Questions tagged [zap]

OWASP Zed Attack Proxy is a free and collaborative security tool. It is devoted to the detection of vulnerabilities in web applications, for both beginners and professionals in application security.

ZAP is open-source software that includes many tools for performing a wide range of penetration tests against a target web application. It is highly tunable, which allows it to be applied to a large variety of applications. The basic startup tool also makes it easy for beginners to use.

It can be used as a basic scanner, or set up as a proxy between a browser and the application backend.

It eventually generates a list of vulnerabilities, classified according to the OWASP Risk Rating Methodology.

ZAP is developed and supported by a large community through its GitHub repository.

102 questions
3 votes, 2 answers

Integrating ZAP to SDLC. Am I doing it right?

We are trying to integrate OWASP ZAP scans into our build cycle. When a new build reaches the QA team, they run an automation tool similar to Selenium, which opens a Firefox web browser on a Windows machine and runs their test cases. Being completely…
Sreeraj
1 vote, 1 answer

OWASP ZAP uses non-existent parameters

While running scans with ZAP, I noticed that many of the reported vulnerabilities involve sending malicious content as the value of a parameter named "query". For example: http://:/path/path/path?query=query+AND+1%3D1+--+ The API method in…
harrys
1 vote, 1 answer

How to intercept XmlHttpRequest with OWASP ZAP

I'm using OWASP ZAP to intercept requests to a web application, OWASP WebGoat. My breakpoint is quite simple: 'URL', 'contains', and 'http://localhost:8080/WebGoat/start.mvc#attack/76122667/400&from=ajax'. But it never catches any XMLHttpRequest…
pirent
1 vote, 1 answer

How to run OWASP ZAP automatically using command line operations (i.e. Jenkins)

I am trying to run OWASP ZAP automatically from the command line. I have tried using the API as described here, but I am getting these errors. I have also tried with zapr, but it is also showing an error about setting the path, while I have tried to set it by every…
Shubham Jain
0 votes, 1 answer

ZAP - Remote command injection found in API but real URL not shown anywhere, in scan returns 200 but manual test returns expected 400

Using OWASP ZAP 2.13.0 and found a so-called "Remote command injection". But neither in the report nor in Alerts does the URL + query contain the attack string. Opening the query in the Request editor, the query is still correct. Did the scan twice so…
WesternGun
0 votes, 1 answer

ZAP HUD is different

Started to get to grips with the OWASP ZAP tool, and can't solve a problem related to the ZAP HUD. Why do the ZAP HUD frames (on the left- and right-hand sides of the page) on some sites (like GitHub) contain the full set of tools, but on other sites…
0 votes, 1 answer

Cannot run ZapProxy add_header_request.py - throwable exception

I am dropping this https://github.com/zaproxy/community-scripts/blob/main/httpsender/add_header_request.py into the ZAP scripts window > Proxy. When I save and browse a site, I see java.lang.reflect.UndeclaredThrowableException. I expected to see…
phil_99
0 votes, 1 answer

How to add nested Data Driven nodes in ZAP

I wish to map a site with OWASP zaproxy. The site uses data-driven nodes in the URL in the following format to download image data for maps: https://subdomain.domain.tld/maps/<>/<>/tiles/<>/<>/<>.png This…
FalcoGer
0 votes, 1 answer

How can I fuzz two values in ZAP with the same payload?

In ZAP (Zed Attack Proxy) it's possible to fuzz requests. I have two values, cookieUserId and cookieUser. They both have the same value and I want to change the ID for both fuzzing locations. If I add a new payload for the second fuzz location, ZAP will…
Axel
0 votes, 1 answer

OWASP ZAP: False positives in the PiiScan

I work a lot with OWASP ZAP, and I am very satisfied. Nevertheless, I have the problem with all my scans that I always get false positives in the PiiScan area. Among other things, Google Maps numbers or product numbers are recognized as Visa card…
Mornon
0 votes, 1 answer

ZAP API: endpoints unavailable

I am running ZAP version 2.10.0 and was hoping to gain more control of logins with users.authenticate_as_user (link). It is, however, unavailable: when I list the attributes of a users object in Python I only get (besides dunder…
postoronnim
0 votes, 2 answers

Is it possible to see the history of SSL handshakes going out of OWASP ZAP proxy?

Let's say I perform some request through the OWASP ZAP local proxy, and it fails the SSL handshake for some reason. Is there any way to see which SSL certificates zaproxy offered during the handshake, at which URL, etc.?
desudesudesu
0 votes, 2 answers

OWASP ZAP: Add parameter to every request

I am testing a website that makes heavy use of REST API endpoints. After authentication, the app adds the authentication token to every request in the form…
user1192748
0 votes, 1 answer

Username and password information can be seen over HTTPS

While scanning my HTTPS website via OWASP ZAP, I found that the username and password information is not encrypted. What could be the reason, and how do I fix it? Please see the screenshot of ZAP below.
-1 vote, 1 answer

How to automate OWASP ZAP Fuzzing

Is there any way I can automate fuzzing in ZAP? I know how to do it manually, but is there any way to create a test suite and execute it?