Zed Attack Proxy only crawling one page - owasp

I have just recently started using Zed Attack Proxy (ZAP) to check for OWASP vulnerabilities and I am trying to get it to scan my whole site. I have successfully got it to log in as a user and scan from there, but it stays on the main page after logging in. Is there a way to get it to scan the other pages throughout the website? Also, is there a way to test for specific vulnerabilities only, or is it more of a broad scan of everything? I am still new to this software, so any help is appreciated.
Thanks,

This might not be a one-sentence answer, and will probably need quite a bit more info from you. I'd recommend asking them on the ZAP User Group; that way we can walk you through things a bit more easily.
Cheers, Simon (ZAP Project Lead)

Related

Am I Being Hacked by Redirection?

I don't really know how to explain this, so bear with me. Our Facebook pixel detected traffic from another domain. We only have one domain. We went to see what other domain it could possibly be referencing. It turns out this other domain was a carbon copy of our site. The only thing that was different was the web address. Does anyone have a clue what is going on? It's as though someone is retargeting our customers to a mirrored website.
We tested the foreign site by placing an order using store credit given to ourselves on the backend of our site. The order went through and instead of showing the order was placed in the US, it said it was placed in Turkey.
This is over my head and I have no clue where to start solving this issue.
I've actually seen this happen to someone else before. I'm not sure what the motive behind doing something like this is - but if the orders from the cloned store are being paid to your gateway, then the upside is that you're not losing money over it. However, I do believe that the intent is somewhat malicious.
The most logical reason I have been able to come up with is that if your store has high amounts of traffic, is well known, and has a good SEO rating, the people that are cloning your store are trying to "SEO-Hijack" you in a sense. Essentially piggybacking off of your site because of the SEO ratings it already has in order to boost their own and potentially turn it into a separate store/website later.
This isn't necessarily something that can be fixed by BigCommerce, since the copy of your store isn't on the platform whatsoever; they are essentially just piggybacking off of your SEO rating. The best option here would be to do a domain WHOIS lookup for their domain and report it as fraud to their registrar, as an attempt to get legal action taken or a cease & desist issued.
Sorry that this is happening to you!
Here's a helpful explanation that I was able to find and a helpful blog post on how to prevent it and the steps to take.
Oh no, I'm sorry to hear about this! As blurfus suggested above -- please contact the BigCommerce Support team to report this as soon as you can. You can find their contact information here: https://support.bigcommerce.com/s/#contact

Multiple domains one sign on (without logging in to each one)

I have been asked to oversee the development of a handful of sites. The people running the show want it so that if you sign onto one of the sites, then you are automatically signed onto the rest of them.
One of my buddies who is a great programmer says there is no safe way to do this. Is he right?
I had an idea that the main site (parent site) could host the daughter sites as subdomains, with each site having its own unique domain name.
What do you think?
Yes, it can be done. However, it won't be a trivial solution but will be a very expensive project that requires an extensive set of skills. Companies typically try to achieve this by establishing internal solutions themselves but tend to fail as complexity increases.
What you are trying to accomplish can also be done as a service. You may want to take a look at the following webpage:
http://www.covisint.com/web/guest/about-identity-services
Hope that helps!

Website development/design specification software or tool?

Hello, supersmart Stack Overflow users!
I'm wondering: is there any software or tool (web based or otherwise) that helps and streamlines the whole technical and functional specification writing process, so that we as developers can sit with clients, assess what they want to create/achieve and write up the spec efficiently and easily, so that when it's approved it can easily be passed on to the webdev people and they can create what is set out in the specification?
Thank you in advance!
Specfox is a SaaS designed just for that. You upload the screens (layouts or screen grabs), add notes and pinpoint to page elements, and generate PDFs to share with copywriters, designers and developers, or whoever you need to involve. It was the best online website specifications tool I found for a website redesign we did.
If you're still looking, take a look at Axure. It's built just for this. It's awesome.

Platform For Volunteer Management Website

I help out at a local soup kitchen, and they are wanting to create a website. Most of their criteria are pretty simple: they want to be able to have a calendar, post pictures, and have a blog. However, they also want to be able to manage volunteers. They want to be able to post an event, have a list of jobs that they need volunteers for at that event, and allow people to sign up for the jobs. I would like to base this website on a well-known platform like DotNetNuke, WordPress, or Drupal. Before I go and code my own plugin for managing volunteers, I decided to see if I could find a platform that already has a module available. So far I have not been able to find anything. Has anybody heard of one or used one in the past? I would appreciate any suggestions.
There's a whole range of ways to do this, but I haven't ever seen a dedicated solution (plugin or otherwise).
On the one hand, a blog could do all that you're asking. Posting pictures and blog entries? That's WordPress all over. Want a calendar? We have a plugin for that. Want to let volunteers sign up for stuff? Let them post comments.
On the other hand, the problem you're describing isn't unique: In my own experience I've wanted the software you describe. May I suggest that, if you have the time, you make something totally awesome for the volunteer community?
Our company, Wired Impact, recently released a plugin called Wired Impact Volunteer Management that provides exactly the functionality you're looking for. You can learn more and download the plugin at https://wordpress.org/plugins/wired-impact-volunteer-management/.

What do you think about OpenFire?

Have you developed for OpenFire (http://www.igniterealtime.org/)?
How was your experience? Pros/cons/comments, please.
I'm evaluating several technologies now, and want to know what the community thinks about OpenFire.
We tried Openfire for a chat and message distribution project.
I really liked it at first. The documentation was good, the admin tool was good and the installation was easy.
But we could not make it perform. For some reason the login process took a looooong time.
Also I have the impression that the project is dying.
We ended up with ejabberd, which works well and was also easy to set up.