Questions tagged [zap]

OWASP Zed Attack Proxy (ZAP)

https://www.owasp.org/index.php/ZAP

The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. As an online community, OWASP produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.

548 questions
2
votes
1 answer

CSP Scanner: Wildcard Directive alert for OpenID Connect session management endpoint

We used ZAP 2.8 to scan our Angular web application implemented with IdentityServer4 (implicit flow). It generated a Wildcard Directive alert (shown below); I am not sure whether it is a security issue or not. If it is a security issue, what should we…
Yukun
2
votes
0 answers

OWASP ZAP Ajax Spider URL parameter issue

I'm trying to use ZAP to do an AJAX Spider on my web app and am trying to understand a couple of things. When running the AJAX spider, it hits a URL structure of mydomain.com/profile and the spider gets stuck here and keeps hitting…
CoryDorning
2
votes
1 answer

Scanning REST APIs through OWASP ZAP inside a Docker environment

I set up an Azure DevOps CI/CD build that starts a VM where OWASP ZAP is running as a proxy and where the OWASP ZAP Azure DevOps task runs against a target URL and copies my report to Azure Storage. I followed this guy's beautiful tutorial: …
achahbar
2
votes
1 answer

Jenkins Docker Sidecar with Container Running a daemon command

I want to run ZAP as a proxy in my pipeline, and run my Selenium tests through the proxy. I'm just using curl in a container in place of Selenium for my testing and was able to make this work locally using Docker. In my pipeline, ZAP starts up, but…
Justin Seiser
2
votes
1 answer

How to define our own ZAP active rule?

We want to use ZAP to scan our site for vulnerability issues. Is there any way to define our own active rule for our business? For example, we want to check whether any JavaScript posts data to sites that are not in the whitelist. So,…
allencharp
2
votes
1 answer

Form Based Authentication OWASP ZAP for HTTPS application

I'm trying to use the Form-Based Authentication feature of OWASP ZAP using ZAP's Python API. I noticed that while using an HTTP application (for example, http://demo.testfire.net/) it is able to spider and give additional URLs once logged in. However,…
Mh07
2
votes
1 answer

How to execute a Selenium script using the ZAP plugin in Jenkins

I have a problem with the ZAP plugin in Jenkins. Assume I have my Selenium script written in Java; it will launch a browser and set a proxy automatically. What I need is to launch the Selenium Java code from Jenkins, and use the ZAP plugin to open the ZAP…
syndy1989
2
votes
1 answer

zaproxy: unable to find image 'in:latest' locally

I followed the example from: https://zaproxy.blogspot.com/2017/06/scanning-apis-with-zap.html. I installed Docker on my Mac, executed docker pull owasp/zap2docker-weekly, and executed the example: docker run -t owasp/zap2docker-weekly zap-api-scan.py -t \ …
Alex
2
votes
1 answer

Enumerating Subdirectories Using ZAP

I am using ZAP 2.7.0 and I would like to enumerate possible files/directories within a subdirectory of a given site. There is the DirBuster tool, which is not available in the marketplace anymore. However, ZAP implements the "forced browsing"…
user1192748
2
votes
1 answer

Can we single out an alert, say "Web Browser XSS Protection Not Enabled", and rerun it in ZAP Proxy?

Context: We used OWASP Zed Attack Proxy version 2.7.0 to do vulnerability tests of an application. We got a few alerts and are working on the resolution. Problem: We wanted to single out an alert, say "Web Browser XSS Protection Not Enabled", and run…
arunvg
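Singling out one alert is often wanted in the report rather than in the GUI: a CI job wants to fail on one specific finding and ignore or merely warn on the rest. The following is an added example, not code from the question above or from the ZAP project. It assumes a JSON report in the shape ZAP's JSON report uses (a "site" list, each site with an "alerts" list whose entries carry "pluginid", "alert", "riskcode" and "instances"), and a rule file in the tab-separated "pluginid, IGNORE|WARN|FAIL, (name)" layout that the baseline/API scan scripts accept with -c. Both the report content (hosts, URIs, plugin ids) and the rule file are constructed for the example; the 0/1/2 exit-code convention is chosen here to resemble the scan scripts' pass/warn/fail outcome and is an assumption, not something taken from the page. The script does not rerun the scan; it only selects the named alert from an existing report and decides a result.

```python
import json

# Constructed sample in the shape of a ZAP JSON report (assumption: "site" list,
# each site carrying an "alerts" list). Hosts, URIs and ids are made up.
SAMPLE_REPORT = json.dumps({
    "@version": "2.7.0",
    "site": [{
        "@name": "https://app.example.test",
        "alerts": [
            {"pluginid": "10016", "alert": "Web Browser XSS Protection Not Enabled",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://app.example.test/", "method": "GET"},
                           {"uri": "https://app.example.test/login", "method": "GET"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://app.example.test/static/app.js", "method": "GET"}]},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "https://app.example.test/search?q=x", "method": "GET"}]},
        ],
    }],
})

# Constructed rule file in the tab-separated layout assumed for the scan scripts'
# -c option: "<pluginid>\t<IGNORE|WARN|FAIL>\t(<name>)", one rule per line.
SAMPLE_RULES = """\
# comment lines and blank lines are skipped
10016\tFAIL\t(Web Browser XSS Protection Not Enabled)
10021\tIGNORE\t(X-Content-Type-Options Header Missing)
"""


def parse_rules(text):
    """Return {pluginid: action} from a baseline-style rule file, rejecting bad lines."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 2:
            raise ValueError("malformed rule line: %r" % line)
        pluginid, action = parts[0], parts[1].upper()
        if action not in ("IGNORE", "WARN", "FAIL"):
            raise ValueError("unknown action %r for plugin %s" % (action, pluginid))
        rules[pluginid] = action
    return rules


def alerts_by_name(report_json, name):
    """Single out one alert by display name across all sites; returns [(site, alert)]."""
    report = json.loads(report_json)
    found = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            if alert.get("alert") == name:
                found.append((site.get("@name"), alert))
    return found


def affected_uris(report_json, name):
    """Every URI on which the named alert was raised, in report order."""
    return [inst["uri"]
            for _, alert in alerts_by_name(report_json, name)
            for inst in alert.get("instances", [])]


def evaluate(report_json, rules, default="WARN"):
    """Apply rules to every alert. Returns (exit_code, summary):
    2 if any alert is FAIL, else 1 if any is WARN, else 0 (assumed convention).
    Alerts without a rule get `default`, so new findings are not silently dropped."""
    report = json.loads(report_json)
    summary = {"FAIL": [], "WARN": [], "IGNORE": []}
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            action = rules.get(alert.get("pluginid"), default)
            summary[action].append((alert.get("pluginid"), alert.get("alert"),
                                    len(alert.get("instances", []))))
    if summary["FAIL"]:
        return 2, summary
    if summary["WARN"]:
        return 1, summary
    return 0, summary


if __name__ == "__main__":
    target = "Web Browser XSS Protection Not Enabled"
    print("URIs missing the header:", affected_uris(SAMPLE_REPORT, target))
    code, summary = evaluate(SAMPLE_REPORT, parse_rules(SAMPLE_RULES))
    for action, items in summary.items():
        for pluginid, name, count in items:
            print("%-6s %s %s (%d instance(s))" % (action, pluginid, name, count))
    raise SystemExit(code)
```

Running it against a real report means replacing SAMPLE_REPORT with the file produced by -J (JSON report) and SAMPLE_RULES with the same file handed to -c, so the gate applied in CI is the one already reviewed for the baseline scan. The unmatched-alert default of WARN rather than IGNORE is deliberate: a rule file is an allow-list of decisions, not of findings.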
2
votes
1 answer

Passing config values to OWASP ZAP rest api script as a file: format?

I wanted to automate API pentesting. I referred to this blog: https://zaproxy.blogspot.in/2017/06/scanning-apis-with-zap.html. Could you direct me to where I can get a sample zap-options file that we pass with the -z option to the zap-api-scan.py script,…
Shinto C V
2
votes
0 answers

SSL traffic decryption - iOS

I'm looking for a way to perform a network trace between an iOS app I'm developing and a server I own, using my Mac to intercept traffic. Traffic is encrypted via SSL; I own the domain, and the PKCS12 certificate used to encrypt the traffic. I've…
2
votes
0 answers

ZAP API scan error using zap-api-scan.py

In my CI setup I use the following command: docker run -v /etc/hosts:/etc/hosts -v $(pwd):/zap/wrk:rw -t owasp/zap2docker-weekly \ zap-api-scan.py -t openapi.json -f openapi -c .zap-baseline.conf -d It should scan according to the…
Tommy Bravo
2
votes
1 answer

OWASP ZAP not showing requests to images in history view

I'm investigating some strange behavior in a web application where something is generating requests that shouldn't be there. Since the principal action triggering these requests opens a new browser window, browser built-in network debugging…
zb226
2
votes
4 answers

How to work with OWASP ZAP through a web interface

I do not want to use it from the desktop application. I need software that works on the web. I want to use it on a server. Personnel who want to use ZAP need to do this by connecting to that server. I could only run the desktop application
Hakan san