Zap
$ owasp-zap # launches GUI
THM Introduction room
- Ajax spider HtmlUnit → sudo apt install libjenkins-htmlunit-core-js-java
- Tools → Options → Save certificate → Import into FF
- Turn on proxy, log in, HTTP Sessions, set logged-in session as active, scan again
- Tools → Options → Forced browse → Wordlist
- Built-in password brute-forcer (fuzzer)
- Bugcrowd HUNT script to passively find vulnerabilities when browsing
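The same proxy/session/scan workflow as the notes above, driven from a script instead of the GUI. This is an added example, not from the THM room or the ZAP project; it assumes ZAP is running in daemon mode on 127.0.0.1:8080 with the API key `changeme`, that the logged-in HTTP session was already created (by logging in through the proxy, as in the notes) and is named `Session 0`, and that `http://localhost:3000/` stands in for the lab target. It uses only the standard library, so the API URLs it builds are the documented `/JSON/<component>/<view|action>/<name>/` form:

```python
"""Drive OWASP ZAP's local JSON API: spider, switch to the logged-in HTTP
session, spider and actively scan again, then summarise alerts by risk.

Start ZAP headless first (assumed command line):
    owasp-zap -daemon -port 8080 -config api.key=changeme
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_API = "http://127.0.0.1:8080"   # assumption: ZAP daemon listening locally
API_KEY = "changeme"                # assumption: matches -config api.key=...


def api_url(component, kind, name, **params):
    """Build a ZAP API URL: /JSON/<component>/<view|action>/<name>/?...&apikey=..."""
    query = dict(params)
    query["apikey"] = API_KEY
    return f"{ZAP_API}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(query)


def call(component, kind, name, **params):
    """Perform one API request and decode the JSON reply."""
    with urllib.request.urlopen(api_url(component, kind, name, **params), timeout=30) as resp:
        return json.load(resp)


def wait_for_scan(status_fn, poll=2.0, sleep=time.sleep):
    """Poll a spider/ascan status view until it reports 100 (percent complete).

    status_fn is injected so the loop can be tested without a live ZAP.
    """
    while True:
        pct = int(status_fn())
        if pct >= 100:
            return pct
        sleep(poll)


def summarize_alerts(alerts):
    """Count alerts per risk level (High/Medium/Low/Informational) for triage."""
    counts = {}
    for alert in alerts:
        risk = alert.get("risk", "Unknown")
        counts[risk] = counts.get(risk, 0) + 1
    return counts


def authenticated_scan(target, site, session_name):
    """Spider unauthenticated, activate the logged-in session, spider + active scan again.

    `site` must match the site label ZAP shows in its HTTP Sessions tab for the target
    (assumption: host-based label as displayed there).
    """
    # 1. Unauthenticated spider, to see what an anonymous user reaches.
    scan_id = call("spider", "action", "scan", url=target)["scan"]
    wait_for_scan(lambda: call("spider", "view", "status", scanId=scan_id)["status"])

    # 2. Make the session captured during the manual login the active one.
    call("httpsessions", "action", "setActiveSession", site=site, session=session_name)

    # 3. Spider again as the logged-in user, then run the active scanner.
    scan_id = call("spider", "action", "scan", url=target)["scan"]
    wait_for_scan(lambda: call("spider", "view", "status", scanId=scan_id)["status"])
    ascan_id = call("ascan", "action", "scan", url=target)["scan"]
    wait_for_scan(lambda: call("ascan", "view", "status", scanId=ascan_id)["status"])

    # 4. Pull the alerts for the target and return a risk summary plus raw findings.
    alerts = call("core", "view", "alerts", baseurl=target)["alerts"]
    return summarize_alerts(alerts), alerts


if __name__ == "__main__":
    # Placeholder lab target and site label; replace with the room's values.
    summary, findings = authenticated_scan("http://localhost:3000/", "localhost", "Session 0")
    print("Alerts by risk:", summary)
    for f in findings:
        print(f"[{f.get('risk')}] {f.get('alert')} -> {f.get('url')}")
```

Running it twice, once without step 2 and once with it, gives the same "scan again as the logged-in user" comparison the notes describe: anything that only appears in the second run lives behind authentication.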
w3af - Web Application Attack and Audit Framework