Access Control Status Tab The Access Control Status Tab allows starting of new Access Control testing and displays the results obtained. For each User and for each URL attacked by ZAP, an entry is added with information about: ZAP’s id of the message sent; the HTTP method used; the URL of the resource; the HTTP status code of the response; the User from whose point the resource was accessed; whether the request was identified as being authorized or not; the access rule used, which was either dire...| The ZAP Homepage on ZAP
Active Scan dialog This dialog launches the active scanner. Scope The first tab allows you to select or change the starting point. If you have more than one scan policy then you will be able to select the one to use. If the starting point is in one or more Contexts then you will be able to choose one of them. If that context has any Users defined then you will be able to select one of them. If you select one of the users then the active scan will be performed as that user, with ZAP (re)auth...| The ZAP Homepage on ZAP
Ajax Spider Automation Framework Support This add-on supports the Automation Framework. Job: spiderAjax The spiderAjax job allows you to run the Ajax Spider - it is slower than the traditional spider but handles modern web applications well.| The ZAP Homepage on ZAP
All In One Notes - About Source Code https://github.com/zaproxy/zap-extensions/tree/main/addOns/allinonenotes Authors David Vassallo| The ZAP Homepage on ZAP
API Policy A policy focusing on issues likely to impact APIs and not UI. For the list of scan rules included see the Alert Tag: POLICY_API page. Return to main scan policies page.| The ZAP Homepage on ZAP
Authentication Request Identification This add-on includes a passive scan rule which attempts to identify authentication requests. It identifies authentication requests by the presence of commonly used username and password field names. It also uses commonly used URL segments to identify more likely authentication requests, and uses commonly used registration URL segments to ignore registration requests.| The ZAP Homepage on ZAP
Automation Framework - GUI The Automation Framework has a GUI that is in the process of being developed. Automation Tab This tab allows you to create, load, edit and run automation jobs. It has 2 sub tabs.| The ZAP Homepage on ZAP
Automation Framework Support This add-on supports the Automation Framework. Job: import The import job allows you to import HAR (HTTP Archive File), ModSecurity2 Logs, ZAP Messages or a file containing URLs locally.| The ZAP Homepage on ZAP
Automation Framework Support This add-on supports the Automation Framework. Job: sequence-import The sequence-import job allows you to create a Sequence from an HAR file.| The ZAP Homepage on ZAP
BOAST Options The BOAST Options screen allows you to configure the settings that affect how ZAP interacts with BOAST servers. Server URI This address should point to the URI that will be used for registrations and polling.| The ZAP Homepage on ZAP
Callback Options The Callback Options screen allows you to configure the address used to detect vulnerabilities that allow an attacker to call remote URLs. In previous versions the ZAP API was used for this purpose, but from 2.6.0 onwards a separate endpoint is used so that target systems no longer need access to the API.| The ZAP Homepage on ZAP
Client Certificates This screen allows you to add a client certificate to use when testing applications protected using mutual SSL. After adding the certificate it can be set as active in the KeyStore tab. Unlike other options screens, the changes done to the keystore are not undone if the Options dialogue is cancelled.| The ZAP Homepage on ZAP
Client Side Integration - Automation Framework Support This add-on supports the Automation Framework. Job: spiderClient The spiderClient job allows you to run the Client Spider, which is designed to explore modern web apps more effectively.| The ZAP Homepage on ZAP
Command Line Quick Start add-on supports the following command line options: -quickurl: Specifies the URL of the target application that will be attacked. -quickout: Specifies the file to write the report to. The report format will depend on the file extension - supported file extensions are .html, .json, .md, .xml. If none of these extensions are used then the format will be XML. If not set, in ‘inline’ and daemon modes the report is written to the default output stream. -quickprogress: Show as...| The ZAP Homepage on ZAP
Context Alert Filters Context Alert Filters allow you to automatically override the risk levels of any alerts raised by the active and passive scan rules within a context. The Alert Filters will be exported and imported with the context - they will not persist over ZAP sessions unless the context is imported again.| The ZAP Homepage on ZAP
Custom Payloads API The following views are available via the API: Views customPayloads(category): Lists all the payloads currently loaded (category, payload, enabled state). Optionally filtered by category. customPayloadsCategories: Lists all the available categories. Actions addCustomPayload (category*, payload): Adds a custom payload (enabled when added). disableCustomPayloads(category): Disables custom payloads. Optionally limited by category. (No category means all) enableCustomPayloads(...| The ZAP Homepage on ZAP
DOM XSS Active Scan Rule - About Source Code https://github.com/zaproxy/zap-extensions/tree/main/addOns/domxss Authors Aabha Biyani, and the ZAP Dev Team| The ZAP Homepage on ZAP
GraphQL Options In this document, a ‘Query’ may refer to a GraphQL query, subscription or mutation. Query Generator Configuration The query generator uses the imported schema to generate queries for the target endpoint. If enabled, it may be configured with the following options.| The ZAP Homepage on ZAP
Groovy Support - About Source Code https://github.com/zaproxy/zap-extensions/tree/main/addOns/groovy Authors ZAP Dev Team| The ZAP Homepage on ZAP
gRPC Variant The gRPC variant allows injecting payloads in gRPC values (Active Scan Input Vector support). Active Scan Input Vectors Custom Values are injected into all key-value pairs in all gRPC values that are proxied through ZAP.| The ZAP Homepage on ZAP
Image Location and Privacy Scanner - About Source Code https://github.com/zaproxy/zap-extensions/tree/main/addOns/imagelocationscanner https://github.com/veggiespam/ImageLocationScanner Authors Veggiespam and the ZAP Dev Team| The ZAP Homepage on ZAP
Interactsh Options The Interactsh Options screen allows you to configure the settings that affect how ZAP interacts with Interactsh. Server URL This address (provided by the user) should point to the URL that will be used for registrations and polling.| The ZAP Homepage on ZAP
Manual Request Editor dialog This dialog allows you to create an HTTP request from scratch which will be submitted to the specified target, or resend an existing HTTP request after making any changes to it that you want to. Request tab This shows the request header and data, either in one or two panels depending on the options chosen.| The ZAP Homepage on ZAP
Network API The following operations are added to the API: Actions addAlias (name* enabled): Adds an alias for the local servers/proxies. name: The name of the alias. enabled: The enabled state, true or false. addHttpProxyExclusion (host* enabled): Adds a host to be excluded from the HTTP proxy. host: The value of the host, a regular expression. enabled: The enabled state, true or false. addLocalServer (address* port* api proxy behindNat decodeResponse removeAcceptEncoding): Adds a local serv...| The ZAP Homepage on ZAP
OAST Tab This tab shows a summary of the out-of-band messages discovered by ZAP. Messages For each message, you can see:| The ZAP Homepage on ZAP
OpenAPI Automation Framework Support This add-on supports the Automation Framework. The add-on will add OpenAPI definitions if they are found while spidering but adding them explicitly via a URL or local file is recommended if they are available. The targetUrl parameter works in the same way per ‘Target URL Format’.| The ZAP Homepage on ZAP
Options Active Scan screen This screen allows you to configure the active scan options: Number of Hosts Scanned Concurrently The maximum number of hosts that will be scanned at the same time. Increasing this may put extra strain on the computer ZAP is running on.| The ZAP Homepage on ZAP
Options Applications screen This screen allows you to configure the applications that can be invoked. By default there are no applications available, you need to add all of the applications that you want to use. Display Name The name that will be used for this application in ZAP.| The ZAP Homepage on ZAP
Options Encode/Decode screen This screen allows you to configure the Encode/Decode/Hash options: Base64 - Charset Allows the user to select which character set should be used for Base64 conversions.| The ZAP Homepage on ZAP
Options Forced Browse screen This screen allows you to configure the Forced Browse options: Concurrent scanning threads per host The number of threads the scanner will use per host. Increasing the number of threads will speed up the scan but may put extra strain on the computer ZAP is running on and the target host.| The ZAP Homepage on ZAP
Options Fuzzer screen This screen allows you to configure the fuzzing options: Default Category The category that will initially be selected when the Fuzz dialog is displayed.| The ZAP Homepage on ZAP
Options HUD screen Enable when using the ZAP Desktop When set the HUD will be injected into HTML responses when the ZAP Desktop is used. This defaults to true.| The ZAP Homepage on ZAP
Options Jython screen This screen allows you to configure the Python Scripting add-on. Configuration Options: Field: Additional Python modules path. Details: The path to the directory with additional modules/libraries for Python scripting. Default: (none). Config File: Key: jython.modulepath, Values: file system path to the directory| The ZAP Homepage on ZAP
Options Port Scan screen This screen allows you to configure the port scan options: Highest port number to scan ZAP will start from 1 and work up to this port number. Selecting a high number will significantly increase the time a port scan takes.| The ZAP Homepage on ZAP
Options Token Generator screen This screen allows you to configure the Token Generator. Configuration Options: Field: Number of Threads. Details: The number of threads used during the token generation. Default: 5. Config File: Key: tokengen.threadsPerScan, Value: a non-negative integer. Field: Request Delay (in milliseconds). Details: The time to wait before sending each request, to avoid overloading the target server. Note: Given the high number of requests sent during the Token Generation, increasing the delay might have a...| The ZAP Homepage on ZAP
Param Digger - About Authors ZAP Dev Team Arkaprabha Chakraborty| The ZAP Homepage on ZAP
Passive Scanner This screen allows you to configure the passive scanner. Configuration Options: Field: Only scan messages in scope. Details: Sets whether or not the passive scan should be performed only on messages that are in scope. Default: Deselected. Config File: Key: pscans.scanOnlyInScope, Values: true or false. Field: Include traffic from the Fuzzer when passive scanning. Details: Sets whether or not the passive scanning should be performed on messages generated by the Fuzzer. Default: Deselected. Config File: Key: pscans.scanFuzzerMessages V...| The ZAP Homepage on ZAP
Passive Scanner API The following operations are added to the API: Actions clearQueue: Clears the passive scan queue. disableAllScanners: Disables all passive scan rules. disableAllTags: Disables all passive scan tags. disableScanners (ids*): Disables passive scan rules. ids: A comma separated list of scan rule IDs. enableAllScanners: Enables all passive scan rules. enableAllTags: Enables all passive scan tags. enableScanners (ids*): Enables passive scan rules. ids: A comma separated list of ...| The ZAP Homepage on ZAP
Passive Scanner Automation Framework - passiveScan-config Job This job allows you to manage the passive scan configuration. It is covered in the video: ZAP Chat 08 Automation Framework Part 2 - Environment. The passive scanner runs against all requests and responses that are generated by ZAP or are proxied through it. If you want to configure the passive scan configuration then you should typically do so before running any other jobs. However you can run this job later, or multiple times, if ...| The ZAP Homepage on ZAP
Plug-n-Hack Clients tab Plug-n-Hack allows you to monitor client (browser) events in order to help test HTML5 applications. In order to support as wide a range of modern browsers as possible, this is implemented by injecting JavaScript into the response returned to the browser. As this means changing the response, this functionality has to be manually enabled.| The ZAP Homepage on ZAP
Release 2.16.1 This is a bug fix release, along with some minor enhancements. This release was made possible thanks to Checkmarx who employ 3 of the Core Team to work on ZAP. These release notes do not include all of the changes included in add-ons updated since 2.16.0. The enhancements include:| The ZAP Homepage on ZAP
Replacer Automation Framework Support This add-on supports the Automation Framework. Job: replacer The replacer job allows you to add replacer rules.| The ZAP Homepage on ZAP
Retest - About Source Code https://github.com/zaproxy/zap-extensions/tree/main/addOns/retest Authors ZAP Dev Team| The ZAP Homepage on ZAP
The world’s most widely used web app scanner. Free and open source. ZAP is a community project actively maintained by a dedicated international team, and a GitHub Top 1000 project.| www.zaproxy.org
Command Line To run ZAP via the command line, you will need to locate the ZAP startup script. Windows: C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat Note: The command line options are not used by the executable (zap.exe), only by the bat file. Mac: /Applications/ZAP.app/Contents/Java/zap.sh Linux: zap.sh will be below the directory where ZAP was installed.| The ZAP by Checkmarx Desktop User Guide on ZAP
Paros Proxy ZAP is a fork of version 3.2.13 of the open source variant of Paros developed by Chinotec Technologies Company. The releases section details the changes made to Paros. The source code is freely and publicly available as required by the Clarified Artistic License under which Paros was released.| The ZAP by Checkmarx Desktop User Guide on ZAP