Questions tagged [zap]

OWASP Zed Attack Proxy (ZAP)

https://www.owasp.org/index.php/ZAP

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. OWASP, an online community, produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.

548 questions
3 votes, 1 answer

OWASP Zed Attack Proxy Scan in DevOps pipeline

My requirement is to do the "Authenticated Scan" using the TFS DevOps pipeline. For this I added the "OWASP Zed Attack Proxy Scan" extension under TFS and added the tasks in the pipeline. Also I installed the OWASP desktop app (2.11.1); the pipeline is working…
Saad Awan
3 votes, 2 answers

Selenium script execution scanning by OWASP ZAP docker

I know one method is with "https://dzone.com/articles/automate-zap-security-tests-with-selenium-webdrive-1", but are there direct commands that can scan our Selenium application execution by OWASP ZAP? Run proxied OWASP ZAP on the…
a learner
3 votes, 2 answers

Utilizing ZAP for REST API testing

I'm curious as to how ZAP can be used to test REST APIs in the context of API security. Is it just the OpenAPI add-on that can be used, or are there other (more effective) methods?
vuln3x
3 votes, 1 answer

How can we integrate OWASP ZAP & Cypress?

Is there any way we can integrate the OWASP ZAP security testing tool with Cypress?
Nidhi
3 votes, 1 answer

OWASP ZAP: how to check vulnerabilities of a POST request

I have to check whether my REST POST endpoint has any vulnerabilities. I'm using OWASP ZAP for the first time. If I try to check my endpoint, which is a REST POST, just by inserting the URL in the form in OWASP ZAP, it gives me a 405 error. So how…
Lulixter
3 votes, 1 answer

OWASP ZAP scan returns "Application Error Disclosure" for a JavaScript library. Is it a false positive? How to prove that or fix it?

After an automatic scan with OWASP ZAP 2.8.0 I have "Application Error Disclosure" on a JavaScript file (moxiejs library). The site is based on WordPress, updated to the newest version. How to fix this vulnerability? Or is it a false positive? Medium…
Ilona K
3 votes, 1 answer

Exclude URLs from ZAP proxy scanning when run as a daemon

How can I exclude certain URLs from ZAP proxy scanning when starting it in daemon mode with the following command: zap.sh -daemon -host 0.0.0.0 -port 8090 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.disablekey=true Is…
Mariusz Miesiak
3 votes, 0 answers

I am trying to automate security testing of web applications using OWASP ZAP in Jenkins. I am getting the following issue

The issue is as follows: 5825 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Spider initializing... 5854 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Starting spider... 5854 [ZAP-SpiderInitThread-0] WARN…
Reshma k
3 votes, 2 answers

ZAP keeps scanning unnecessary URLs

What I'm doing is: starting ZAP to listen on some port: zap.bat -daemon -host localhost -port 2355 -config api.disablekey=true; starting a new session: curl -X GET…
TEH EMPRAH
3 votes, 1 answer

ZAProxy: 400 HTTP response when attacking localhost:8080

I installed ZAProxy and Firefox, ensuring that the proxy is set correctly and is the same for both tools, localhost and 8080. I have a web app named openemr currently running on an XAMPP Apache server, and I can access it as…
3 votes, 2 answers

Pass login parameters to a scan with OWASP ZAP in a docker command

I'm trying to execute a command to attack an application with a login, but I don't know how to pass my user and password to the URL. The login sends a POST with user and password to verify whether it exists. Command to attack: docker run --rm -v…
Pedro Mercado
3 votes, 1 answer

How to use OWASP ZAP for a MiTM attack on Android?

I know that I have not handled MiTM in my Android application and it might be vulnerable. I want to test the scenario by connecting my Android phone via a proxy (my laptop) and using any possible tools to check for a MiTM attack.
Hussain Mansoor
3 votes, 1 answer

How do I set up OWASP ZAP as an MITM proxy to debug HTTP web service calls?

I want to capture HTTP requests and responses on OS X. The requests are being sent from a Ruby on Rails server to an Elasticsearch server, so I cannot use the built-in logging provided by Chrome or another browser. In my elasticsearch.yaml, I have…
Paul Chernoch
3 votes, 1 answer

ZAP Attack Proxy: History Request ID is not consecutive

I've used ZAP to intercept traffic. It works nicely and I have a history of my REQUEST - RESPONSE pairs like this: ID Req. TimeStamp Method etc .. ... 1955 Tue Apr 05 15:42:47 CEST 2016 GET https ://... 1971 …
3 votes, 1 answer

SESSION_COOKIE_HTTPONLY = True not working in Django

I have set the following in my settings.py: SESSION_COOKIE_HTTPONLY = True, even though the docs say this is the default. Then I use ./manage.py runserver and run the OWASP ZAP scanner on the site. But OWASP ZAP says that the cookie was set without the…
user14717