If you run ZAP multiple times against a target then you may well find that the results are subtly different even though the target has not changed. This is not unusual, and we do not consider this a significant problem. In our experience it is usually all down to how the application is explored - the traditional and ajax spiders seem to be sensitive to small changes, including things like network speed.| Frequently Asked Questions on ZAP
ZAP can handle pretty much any authentication out there. The best place to start is the Authentication Decision Tree.| Frequently Asked Questions on ZAP
The following are the steps used to spider/scan DVWA. This was tested with DVWA 2.3 and ZAP 2.15.0. To set up DVWA follow the instructions on https://github.com/digininja/DVWA. In this case the following commands were used, but you should check to see if anything has changed: git clone https://github.com/digininja/DVWA.git; cd DVWA; docker compose up -d. To run a full authenticated scan against DVWA download and import the Automation Framework plan:| Frequently Asked Questions on ZAP
The world’s most widely used web app scanner. Free and open source. ZAP is a community project actively maintained by a dedicated international team, and a GitHub Top 1000 project.| www.zaproxy.org
Yes, the ZAP team currently offers the following services to the community. Be Aware The following are all subject to change without notice. We intend for them all to remain as-is over the long term, however, they are primarily intended to be used with ZAP and as such may change as/when required by the project/team.| Frequently Asked Questions on ZAP
You have 3 options: Convince one of the existing ZAP developers that they should implement it Convince someone else to implement it for you Implement it yourself Some of the ZAP core developers are paid to work on ZAP. If you can convince one of us that we should implement it asap then this will probably be the quickest option as obviously we know the code base well. However we are all very busy and the companies who pay us have expectations on what we will deliver. We do have a lot of fr...| Frequently Asked Questions on ZAP
Refer to command line help page.| Frequently Asked Questions on ZAP
A.K.A. ZAP Privacy Statement As a Manipulator in the Middle (MitM) proxy ZAP is able to observe a large amount of potentially very sensitive information.| Frequently Asked Questions on ZAP
ZAP supports: HTTP active and passive scanning. WebSockets passive scanning. For a full list of the HTTP active and passive scan rules see the Alert Details page. By default ZAP comes with the following (HTTP) scan rules: Release Active Scan Rules Release Passive Scan Rules Retire.js DOM XSS Active Scan Rule But you can also download and install:| Frequently Asked Questions on ZAP
ZAP should be able to run with all/newer Java versions, but might require a minimum for certain ZAP versions: ZAP 2.16.0 and later requires a minimum of Java 17 ZAP 2.12.0 and later requires a minimum of Java 11 ZAP 2.7.0 and later requires a minimum of Java 8 ZAP 2.0.0 and later requires a minimum of Java 7 Previous versions of ZAP also support Java 6, the last of those being 1.4.1| Frequently Asked Questions on ZAP
User Guide The User Guide (which is also included with ZAP) is a good place to start. User Group The User Group is the best place for questions about using ZAP.| Frequently Asked Questions on ZAP
ZAP is installed in different places depending on the OS. The install directory contains everything that’s bundled with ZAP originally. Windows 7 / 8 / 10 Underneath the Program Files directory, e.g.| Frequently Asked Questions on ZAP
We know that many Antivirus (AV) tools flag ZAP and some of the ZAP add-ons. For example the ZAP 2.15 Windows installer was flagged by 3 / 63 security vendors. In particular the Active Scan Rule add-on is often flagged: v65 was flagged by 10 / 63 security vendors. Detecting viruses is hard, especially as viruses try to disguise themselves. This means that AV tools try to detect potentially malicious activity or code.| Frequently Asked Questions on ZAP
You have automated ZAP to attack your site but then you see that there are other domains in the Sites Tree or in the report. Does this mean ZAP has attacked those other domains? No. ZAP will only attack the sites you specify. However, the AJAX Spider and the DOM XSS Scan Rule both launch browsers. We allow the browsers to access certain off domain resources such as JavaScript files - blocking these often breaks the target sites and means the AJAX Spider or DOM XSS Scan Rule would not work.| Frequently Asked Questions on ZAP
OK, so this question doesn’t get asked all the time, but it does come up every so often. So here’s the official response: Firstly, do you really need ZAP rewritten? ZAP supports all of the JSR 223 scripting languages, so you can already extend ZAP in a very wide range of scripting languages, including JavaScript, Jython, and JRuby.| Frequently Asked Questions on ZAP
We rely on people like yourself to translate ZAP into other languages. If your language is not available then it means that we, the developers, unfortunately don’t speak your language well enough to translate it and no one else has volunteered. However you can help :) Get in touch with us if you want to translate ZAP into another language, we’d love to hear from you!| Frequently Asked Questions on ZAP
ZAP doesn’t just throw a load of payloads at a target to see what happens :) The payloads are targeted based on the responses to other payloads so that it hopefully zeros in on specific vulnerabilities. However there are various options: Try out the custom payloads add-on which is supported by some of the existing rules Change the existing rules to improve them - this blog post is a good place to start: Hacking ZAP: Active Scan Rules - if you do improve them then please submit pull requests :...| Frequently Asked Questions on ZAP
In this case prevention is definitely better than cure. By default when you use the ZAP spider and active scanner then ZAP will access all of the URLs, forms, and functionality it can find. If one of those results in your application sending emails then someone is going to get a LOT of emails. (Consider other scenarios like sending orders, HR actions, helpdesk tickets, etc.)| Frequently Asked Questions on ZAP
False positives are where ZAP raises alerts for things that are not really vulnerabilities. You should make sure that you understand the potential vulnerability being reported and manually test it before concluding that it is not a real vulnerability. Please report any false positives that you identify supplying as much information as you can, while obfuscating any sensitive information. New issues should just cover one scan rule and should include enough information for us to reproduce the p...| Frequently Asked Questions on ZAP
False Negatives are where ZAP fails to identify an issue when it should. Reporting these problems to us for passive scan rules is straightforward - just let us know the full request and/or response that ZAP should have raised the problem for. Reporting problems with active scan rules is a bit more tricky, as ZAP will potentially send several requests to detect a specific problem and we need to know how your application responded to each one.| Frequently Asked Questions on ZAP
Scan rules are defined in add-ons so they can be updated and published whenever they are improved. However this may be less frequently than you might expect, and there are good reasons for that. Some security tools focus on finding known vulnerabilities in known applications. New vulnerabilities are being found all of the time so the rules for these tools need to be frequently updated. These rules are often quite simple, they just need to detect that you are running a specific version of an a...| Frequently Asked Questions on ZAP
Proxying (and therefore passive scanning) requests via ZAP is completely safe and legal, it just allows you to see what’s going on. Spidering is a bit more dangerous. It could cause problems depending on how your application works. Note that there is a Spider option to not use POST requests - this may be safer but is also likely to reduce the effectiveness of the Spider.| Frequently Asked Questions on ZAP
ZAP is a free tool designed to help everyone secure their own websites. Unfortunately this means that other people can use it to attack your website as well. ZAP is not designed to be a covert tool - it uses various variations of “ZAP” in its attacks, so if someone does use ZAP to attack your site then this should be apparent in your web server logs.| Frequently Asked Questions on ZAP
If ZAP fails to detect a known problem then please let us know! Obviously the more information you can give us the better, and the best option would be a simple one page ‘proof of concept’ in the form of a wavsep test - we can then include those in our regression tests.| Frequently Asked Questions on ZAP
As root create a file called /usr/share/applications/owasp-zap.desktop containing: [Desktop Entry] Name=OWASP ZAP Exec=/opt/owasp/ZAP_2.8.0/zap.sh Icon=/opt/owasp/ZAP_2.8.0/zap.ico Categories=Programming;Security; Type=Application Make sure you correct the paths to match your environment!| Frequently Asked Questions on ZAP
By default ZAP will now also only allow connections from the local machine. You can set which IP addresses can connect to the API using the command line: -config api.addrs.addr.name=123.456.789.123 If you are using ZAP in a completely isolated environment you can allow all IP addresses to connect to the ZAP API using:| Frequently Asked Questions on ZAP
You’ll need to generate a root CA certificate. Export it into a file. Import it in to the JRE cacerts keystore. Assuming the Java keytool is on the system path, JAVA_HOME is set to the location of a JRE and the ZAP Root CA cert is exported to “~/zap_root_ca.cer”, then the command is:| Frequently Asked Questions on ZAP
GET requests can be easily imported into ZAP using the “Import URLs” option which is included in ZAP by default. However this only supports GET requests. If you need to import POST requests, or requests using other HTTP methods like PUT and DELETE, then you have a selection of options:| Frequently Asked Questions on ZAP
Again, this depends on the OS: Windows There are 3 options on Windows: Via the desktop icon (assuming you selected this option during installation) Via the ‘Start’ menu: All Programs OWASP Zed Attack Proxy ZAP <version> Via the ‘zap.bat’ command line script in the installation directory Linux On Linux there’s just a ‘zap.sh’ script in the installation directory, although you can create a desktop icon manually as well.| Frequently Asked Questions on ZAP
To add a script you’ll need to use the following command line options (with the values changed to match your requirements of course;) -config script.scripts.name="Remove Strict-Transport-Security" -config script.scripts.engine="Mozilla Zest" -config script.scripts.type=proxy -config script.scripts.enabled=true -config script.scripts.file="/home/user/scripts/Remove Strict-Transport-Security.zst" See also the FAQ: How do you find out what key to use to set a config value on the command line?| Frequently Asked Questions on ZAP
ZAP logs to a file called “zap.log” in the ZAP ‘home’ directory. The logging is configured by the log4j2.properties file in the same directory. By default the ‘main’ logging levels are set to info by these lines: logger.paros.name = org.parosproxy.paros logger.paros.level = info logger.zap.name = org.zaproxy.zap logger.zap.level = info Changing these to debug (and restarting ZAP) will significantly increase the amount of logging performed:| Frequently Asked Questions on ZAP
ZAP has no problems scanning applications running on localhost, however there are a couple of things you need to be aware of. By default ZAP listens on port 8080. If your app also listens on 8080 then you’ll need to change one of them to listen on a different port - it’s probably easier to change ZAP using the Options Local Proxies screen, remember to change your browser’s proxy settings as well: Configuring Proxies.| Frequently Asked Questions on ZAP
The ZAP command line allows you to set individual values as follows: -config api.key=12345 -config network.connection.timeoutInSecs=60 How can you find out what keys to use to set the values you want? The keys are a dot notation of the XML used in the config.xml file. One way to find out which value you need to change is:| Frequently Asked Questions on ZAP
First of all try checking the ‘Enable unsafe SSL/TLS renegotiation’ checkbox in the Certificate Options screen and trying again. Second check if you’ve enabled SSLv2Hello in the outbound connection options. If so, disable SSLv2Hello and reload the content to see if the issue is resolved. If this doesn’t help and an HTTPS site reports a handshake failure then try installing the ‘Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files’:| Frequently Asked Questions on ZAP
There are a number of ways to accomplish selective proxying. 1 - Via a Browser Add-on/Extension Such as FoxyProxy: https://getfoxyproxy.org/ 2 - Via Global Exclusions Leveraging Global Exclusions you can specify URLs that ZAP should not intercept. 3 - Via a PAC (Proxy Auto-Config) File You can create your own PAC (Proxy Auto-Config) file and dynamically set proxying as you need, then point your browser at it on your hard drive using the file:/// scheme. For example: function FindProxyForURL(url...| Frequently Asked Questions on ZAP
This is usually not a ZAP problem. Is your web application actually running? Can you connect to it using the IP address rather than the FQDN or hostname? Can you connect to your application from the same machine using another tool like curl? If you are using one of the ZAP Docker images then be aware that using Docker will change the networking. In this case make sure that you run curl from the Docker image, e.g. using a command like:| Frequently Asked Questions on ZAP
Yes, see this video from ZAPCon 2021: These videos from @SecureCloudDev: Setting up ZAP for Android Setting up ZAP for iPhone/iPad And these articles: Intercepting Android traffic using OWASP ZAP - TheZero blog Four Ways to Bypass Android SSL Verification and Certificate Pinning - NetSPI Blog Debugging iOS apps with Zaproxy - Omer Levi Hevroni’s blog - Via The Way Back Machine| Frequently Asked Questions on ZAP
If you have questions about using ZAP to test your app or site based on a specific framework or technology, please ask in the User Group. General Single Page Apps - SPAs Vaadin Apps| Frequently Asked Questions on ZAP
If you have questions about using ZAP to test a specific vulnerable app, that isn’t answered here, please ask in the User Group. Damn Vulnerable Web App OWASP Pixi Juice Shop (on another site)| Frequently Asked Questions on ZAP
Yes, and there’s an excellent description of how to do that written by Bill Sempf: https://www.sempf.net/post/Pentesting-Windows-8-Metro-Apps-with-Zed-Attack-Proxy| Frequently Asked Questions on ZAP
This seems to come up on various Linux distros from time to time. For example: https://github.com/zaproxy/zaproxy/issues/3051 The following suggestions may let you work past the issue. Try starting ZAP from the command line instead of starting it from a shortcut (such as a Plasma/KDE button, dock icon, etc.) Try adding the following to /etc/environment: _JAVA_OPTIONS='-Dawt.useSystemAAFontSettings=on'| Frequently Asked Questions on ZAP
If ZAP is displayed in a really tiny window then it’s probably because you have a high DPI display. We believe High DPI displays and ZAP should behave properly with Windows and Java 11+. If you’re using Windows and encounter an issue then you can set the compatibility settings:| Frequently Asked Questions on ZAP
You can use ZAP to perform security regression tests on your own products. Note that this answer is very basic and WILL need to be improved ;) You need to have installed Java and ZAP. To launch ZAP from a Java program you can do something like: ProcessBuilder pb = new ProcessBuilder("/home/myuser/fullpath/ZAP 2.9.0/zap.sh"); /* full path to script, use zap.bat on Windows */ pb.directory(new File("/home/myuser/fullpath/ZAP 2.9.0/")); /* directory where the script is in */ Process p = pb.start(); Note t...| Frequently Asked Questions on ZAP
You can maximise any tab in ZAP by double clicking on it - that tab will now take up all of the ZAP window. To see the other sets of tabs double click any of the tabs again.| Frequently Asked Questions on ZAP
ZAP understands API formats like JSON and XML and so can be used to scan APIs. The problem is usually how to effectively explore the APIs. There are various options: If your API has an OpenAPI/Swagger definition then you can import it using the OpenAPI add-on. If your API uses GraphQL then you can explore it using the GraphQL add-on. If your API has a WSDL then you can import it using the SOAP add-on. If you have a list of endpoint URLs then you can import these using the Import files contain...| Frequently Asked Questions on ZAP
Certificate pinning also known as Public Key Pinning “is a mechanism for sites to specify which certificate authorities have issued valid certs for that site, and for user-agents to reject TLS connections to those sites if the certificate is not issued by a known-good CA.” Sites that use certificate pinning will typically not be loaded in your browser if you are proxying it through ZAP.| Frequently Asked Questions on ZAP
There are three ways to do this: 1 - Via the Marketplace Click the Marketplace button in the main toolbar: The Installed tab now displays a column including the current version. This adds clarity if/when an update is available as the bottom panel displays the details for the update: 2 - Via the Help Menu From the Help menu select “Support Info…” Copy the entire contents or find the specific add-on you’re interested in. 3 - Via the CLI zap.bat -suppinfo or zap.sh -suppinfo will produce...| Frequently Asked Questions on ZAP
The information in this FAQ is based on details from: This user group thread The Vaadin framework makes heavy use of JavaScript, so it seems the Ajax Spider is the way to go. As you work to figure things out and get them configured correctly it makes sense to start by proxying your browser through ZAP, identifying the http session and then flagging it as the ‘active session’ before starting the Ajax Spider.| Frequently Asked Questions on ZAP
As discussed in https://github.com/zaproxy/zaproxy/issues/5469, this issue seems to occur when laptops are docked. (The work around is to un-dock your system.) This is the same as https://github.com/oracle/visualvm/issues/84 which links to https://bugs.openjdk.java.net/browse/JDK-8223158 This issue is unfortunately outside the control of the ZAP team.| Frequently Asked Questions on ZAP
ZAP should run on all operating systems that support Java 17 - it can even run on a Raspberry Pi! If you experience any problems running ZAP then please report them to us.| Frequently Asked Questions on ZAP
ZAP includes the following classifications for all of the vulnerabilities it finds wherever possible: WASC Threat Classification MITRE’s Common Weakness Enumeration| Frequently Asked Questions on ZAP
Java has problems with ‘non-standard’ window managers. If you have changed from one of the main window managers and are seeing blank windows when you use ZAP then see https://wiki.haskell.org/Xmonad/Frequently_asked_questions#Problems_with_Java_applications.2C_Applet_java_console for potential solutions.| Frequently Asked Questions on ZAP
When you proxy via ZAP you will often see that some of the Ids in the History tab are ‘missing’, e.g. it will jump from 1 to 4 etc. The missing Ids do not refer to ‘hidden’ requests that ZAP is making. Instead those requests (which are not sent at all) are generated by ZAP for “internal” use only. They are used to show a “GET” request when “directory” nodes of the “Sites” tab, not yet (manually) accessed, are selected.| Frequently Asked Questions on ZAP
If the Quick Start Attack fails with the message: Failed to attack the URL, please check that the URL is valid then the first thing to do is check your URL in a browser. If it works ok then open the ZAP Manual Request Editor, replace the default URL with the one you are trying and send the request.| Frequently Asked Questions on ZAP
Since version 2.4.1 ZAP has required an API key by default in order to invoke API operations that make changes to ZAP. Since version 2.6.0 an API key is required by default in order to invoke any of the API operations. This is a security feature to prevent malicious sites from invoking the ZAP API. ZAP version 2.6.0 also introduced additional security options. All of the API security options, including the API key, can be found in the API Options screen.| Frequently Asked Questions on ZAP
The Automation Framework supports variables, which includes environment variables. You can use these to set values referenced in your plan from the command line, including secrets such as credentials. To see this in action download the ScriptEnvVarAccess.yaml plan and store it in your current working directory. Edit the script and change PATH to MyVar.| Frequently Asked Questions on ZAP
The world’s most widely used web app scanner. Free and open source. Actively maintained by a dedicated international team of volunteers. A GitHub Top 1000 project.| www.zaproxy.org