Class 37 Read: Automated AppSec with ZAP - taylortommy23/401-Reading-Notes GitHub Wiki
What are the three common stages of the Penetration Testing process and what tasks are performed at each one?
- Explore: Gather information about the system, like the software and weak points.
- Attack: Try to break in using known vulnerabilities.
- Report: Share findings, like what was broken into and how severe it was.
Explain a “man-in-the-middle proxy” in non-technical terms.
- Imagine a security guard standing between you and a theme park. The guard checks your bags to make sure you are not bringing anything illegal into the park. A website works the same way: the proxy checks your messages before they reach the website, and checks the website's replies before they reach you. If anything seems off, the guard can step in and fix it. This keeps your online messaging safe.
What are the 2 spiders available for use in ZAP?
- Traditional ZAP Spider: This spider discovers links by looking at the HTML in responses from the web application. It's fast but might not work well for websites that use advanced techniques like JavaScript to generate links.
- AJAX Spider: This spider is used for applications that use AJAX (a technique to update parts of a webpage without reloading the whole page). The AJAX spider simulates a real browser by following links generated by JavaScript, making it more effective for exploring modern web applications.
What situations are they best suited for?
- Traditional Spider: Good for simple websites.
- AJAX Spider: Works well for modern, interactive websites.
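To make the difference between the two spiders concrete, here is an added example (written for these notes, not code from ZAP or its documentation). It builds a toy crawler that does what the traditional spider does at its core: parse each HTML response for `href`, `src` and `action` attributes and queue same-host URLs. The sample site, the host name `app.example` and the function names `traditional_spider` and `fetch` are all constructed for the example. One page in the sample site creates a link with JavaScript at load time; the HTML-only crawler never sees it, which is exactly the gap the AJAX spider closes by driving a real browser.

```python
"""Added example: why an HTML-only spider misses JavaScript-generated links.

Toy crawler mimicking the traditional ZAP spider's core behaviour
(parse HTML, follow in-scope links). Not ZAP's own code.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample site: path -> HTML body. No network is used.
# The "/" page has two static anchors, one form, and one link that only
# exists after a browser runs the <script> block.
SAMPLE_SITE = {
    "/": """
        <html><body>
          <a href="/about">About</a>
          <a href="https://other.example/out">External</a>
          <form action="/search"><input name="q"></form>
          <script>
            // Runs in a browser only: an HTML parser treats this as plain text.
            var a = document.createElement('a');
            a.href = '/api/v1/dashboard';
            document.body.appendChild(a);
          </script>
        </body></html>""",
    "/about": '<html><body><a href="/">Home</a><a href="/team">Team</a></body></html>',
    "/team": "<html><body>No links here</body></html>",
    "/search": "<html><body>results</body></html>",
    "/api/v1/dashboard": "<html><body>only reachable via JavaScript</body></html>",
}


class LinkExtractor(HTMLParser):
    """Collects href/src/action attribute values from static HTML."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


def fetch(path):
    """Stand-in for an HTTP GET against the constructed site."""
    return SAMPLE_SITE.get(path, "<html><body>404</body></html>")


def traditional_spider(start_url, max_pages=50):
    """Breadth-first crawl that follows only links present in the HTML.

    Returns the sorted list of paths that were reached.
    """
    origin = urlparse(start_url).netloc
    queue = [start_url]
    seen = set()
    while queue and len(seen) < max_pages:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        parser = LinkExtractor()
        parser.feed(fetch(urlparse(url).path or "/"))
        for raw in parser.links:
            absolute = urljoin(url, raw)
            # Scope rule: stay on the same host, like a ZAP context.
            if urlparse(absolute).netloc == origin and absolute not in seen:
                queue.append(absolute)
    return sorted(urlparse(u).path for u in seen)


def unreached_paths(start_url):
    """Paths in the sample site that the HTML-only crawl never discovers."""
    found = set(traditional_spider(start_url))
    return sorted(p for p in SAMPLE_SITE if p not in found)


if __name__ == "__main__":
    print("HTML spider found:", traditional_spider("https://app.example/"))
    print("Only reachable through JavaScript:", unreached_paths("https://app.example/"))
```

Running it shows the crawler reaching `/`, `/about`, `/search` and `/team` while `/api/v1/dashboard` is never queued, because the link to it only exists once the script has executed in a browser. The external link is dropped by the same-host scope check, mirroring how a ZAP context keeps a scan from wandering off the target site.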
References: https://www.zaproxy.org/getting-started/