A basic penetration test is made up of the following steps:

1. Use your browser to explore all of the functionality provided by the application.
   - Follow all links, press all buttons and fill in and submit all forms.
   - If the application supports multiple roles then do this for each of the roles.
   - For each role save the ZAP session in a different file and start a new session before you start using the next role.
2. Use the spider to find URLs that you have either missed or that are hidden. You can also use the AJAX Spider add-on to improve the results and crawl dynamically built links.
   - Explore any links found.
3. Use the forced browse scanner to find unreferenced files and directories (requires the “Forced Browse” add-on).
4. Use the active scanner to find basic vulnerabilities.
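The automated part of the procedure above (seed the site tree as the browser would, spider, AJAX spider, active scan, one session per role) driven through the ZAP API, as an added example that is not part of the ZAP user guide. It assumes ZAP is running with its API enabled on http://127.0.0.1:8080, that the python-owasp-zap-v2.4 client (module zapv2) is installed, and that the API key, target URL and role name are placeholders to replace; the Forced Browse step is not scripted here and is run from the desktop as the guide describes.

```python
"""Runs the guide's automated steps (spider, AJAX spider, active scan) through the ZAP API.

Assumes ZAP is running with its API enabled on http://127.0.0.1:8080 and that the
python-owasp-zap-v2.4 client (module ``zapv2``) is installed.  The "Forced Browse"
step is not covered here and is run from the ZAP desktop as the guide describes.
"""
import time

TARGET = "http://localhost:8000"  # constructed placeholder; replace with the application under test


def wait_until_done(status_fn, poll_seconds=2.0, sleep=time.sleep):
    """Poll a ZAP status call that reports progress as a percentage string until it reaches 100."""
    while int(status_fn()) < 100:
        sleep(poll_seconds)


def wait_for_ajax_spider(zap, poll_seconds=2.0, sleep=time.sleep):
    """The AJAX spider reports 'running' / 'stopped' rather than a percentage."""
    while zap.ajaxSpider.status == "running":
        sleep(poll_seconds)


def summarize(alerts):
    """Count alerts per risk level (High, Medium, Low, Informational)."""
    counts = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


def run_basic_scan(zap, target, session_name=None, sleep=time.sleep):
    """Seed the site tree, spider (classic and AJAX), then actively scan; return alert counts."""
    if session_name:
        # One ZAP session per role, as the guide recommends; the name is whatever you call the role.
        zap.core.new_session(name=session_name, overwrite=True)
    zap.urlopen(target)                       # like visiting the start page in the browser
    scan_id = zap.spider.scan(target)
    wait_until_done(lambda: zap.spider.status(scan_id), sleep=sleep)
    zap.ajaxSpider.scan(target)               # needs the AJAX Spider add-on
    wait_for_ajax_spider(zap, sleep=sleep)
    scan_id = zap.ascan.scan(target)
    wait_until_done(lambda: zap.ascan.status(scan_id), sleep=sleep)
    return summarize(zap.core.alerts(baseurl=target))


if __name__ == "__main__":
    from zapv2 import ZAPv2   # pip install python-owasp-zap-v2.4
    proxy = "http://127.0.0.1:8080"
    zap = ZAPv2(apikey="CHANGE-ME", proxies={"http": proxy, "https": proxy})  # placeholder key
    print(run_basic_scan(zap, TARGET, session_name="role-user"))  # placeholder role name
```

Repeat the `run_basic_scan` call once per role after logging the browser in as that role, so each role's traffic lands in its own session.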
The above steps will find basic vulnerabilities. However, to find more vulnerabilities you will need to manually test the application.
See the OWASP Testing Guide for more details.
Future versions of the ZAP Desktop User Guide will describe how ZAP can be used to help this process.
See also:
Getting Started | for details of how to start using ZAP
Introduction | the introduction to ZAP
https://www.owasp.org/wstg | OWASP Testing Guide
ZAPCon 2022: Drive-By Pentesting with ZAP Scripts (38:19)