Questions tagged [zap]

OWASP Zed Attack Proxy (ZAP)

33 votes, 3 answers, 63k views

Adding authentication in ZAP tool to attack a URL

How do I pass authentication details to the ZAP tool to scan the website? Please help me to solve the problem.

6 votes, 1 answer, 5k views

OWASP ZAP - how to "prove" false positives?

Our customer requires us to run the OWASP ZAP tool against our web application (ASP.NET 4.5.2, Webforms) and we cannot have any high priority findings in the report. We've done the analysis, and ...

5 votes, 1 answer, 4k views

Can ZAP be used for an SPA application?

I have an SPA application (AngularJS front end / RESTful WebAPI back end). The SPA is by design using client routing, i.e. a typical "page" looks like http://contosco.com#/page1 http://contosco.com#/page2 ...

5 votes, 1 answer, 2k views

Can OWASP ZAP be used to proxy all http and https traffic through an HTTPS connection?

I've just started using ZAP, and am successfully running it in Firefox and Chrome. I'd like to use it to automatically serve its SSL cert for non-https sites as well. So for example, I'd like it to ...

4 votes, 1 answer, 12k views

OWASP's ZAP and the Fuzz ability

My scenario: I navigate to a login page. I put in a known username with a bad password. ZAP picks this up no issue. I select the POST to the login page. I find the lines that contain the Username ...

4 votes, 1 answer, 6k views

Passive Scan in OWASP ZAP

I have started learning OWASP ZAP and I am confused about passive scanning in OWASP ZAP. On right clicking the node in Site tree I do not see any passive scanning option, however under Tools | ...

4 votes, 2 answers, 12k views

OWASP ZAP testing REST API

Is it possible to test a REST API via OWASP ZAP? "URL to attack" worked just for GET requests. For example, my API controllers work only with a token. I have a TokenController and this controller ...

4 votes, 1 answer, 2k views

NTLM authentication in ZAP

I'm trying to do some penetration testing of a REST API using ZAP. The API uses Windows authentication [domain\username] and is hosted locally on a specific port. First I did a test using Postman to try to ...

4 votes, 0 answers, 638 views

How to scan a particular URL or page alone in OWASP ZAP

I have installed OWASP ZAP 2.8.0 and scanned our site fully. In the result we got some SQL injection URLs or pages. So we have fixed the SQL injection issues in development that the OWASP tool mentioned. ...

4 votes, 0 answers, 1k views

How to use Postman with OWASP ZAP Proxy?

I'm trying to explore a REST API using ZAP and Postman but I get an error, probably because I didn't set up something right. Should I add the SA certificate from ZAP to Postman? Could not get any ...

4 votes, 0 answers, 1k views

Selenium and Cucumber proxy setting (cucumber.xml or CucumberRunner)

Trying to set the proxy (to the OWASP ZAP Proxy port) in Cucumber via a property, but to no avail. cucumber.xml <beans profile="firefoxRemote"> <bean name="capability" init-method="...

4 votes, 1 answer, 3k views

Import root CA in chromedriver (Selenium)

I have tried and searched almost everything but still didn't find an answer to import a root CA into chromedriver while running my Selenium test. Small background info: I am running regression tests ...

3 votes, 1 answer, 5k views

OWASP ZAP scan returns "Application Error Disclosure" for a JavaScript library. Is it a false positive? How to prove that or fix it?

After an automatic scan with OWASP ZAP 2.8.0 I have "Application Error Disclosure" for a JavaScript file (moxiejs library). The site is based on WordPress updated to the newest version. How to fix this ...

3 votes, 1 answer, 1k views

Exclude URL in ZAP proxy scanning run as daemon

How can I exclude certain URLs from ZAP proxy scanning when starting it in daemon mode with the following command: zap.sh -daemon -host 0.0.0.0 -port 8090 -config api.addrs.addr.name=.* -config api.addrs....

3 votes, 1 answer, 3k views

SESSION_COOKIE_HTTPONLY = True not working in Django

I have set the following code in my settings.py: SESSION_COOKIE_HTTPONLY = True even though the docs say this is default. Then I use ./manage.py runserver and run OWASP Zap scanner on the site. But ...

3 votes, 2 answers, 2k views

Utilizing ZAP for REST API testing

I'm curious as to how ZAP can be used to test REST APIs in the context of API security. Is it just the OpenAPI add-on that can be used or are there other (more effective) methods?

3 votes, 2 answers, 4k views

ZAP Authentication using API calls

I am using ZAP API calls to test a site from the command line. But I have a problem with the user authentication even though I am following the correct steps. I still can't manage to pass the login ...

3 votes, 2 answers, 4k views

OWASP ZAP cannot test API

I am currently trying to scan the API with ZAP. I downloaded the pet shop example from https://editor.swagger.io/ and set up a server with Spring. Now I want to scan this API with a Jenkins build job. ...

3 votes, 1 answer, 3k views

How to use OWASP ZAP for MiTM attack on Android?

I know that I have not handled MiTM in my Android application and it might be vulnerable. I want to test the scenario by connecting my Android phone via a proxy (my laptop) and using any possible tools to ...

3 votes, 3 answers, 6k views

OWASP ZAP: exclude from proxy everything but given URL

My question is pretty straightforward: I want to exclude from the proxy everything but these 2 URLs, I just want to see the traffic of 1 site. http://www.timetosa.com and https://www.timetosa.com This is ...

3 votes, 2 answers, 3k views

Pass login parameters to scan with OWASP ZAP in a docker command

I'm trying to execute a command to attack an application with login but I don't know how to pass my user and password to the URL. The login sends a POST with user and password to verify if it exists. ...

3 votes, 1 answer, 1k views

OWASP ZAP: how to check vulnerabilities of a POST request

I have to check whether my REST POST endpoint has any vulnerabilities. I'm using OWASP ZAP for the first time. If I try to check my endpoint, which is a REST POST, just by inserting the URL in the ...

3 votes, 2 answers, 3k views

ZAP keeps scanning unnecessary URLs

What I'm doing is: Starting ZAP to listen on some port zap.bat -daemon -host localhost -port 2355 -config api.disablekey=true Starting new session curl -X GET "http://localhost:2355/JSON/core/...

3 votes, 1 answer, 137 views

ZAP Attack proxy History Request ID is not consecutive

I've used ZAP to intercept traffic. Works nicely and I have a history for my REQUEST - RESPONSE pairs like this: ID Req. TimeStamp Method etc .. ... 1955 Tue Apr 05 ...

3 votes, 1 answer, 913 views

How can we integrate OWASP ZAP & Cypress?

Is there any way we can integrate the OWASP ZAP security testing tool with Cypress?

3 votes, 0 answers, 266 views

I am trying to automate security testing of web applications using OWASP ZAP in Jenkins. I am getting the following issue

The issue is as follows: 5825 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Spider initializing... 5854 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Starting ...

3 votes, 1 answer, 957 views

How do I set up OWASP ZAP as an MITM proxy to debug HTTP web service calls?

I want to capture HTTP requests and responses on OS X. The requests are being sent from a Ruby-on-Rails server to an Elasticsearch server, thus I cannot use the built-in logging provided by Chrome or ...

2 votes, 1 answer, 5k views

zaproxy: unable to find image 'in:latest' locally

I followed the example from: https://zaproxy.blogspot.com/2017/06/scanning-apis-with-zap.html installed Docker on my Mac, executed docker pull owasp/zap2docker-weekly, executed the example: docker run -t owasp/...

2 votes, 1 answer, 1k views

OWASP ZAP not showing requests to images in history view

I'm investigating some strange behavior in a web application where something is generating requests that shouldn't be there. Since the principal action triggering these requests opens a new browser ...

2 votes, 1 answer, 3k views

Enumerating Subdirectories Using ZAP

I am using ZAP 2.7.0 and I would like to enumerate possible files/directories within a subdirectory of a given site. There is the DirBuster tool, which is not available in the market place anymore. ...

2 votes, 1 answer, 370 views

OWASP ZAP tool - How to get a list of passed and failed tests?

I'm using OWASP ZAP to scan a web application. After scanning I can export the alerts I got as a PDF file. This PDF file includes only Alerts. The question is, can I get a full list of all tests that ...

2 votes, 1 answer, 5k views

Form Based Authentication OWASP ZAP for HTTPS application

I'm trying to use the Form-Based Authentication feature of OWASP ZAP using ZAP's Python API. I noticed that while using an HTTP application (for example http://demo.testfire.net/) it is able to spider ...

2 votes, 1 answer, 345 views

Can we single out an alert, say "Web Browser XSS Protection Not Enabled", and rerun it in ZAP Proxy?

Context: We used OWASP Zed Attack Proxy version 2.7.0 to do vulnerability tests of an application. We got a few alerts, and are doing the resolution. Problem: We wanted to single out an alert, say ...

2 votes, 1 answer, 144 views

How to intercept and modify the response to a docker using OWASP ZAP

I have a docker application running on my desktop and also OWASP ZAP running on my desktop. How would I configure OWASP ZAP so that any request going out will be intercepted and the response be ...

2 votes, 1 answer, 1k views

Header Based Authentication in OWASP ZAP

I am trying to implement an OWASP ZAP scan. But I am unable to find a script for header authentication. How to add header authentication for the key value pair, e.g. key = api-key value = 123 docker run --...

2 votes, 2 answers, 1k views

How to capture HTTP request in OWASP ZAP

I need to scan some APIs that are only available over the HTTP protocol. Let's say I'm testing http://example.com, I ran the following commands export http_proxy=localhost:8080 export https_proxy=localhost:8080 curl ...

2 votes, 1 answer, 1k views

How to define our own ZAP active rule?

We want to use ZAP to scan our site for vulnerability issues. Is there any way to define our own active rule for our business? For example, we want to check whether any JavaScript posts any data to the ...

2 votes, 1 answer, 2k views

ZAProxy: 400 HTTP response when attack on localhost:8080

I installed ZAProxy and FireFox, ensuring that the proxy is set correctly and is the same for both tools, localhost and 8080. I have a web app named openemr currently running on an XAMPP Apache server,...

2 votes, 1 answer, 1k views

How to check if ZAP reports/alerts have been generated after scan?

I'm currently interacting with ZAP using the REST-API (using Groovy as a language). What I want to achieve is to start a scan and retrieve the results once the scan has finished. I'm currently ...

2 votes, 1 answer, 87 views

When will the password be encrypted while logging in?

While logging into a webpage (for example Gmail), at which point will those credentials be encrypted? In my case: Actually I have used ZAP proxy to analyze traffic going through my browser. When I ...

2 votes, 1 answer, 553 views

Unable to apply alert filter on alerts created in ZAP

I integrated ZAP scans (by proxying e2e tests) in our CI pipelines. I'm checking the alert filter plugin to flag false positives. Due to organisational requirements we are supposed to generate two ZAP ...

2 votes, 1 answer, 483 views

How to execute selenium script using ZAP Plugin in Jenkins

I have a problem with the ZAP plugin in Jenkins. Assume I have my Selenium script written in Java; it will launch a browser and set a proxy automatically. What I need is to launch the Selenium Java code from ...

2 votes, 1 answer, 4k views

How to get CSRF token on authorization request with OWASP ZAP in bruteforce mode

I am new to OWASP ZAP, so I need your help. I have a vulnerable site, DVWA. I am trying to work on the token (CSRF) in bruteforce. When the page loads I have an HTML form with login, password and user-token....

2 votes, 0 answers, 122 views

How to integrate a task to perform OWASP ZAP scan with authentication in Azure DevOps release pipeline?

The requirement is to perform an OWASP ZAP scan for a website that requires authentication in an Azure DevOps release pipeline. Unable to find ways to perform this for an authenticated webpage. Please guide ...

2 votes, 1 answer, 199 views

ZAP Passive scan rules are part of scan even after disabling them

I am using the ZAP docker image to perform API scans. I have disabled some passive scan rules in the zap_started hook Python script. Still, these are listed as part of the final report. Script to disable ...

2 votes, 0 answers, 1k views

How to solve/fix DOM XSS issue reported by OWASP ZAP?

I am using OWASP ZAP to scan my web application, developed using the ASP.NET framework/C#. I am being tasked by the company to ensure NO error is reported by OWASP ZAP. OWASP ZAP reported this log: Issue: ...

2 votes, 1 answer, 394 views

ASP.NET MVC 5 Azure App ZAP Scan indicates Proxy Disclosure vulnerability - how can we prevent that?

The ZAP scan report indicates that 2 proxy servers were detected or fingerprinted. It says it did both a GET and POST method to our URL with attacks of TRACE, OPTIONS with Max-Forwards header, and ...

2 votes, 0 answers, 366 views

OWASP ZAP Ajax Spider URL parameter issue

I'm trying to use ZAP to do an AJAX Spider on my web app and am trying to understand a couple of things. When running the AJAX spider, it hits a URL structure of mydomain.com/profile and the spider ...

2 votes, 1 answer, 1k views

Jenkins Docker Sidecar with Container Running a daemon command

I want to run ZAP as a proxy in my pipeline, and run my Selenium tests through the proxy. I'm just using curl in a container in place of Selenium for my testing and was able to make this work locally ...

2 votes, 0 answers, 3k views

ZAP API scan error using zap-api-scan.py

In my CI setup I use the following command: docker run -v /etc/hosts:/etc/hosts -v $(pwd):/zap/wrk:rw -t owasp/zap2docker-weekly \ zap-api-scan.py -t openapi.json -f openapi -c .zap-...