Questions tagged [zap]

OWASP Zed Attack Proxy (ZAP)

https://www.owasp.org/index.php/ZAP

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. As an online community, OWASP produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.

548 questions
35 votes, 3 answers

Adding authentication in ZAP tool to attack a URL

How do I pass authentication details to the ZAP tool to scan the website? Please help me to solve the problem.
user2323844
7 votes, 1 answer

Passive Scan in OWASP ZAP

I have started learning OWASP ZAP and I am confused about passive scanning in OWASP ZAP. On right-clicking the node in the Site tree I do not see any passive scanning option; however, under Tools | Options I am able to see Passive Scan Rules. How can I…
NewBee
6 votes, 2 answers

OWASP ZAP - how to "prove" false positives?

Our customer requires us to run the OWASP ZAP tool against our web application (ASP.NET 4.5.2, Webforms) and we cannot have any high priority findings in the report. We've done the analysis, and OWASP ZAP reports two vulnerabilities which both are…
marc_s
6 votes, 1 answer

Can ZAP be used for SPA application

I have a SPA application (AngularJS front end / RESTful WebAPI back end). The SPA by design uses client routing, i.e. a typical "page" looks like http://contosco.com#/page1, http://contosco.com#/page2, etc. I know that ZAP has an "ajax spidering" mode in…
Ondrej Svejdar
5 votes, 0 answers

How to integrate a task to perform OWASP ZAP scan with authentication in Azure DevOps release pipeline?

The requirement is to perform an OWASP ZAP scan for a website that requires authentication in an Azure DevOps release pipeline. I am unable to find ways to perform this for an authenticated webpage. Please guide me on this. I could find ways of using OWASP ZAP…
5 votes, 1 answer

How to scan particular URL or page alone in owasp zap

I have installed OWASP ZAP 2.8.0 and scanned our site fully. In the result we got some SQL injection URLs or pages. So we have fixed those SQL injection issues in development which are mentioned by the OWASP tool. How to scan the particular page or URL in…
5 votes, 1 answer

Can Owasp Zap be used to proxy all http and https traffic through an HTTPS connection?

I've just started using ZAP, and am successfully running it in Firefox and Chrome. I'd like to use it to automatically serve its SSL cert for non-HTTPS sites as well. So for example, I'd like it to be able to serve http://example.com as…
Brad Parks
4 votes, 1 answer

Comparing multiple HTTP responses in OWASP ZAP

I am doing an authentication lab on PortSwigger which requires me to compare multiple HTTP requests and find a subtle difference between them in order to find a valid username. However, I don't know how to do this using OWASP ZAP. By any chance could…
4 votes, 2 answers

OWASP ZAP cannot test API

I am currently trying to scan the API with ZAP. I downloaded the pet shop example from https://editor.swagger.io/ and set up a server with Spring. Now I want to scan this API with a Jenkins build job. My build job so far says: docker pull…
Simon
4 votes, 1 answer

NTLM authentication in ZAP

I'm trying to do some penetration testing of a REST API using ZAP. The API uses Windows authentication [domain\username] and is hosted locally on a specific port. First I did a test using Postman to try to connect and make an example request. My config…
Chris4D
4 votes, 2 answers

OWASP ZAP testing REST API

Is it possible to test a REST API via OWASP ZAP? "URL to attack" worked just for GET requests. For example, my API controllers work only with a token. I have a TokenController and this controller requires POST data via JSON including a password and…
Сергей
4 votes, 0 answers

How to use Postman with OWASP ZAP Proxy?

I'm trying to explore a REST API using ZAP and Postman but I get an error, probably because I didn't set up something right. Should I add the CA certificate from ZAP to Postman? Could not get any response There was an error connecting to…
dmz73
4 votes, 0 answers

Selenium and Cucumber proxy setting (cucumber.xml or CucumberRunner)

Trying to set the proxy (to the OWASP ZAP Proxy port) in Cucumber via a property, but to no avail. cucumber.xml
dev
4 votes, 1 answer

Import root CA in chromedriver (Selenium)

I have tried and searched almost everything but still didn't find an answer on how to import a root CA into chromedriver while running my Selenium tests. Small background info: I am running regression tests with Selenium and chromedriver. My goal is to let…
Selenium Noob
4 votes, 1 answer

OWASP's ZAP and the Fuzz ability

My scenario: I navigate to a login page. I put in a known username with a bad password. ZAP picks this up with no issue. I select the POST to the login page. I find the lines that contain the username and password. The…
James Craig