1. First I downloaded OWASP ZAP for Windows from: https://github.com/zaproxy/zaproxy/wiki/Downloads
2. Then install it; it will create a shortcut on your desktop.
3. After clicking this shortcut it will ask for the URL of the application you want to security test.
4. Click on the Attack button and wait for the result.
5. After it finishes checking, it will give some alerts inside the Alerts menu.
Here I am going to elaborate the meaning of the alerts and also discuss the importance of the alerts given by ZAP.
alert-1: X-Frame-Options Header Not Set: Maybe the first question is what this is:
X-Frame-Options header: It allows or disallows rendering of the document when the document is inside an iframe. Now the second question is what an iframe is:
iframe: An iframe is usually used to include another document inside the parent/current document. We could include another document inside the parent document using CSS, but that may break the CSS. That's why we use <iframe>.
When the X-Frame-Options header is set, it does not allow the page to be rendered inside a frame on another domain. A webpage cannot show advertisements when the X-Frame-Options header is set. When the X-Frame-Options header is not set, the side effect is clickjacking.
X-Frame-Options Header Types
There are three possible values for the X-Frame-Options header:
- DENY, which prevents any domain from framing the content. The "DENY" setting is recommended unless a specific need for framing has been identified.
- SAMEORIGIN, which only allows the current site to frame the content.
- ALLOW-FROM uri, which permits the specified 'uri' to frame this page (e.g., ALLOW-FROM http://www.example.com). Check the limitations below: this will fail open if the browser does not support it.
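To show how ZAP classifies this header, here is an added example (my own code, not ZAP's) that checks the X-Frame-Options value of a set of HTTP responses the way the alert above describes: missing header, DENY/SAMEORIGIN, the fail-open ALLOW-FROM form, and values browsers ignore. The sample responses and the function names are constructed for illustration.

```python
# Added example: a small checker that mirrors the ZAP "X-Frame-Options Header
# Not Set" alert. Not part of the original post or of ZAP itself.
from typing import Dict, Tuple

# Directives that reliably stop framing by other origins
SAFE_VALUES = {"DENY", "SAMEORIGIN"}


def check_x_frame_options(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (severity, message) for one response's X-Frame-Options header.

    Header names are compared case-insensitively, as HTTP requires.
    """
    value = None
    for name, raw in headers.items():
        if name.lower() == "x-frame-options":
            value = raw.strip()
            break

    if value is None:
        return ("medium", "X-Frame-Options not set: any site can frame this page (clickjacking)")

    upper = value.upper()
    if upper in SAFE_VALUES:
        return ("ok", f"X-Frame-Options: {value} blocks framing by other origins")
    if upper.startswith("ALLOW-FROM"):
        # Browsers that do not support ALLOW-FROM ignore the header entirely,
        # so the page ends up with no frame protection at all (fail open).
        return ("low", f"X-Frame-Options: {value} fails open in browsers without ALLOW-FROM support")
    # Anything else (e.g. ALLOWALL, two comma-separated directives) is not a
    # valid directive and gives no protection.
    return ("medium", f"X-Frame-Options has invalid value '{value}'; browsers ignore it")


def scan(responses: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Run the check over a mapping of URL -> response headers."""
    return {url: check_x_frame_options(h) for url, h in responses.items()}


# Constructed sample responses, as a scanner would have captured them
SAMPLE_RESPONSES = {
    "https://app.example/login": {"Content-Type": "text/html"},
    "https://app.example/home": {"x-frame-options": "sameorigin"},
    "https://app.example/widget": {"X-Frame-Options": "ALLOW-FROM http://www.example.com"},
    "https://app.example/legacy": {"X-Frame-Options": "ALLOWALL"},
}

if __name__ == "__main__":
    for url, (severity, message) in scan(SAMPLE_RESPONSES).items():
        print(f"[{severity}] {url}: {message}")
```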
alert-2: Cookie Set Without HttpOnly Flag: