ZAP Tags

Posted 282 Words

Basics

A bit of functionality that ZAP has had since early days is the ability to apply a tag to a message that passes through the proxy. They allow for quick and simple summaries that highlight key aspects of requests or responses.

History panel showing tags

The tags are defined in and controlled by ZAP's options:

Options tags panel

Each Tag is defined by a regex pattern and is applied via ZAP's passive scanning functionality, for example the Hidden tag looks for form fields that have HTML type="hidden":

Hidden Tag configuration

Contact page hidden tag and source

Tags can also be used to filter History entries. For example, if you wanted to see only those messages that had Hidden fields:

History Filter dialog

Filtered History

Interpolation

A lesser known feature that was added in version 2.8.0 is Tag Interpolation. This may sound like an advanced or daunting technology. But really it boils down to allowing the value returned by a Regex capturing group to be used in the Tag text. For example a user could configure a Tag to identify the ID or name of a product:

Product Tag configuration

This Tag is setup such that the value of the first (and only) $1 capturing group ([\d]+)is returned as part of the tag value: Product-$1.

Product Tag example

This could also be used for things like extracting usernames from responses (attributing logged in user), etc.

Neonmarker

There is an add-on for ZAP which allows colouring of history items (rows) based on tags. The add-on is called Neonmarker and is available via ZAP's Marketplace.

Neonmarker online marketplace

ZAP toolbar, marketplace button

Marketplace dialog, Neonmarker

For example if you wanted all the messages with Hidden fields to be purple: Neonmarker example

Conclusion

By reading this post you've learned:

  • Generally about ZAP's Passive Scan Tag functionality.
  • How to configure tags.
  • How to use interpolation with tags.
  • How to get and use the Neonmarker add-on.