2

I'm using OWASP ZAP to scan a web application. After scanning I can export alerts I got as a PDF file. This PDF file includes only Alerts. The question is can I get a full list of all tests that passed and failed while scanning the app ? I know I can use ZAP's API to get all the scan rules, but it's not really what I need. I need a report that shows all test that passed and failed. Something like this :

| Test name | Passed / Failed |
| Test nr1 | Passed |
| Test nr2 | Failed |

Daniel Cretu
  • 21
  • 2

1 Answers1

3

There is no such thing as a passed test in OWASP ZAP (and actually all others security dynamic testing tools). OWASP ZAP holds a set of attack vectors and puts them into different requests to the tested applications. When it finds a vulnerability - good. It will be reported. If not - well, it does nothing. Having not found anything does not prove that there is no vulnerability. Simply there is nothing to report.

Having said that, it is always a good idea to manually look over the history of generated requests yourself to see, if the applications does its job correctly. Also look at the URLs ZAP is accessing. Is it what you wanted to test? Common mistake that makes me cry is pentesting the login screen because you have not configured authentication correctly.

danronmoon
  • 3,814
  • 5
  • 34
  • 56
Marek Puchalski
  • 3,286
  • 2
  • 26
  • 35