I built a small Flask target and used OWASP ZAP to discover and validate a critical injection flaw. I then implemented a secure fix, re-scanned to verify, and documented the workflow for repeatable testing.
(How to Do Application Security Testing)
Stand up a testable app and route traffic through ZAP
Run crawl and active scans to surface issues
Fix a flagged vulnerability and verify the remediation
Capture findings and before-and-after evidence
Python with a virtual environment
Flask installed
OWASP ZAP installed and proxy configured in the browser
OWASP ZAP, Python, Flask, browser proxy settings
1. Target setup
Built a minimal Flask app with a search endpoint for testing
Generated a requirements file and launched locally
2. ZAP configuration
Set the browser proxy to ZAP on localhost
Crawled the app with Spider and ran an Active Scan
Reviewed Alerts and prioritized high severity findings
3. Fix and verify
Replaced unsafe query construction with a safe execution pattern
Ensured templates render variables safely
Re-ran the scan and confirmed the original finding was cleared
4. Documentation
Wrote a concise report with affected route, risk, fix, and screenshots
Added notes on ZAP setup and scanning scope
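The before-and-after pair from steps 1 and 3, as an added example rather than the original project's code: it assumes the flagged flaw was SQL injection in the search endpoint, that the fix was a parameterized query plus an autoescaped template, and the sample rows, schema, and the make_db, search_unsafe, search_safe, query_errors and create_app names are all constructed here.

```python
import sqlite3

# Constructed sample catalogue so the example runs offline; not the original app's data.
SAMPLE_ROWS = [("widget", 9.99), ("gadget", 19.99), ("o'reilly mug", 7.0)]

def make_db():
    """In-memory SQLite database standing in for the Flask app's backing store."""
    # check_same_thread=False lets Flask's threaded dev server share the connection.
    conn = sqlite3.connect(":memory:", check_same_thread=False)
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def search_unsafe(conn, term):
    """Before: input spliced into the SQL text, so a quote in `term` rewrites
    the statement instead of being matched as data. This is what ZAP flags."""
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()

def search_safe(conn, term):
    """After: parameterized query. The driver binds `term` as a value, so the
    statement's structure is fixed no matter what the client sends."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()

def query_errors(search_fn, conn, term):
    """Before/after evidence: True if the query raises on `term` (the database-error signal an active scan keys on)."""
    try:
        search_fn(conn, term)
    except sqlite3.OperationalError:
        return True
    return False

def create_app():
    """Minimal Flask search endpoint wired to the fixed query. Flask is imported
    here so the query functions above can be exercised without it installed."""
    from flask import Flask, render_template_string, request
    app = Flask(__name__)
    conn = make_db()
    @app.route("/search")
    def search():
        term = request.args.get("q", "")
        # render_template_string autoescapes {{ }} output, so the echoed term
        # and product names cannot inject markup into the page.
        return render_template_string(
            "<p>Results for {{ q }}</p><ul>{% for n, p in rows %}"
            "<li>{{ n }}: {{ p }}</li>{% endfor %}</ul>",
            q=term, rows=search_safe(conn, term))
    return app
```

Run `create_app().run()` with Flask installed and point the browser proxy at ZAP to reproduce the scan against /search?q=...; an apostrophe in a legitimate search term is enough to show the unsafe query raising while the parameterized one returns the matching row.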
Validated ZAP workflow from discovery to fix
Eliminated the flagged injection path
Produced a reusable scanning checklist
Web app testing with a proxy scanner
Vulnerability triage and secure remediation
Evidence-based reporting