academy Labs. You solve the labs here, just with ZAP instead of Burp Suite, and get to know the tool in the process. This brings me to my first point of criticism: I have the impression that the different labs and their solutions were written up by different authors. The actual lab description was more or less taken over from PortSwigger, but in the solutions steps are occasionally missing, while elsewhere things that were described earlier are repeated again. There is room for optimization here in future editions.

What in my view is completely missing from the book are advanced features such as Zest scripts and others. The open-source idea behind ZAP is precisely its advantage over Burp Suite. Whatever you find missing, you can add yourself through scripts and add-ons, or use what others have already developed. For example, it would have been nice to replicate Burp's Pitchfork functionality with a script of your own. Some labs could have been solved much more elegantly that way, and the reader would have gotten a much better sense of ZAP's potential. The book goes into this too little for my taste.