Questions tagged [zap]

OWASP Zed Attack Proxy (ZAP)

https://www.owasp.org/index.php/ZAP

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. As an online community, OWASP produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.

548 questions
-1
votes
1 answer

ZAP Spider can't find form request on DVWA

I'm trying to use OWASP ZAP and DVWA. I want to find all requests using the spider. I set it up as below: login admin user, include default context, Flag as Context: Form-based Auth Login Request, add admin user, Forced user mode enabled, Flag as Context:…
-1
votes
1 answer

How to construct a security regression Test?

Details: I had already read several articles regarding a security-specific regression test, which could not be more different. Some advocate a strict mixture of CI pipelines and manual pentest procedures, others swear by no CI automated test…
Mornon
-1
votes
1 answer

GitLab CI implementation of ZAP with Selenium

I have been trying to get ZAP running in the GitLab CI pipeline but with no luck. Even though it works fine on my local machine on ChromeDriver, when I try interacting with Remote WebDriver while running on the GitLab Shared Runner, I can't seem to…
-1
votes
2 answers

Scanning using OWASP Zap Api

I am trying to use a script to scan a target and perform an active scan as a proof of concept. I have worked on the implementation below and I cannot get it to work; I am not sure why it will not work. I have Zap2Docker running and can access it via…
docker dev
-1
votes
1 answer

ZAP Daemon -quickout doesn't produce report

I'm running the ZAP daemon locally to understand it better. I'm able to see results if I open the UI in the browser (localhost:8090/UI/core/other/htmlreport). But if I use the option "-quickout C:\Users\test.html", the report is not produced. Do you…
t30_9
-1
votes
1 answer

Can Zap be used as a DAST tool via API without spidering?

I'm trying to use ZAP as a DAST tool via the API and it's getting a bit annoying. Can I use the tool as an attack tool instead of a proxy tool? What I mean is, currently I can't launch an active scan without the URL being in the tree, which is only…
John13
-1
votes
1 answer

OWASP ZAP - Initiated ZAP Daemon instance is not shutting down via Python after scan in Gitlab CI/CD

Initiating ZAP through the GitLab CLI as a daemon: java -jar app.jar -daemon -dir $(pwd) &. Running the scan through Python, and the report is generated. After the scan completes, the GitLab Linux box is still saying ZAPHost is listening on localhost:8080. I…
-1
votes
1 answer

GitLab CI implementation of ZAP

I'm working on a GitLab CI implementation of ZAP. What I'm trying to achieve is to perform tests directly in the project and check the results in the pipeline. I need your help to understand how I can write a yml file to test all the URLs present…
-1
votes
1 answer

ZAP docker passive scanning results

I have created a Zap container (inside docker) using the command docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap-x.sh -daemon -host 0.0.0.0 -port 8080 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config…
-1
votes
1 answer

Python OWASP ZAP API doesn't seem to successfully authenticate http basic

I have a problem with using the API to do an authenticated scan of a website that I made. This (test) website uses HTTP Basic authentication. When initiating the scan it can't seem to find the web pages behind the login. Below you can find the…
-1
votes
1 answer

How to start ZAP.exe in daemon mode with admin user using C#

I tried to start zap.exe in daemon mode using C#, but the exe always gets opened with the project's name. The process javaw.exe will get started whenever ZAP starts in daemon mode. I tried with the code attached here, but no…
-1
votes
1 answer

PDO does not filter SQL injection

I have an application with PHP 5.3.29 and MySQL 5.6.35. I used SQLQUERY to execute SQL instructions, then changed to PDO with prepared statements to avoid SQLi, but when I test my app with ZAP 2.6.0, I can confirm that the SQLi still happens,…
-1
votes
1 answer

OWASP ZAP - a list of error messages

Where in the ZAP source code can I find the list or template of response errors like MySQL-Error and PHP-Error from test sites? Not the problems reported by ZAP in the results.
idimio
-2
votes
1 answer

How can I log anything when ZAP receives a communication?

I want to create a ZAP add-on which simply logs something on the console whenever a communication is received. I followed the following tutorial to create a simple add-on, but now I don't know what I should do to achieve my goal.
PyKKe
-2
votes
1 answer

How to test this vulnerability?

The query time is controllable using parameter value [' | case randomblob(1000000000) when not null then "" else "" end | '], which caused the request to take [142] milliseconds, parameter value [' | case randomblob(1000000000) when not null then ""…
Tsombie