ZAP Alert Details

ZAP provides the following HTTP passive and active scan rules which find specific vulnerabilities.

Note that these are examples of the alerts raised; many rules report different details depending on the exact problem encountered.

Only the release rules are included in ZAP by default; the beta and alpha rules can be installed via the ZAP Marketplace.

You can also use HTTP passive and active scripts, examples of which are available in the ZAP community scripts repo, as well as WebSocket passive scripts.

| Id | Alert | Status | Type |
|---|---|---|---|
| 0 | Directory Browsing | release | Active Scan Rule |
| 2 | Private IP Disclosure | release | Passive Scan Rule |
| 3 | Session ID in URL Rewrite | release | Passive Scan Rule |
| 6 | Path Traversal | release | Active Scan Rule |
| 7 | Remote File Inclusion | release | Active Scan Rule |
| 41 | Source Code Disclosure - Git | beta | Active Scan Rule |
| 42 | Source Code Disclosure - SVN | beta | Active Scan Rule |
| 43 | Source Code Disclosure - File Inclusion | beta | Active Scan Rule |
| 10003 | Vulnerable JS Library | beta | Passive Scan Rule |
| 10009 | In Page Banner Information Leak | alpha | Passive Scan Rule |
| 10010 | Cookie No HttpOnly Flag | release | Passive Scan Rule |
| 10011 | Cookie Without Secure Flag | release | Passive Scan Rule |
| 10015 | Incomplete or No Cache-control and Pragma HTTP Header Set | release | Passive Scan Rule |
| 10016 | Web Browser XSS Protection Not Enabled | release | Passive Scan Rule |
| 10017 | Cross-Domain JavaScript Source File Inclusion | release | Passive Scan Rule |
| 10019 | Content-Type Header Missing | release | Passive Scan Rule |
| 10020 | X-Frame-Options Header | release | Passive Scan Rule |
| 10021 | X-Content-Type-Options Header Missing | release | Passive Scan Rule |
| 10023 | Information Disclosure - Debug Error Messages | release | Passive Scan Rule |
| 10024 | Information Disclosure - Sensitive Information in URL | release | Passive Scan Rule |
| 10025 | Information Disclosure - Sensitive Information in HTTP Referrer Header | release | Passive Scan Rule |
| 10026 | HTTP Parameter Override | beta | Passive Scan Rule |
| 10027 | Information Disclosure - Suspicious Comments | release | Passive Scan Rule |
| 10028 | Open Redirect | beta | Passive Scan Rule |
| 10029 | Cookie Poisoning | beta | Passive Scan Rule |
| 10030 | User Controllable Charset | beta | Passive Scan Rule |
| 10031 | User Controllable HTML Element Attribute (Potential XSS) | beta | Passive Scan Rule |
| 10032 | Viewstate | release | Passive Scan Rule |
| 10033 | Directory Browsing | beta | Passive Scan Rule |
| 10034 | Heartbleed OpenSSL Vulnerability (Indicative) | beta | Passive Scan Rule |
| 10035 | Strict-Transport-Security Header | beta | Passive Scan Rule |
| 10036 | HTTP Server Response Header | beta | Passive Scan Rule |
| 10037 | Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s) | release | Passive Scan Rule |
| 10038 | Content Security Policy (CSP) Header Not Set | beta | Passive Scan Rule |
| 10039 | X-Backend-Server Header Information Leak | beta | Passive Scan Rule |
| 10040 | Secure Pages Include Mixed Content | release | Passive Scan Rule |
| 10041 | HTTP to HTTPS Insecure Transition in Form Post | beta | Passive Scan Rule |
| 10042 | HTTPS to HTTP Insecure Transition in Form Post | beta | Passive Scan Rule |
| 10043 | User Controllable JavaScript Event (XSS) | beta | Passive Scan Rule |
| 10044 | Big Redirect Detected (Potential Sensitive Information Leak) | beta | Passive Scan Rule |
| 10045 | Source Code Disclosure - /WEB-INF folder | release | Active Scan Rule |
| 10046 | Insecure Component | alpha | Passive Scan Rule |
| 10047 | HTTPS Content Available via HTTP | beta | Active Scan Rule |
| 10048 | Remote Code Execution - Shell Shock | beta | Active Scan Rule |
| 10049 | Content Cacheability | alpha | Passive Scan Rule |
| 10050 | Retrieved from Cache | beta | Passive Scan Rule |
| 10051 | Relative Path Confusion | beta | Active Scan Rule |
| 10052 | X-ChromeLogger-Data (XCOLD) Header Information Leak | beta | Passive Scan Rule |
| 10053 | Apache Range Header DoS (CVE-2011-3192) | beta | Active Scan Rule |
| 10054 | Cookie Without SameSite Attribute | release | Passive Scan Rule |
| 10055 | CSP | release | Passive Scan Rule |
| 10056 | X-Debug-Token Information Leak | release | Passive Scan Rule |
| 10057 | Username Hash Found | release | Passive Scan Rule |
| 10058 | GET for POST | beta | Active Scan Rule |
| 10061 | X-AspNet-Version Response Header | release | Passive Scan Rule |
| 10062 | PII Disclosure | beta | Passive Scan Rule |
| 10063 | Feature Policy Header Not Set | alpha | Passive Scan Rule |
| 10070 | Use of SAML | alpha | Passive Scan Rule |
| 10094 | Base64 Disclosure | alpha | Passive Scan Rule |
| 10095 | Backup File Disclosure | beta | Active Scan Rule |
| 10096 | Timestamp Disclosure | release | Passive Scan Rule |
| 10097 | Hash Disclosure | beta | Passive Scan Rule |
| 10098 | Cross-Domain Misconfiguration | release | Passive Scan Rule |
| 10099 | Source Code Disclosure | alpha | Passive Scan Rule |
| 10103 | Image Location and Privacy Scanner | beta | Passive Scan Rule |
| 10104 | User Agent Fuzzer | beta | Active Scan Rule |
| 10105 | Weak Authentication Method | release | Passive Scan Rule |
| 10106 | HTTP Only Site | beta | Active Scan Rule |
| 10107 | Httpoxy - Proxy Header Misuse | beta | Active Scan Rule |
| 10108 | Reverse Tabnabbing | beta | Passive Scan Rule |
| 10109 | Modern Web Application | beta | Passive Scan Rule |
| 10110 | Dangerous JS Functions | alpha | Passive Scan Rule |
| 10202 | Absence of Anti-CSRF Tokens | release | Passive Scan Rule |
| 20012 | Anti-CSRF Tokens Check | beta | Active Scan Rule |
| 20014 | HTTP Parameter Pollution | beta | Active Scan Rule |
| 20015 | Heartbleed OpenSSL Vulnerability | beta | Active Scan Rule |
| 20016 | Cross-Domain Misconfiguration | beta | Active Scan Rule |
| 20017 | Source Code Disclosure - CVE-2012-1823 | beta | Active Scan Rule |
| 20018 | Remote Code Execution - CVE-2012-1823 | beta | Active Scan Rule |
| 20019 | External Redirect | release | Active Scan Rule |
| 30001 | Buffer Overflow | release | Active Scan Rule |
| 30002 | Format String Error | release | Active Scan Rule |
| 30003 | Integer Overflow Error | beta | Active Scan Rule |
| 40003 | CRLF Injection | release | Active Scan Rule |
| 40008 | Parameter Tampering | release | Active Scan Rule |
| 40009 | Server Side Include | release | Active Scan Rule |
| 40012 | Cross Site Scripting (Reflected) | release | Active Scan Rule |
| 40013 | Session Fixation | beta | Active Scan Rule |
| 40014 | Cross Site Scripting (Persistent) | release | Active Scan Rule |
| 40015 | LDAP Injection | alpha | Active Scan Rule |
| 40016 | Cross Site Scripting (Persistent) - Prime | release | Active Scan Rule |
| 40017 | Cross Site Scripting (Persistent) - Spider | release | Active Scan Rule |
| 40018 | SQL Injection | release | Active Scan Rule |
| 40019 | SQL Injection - MySQL | beta | Active Scan Rule |
| 40020 | SQL Injection - Hypersonic SQL | beta | Active Scan Rule |
| 40021 | SQL Injection - Oracle | beta | Active Scan Rule |
| 40022 | SQL Injection - PostgreSQL | beta | Active Scan Rule |
| 40023 | Possible Username Enumeration | beta | Active Scan Rule |
| 40024 | SQL Injection - SQLite | beta | Active Scan Rule |
| 40025 | Proxy Disclosure | beta | Active Scan Rule |
| 40026 | Cross Site Scripting (DOM Based) | alpha | Active Scan Rule |
| 40027 | SQL Injection - MsSQL | beta | Active Scan Rule |
| 40028 | ELMAH Information Leak | beta | Active Scan Rule |
| 40029 | Trace.axd Information Leak | beta | Active Scan Rule |
| 40032 | .htaccess Information Leak | beta | Active Scan Rule |
| 40033 | NoSQL Injection - MongoDB | alpha | Active Scan Rule |
| 40034 | .env Information Leak | alpha | Active Scan Rule |
| 40035 | Hidden File Finder | alpha | Active Scan Rule |
| 90001 | Insecure JSF ViewState | release | Passive Scan Rule |
| 90002 | Java Serialization Object | alpha | Passive Scan Rule |
| 90003 | Sub Resource Integrity Attribute Missing | alpha | Passive Scan Rule |
| 90011 | Charset Mismatch | release | Passive Scan Rule |
| 90017 | XSLT Injection | alpha | Active Scan Rule |
| 90018 | Advanced SQL Injection | beta | Active Scan Rule |
| 90019 | Server Side Code Injection | release | Active Scan Rule |
| 90020 | Remote OS Command Injection | release | Active Scan Rule |
| 90021 | XPath Injection | beta | Active Scan Rule |
| 90022 | Application Error Disclosure | release | Passive Scan Rule |
| 90023 | XML External Entity Attack | beta | Active Scan Rule |
| 90024 | Generic Padding Oracle | beta | Active Scan Rule |
| 90025 | Expression Language Injection | beta | Active Scan Rule |
| 90027 | Cookie Slack Detector | beta | Active Scan Rule |
| 90028 | Insecure HTTP Method | beta | Active Scan Rule |
| 90033 | Loosely Scoped Cookie | release | Passive Scan Rule |
| 90034 | Cloud Metadata Potentially Exposed | alpha | Active Scan Rule |