ZAP Alert Details

ZAP provides the following HTTP passive and active scan rules which find specific vulnerabilities.

Note that these are examples of the alerts raised - many rules include different details depending on the exact problem encountered.

Only the release rules are included in ZAP by default, the beta and alpha rules can be installed via the ZAP Marketplace.

You can also use HTTP passive and active scripts, examples of which are available in the ZAP community scripts repo, as well as Websocket passive scripts.

Many alerts support tags which allow you to see which alerts are related to, for example, specific OWASP Top Ten categories or OWASP Web Service Testing Guide chapters.

Some alerts are only relevant for specific technologies - if you know your target app does not use some of these technologies then you can configure ZAP to skip those tests.

Id Alert Status Risk Type
0 Directory Browsing release Medium Active
2 Private IP Disclosure release Low Passive
3 Session ID in URL Rewrite release Passive
3-1 Session ID in URL Rewrite release Medium Passive
3-2 Session ID in URL Rewrite release Medium Passive
3-3 Referer Exposes Session ID release Medium Passive
6 Path Traversal release Active
6-1 Path Traversal release High Active
6-2 Path Traversal release High Active
6-3 Path Traversal release High Active
6-4 Path Traversal release High Active
6-5 Path Traversal release High Active
7 Remote File Inclusion release High Active
41 Source Code Disclosure - Git beta High Active
42 Source Code Disclosure - SVN beta Medium Active
43 Source Code Disclosure - File Inclusion beta High Active
10003 Vulnerable JS Library release Medium Passive
10009 In Page Banner Information Leak beta Low Passive
10010 Cookie No HttpOnly Flag release Low Passive
10011 Cookie Without Secure Flag release Low Passive
10015 Re-examine Cache-control Directives release Informational Passive
10016 Web Browser XSS Protection Not Enabled deprecated Passive
10017 Cross-Domain JavaScript Source File Inclusion release Low Passive
10019 Content-Type Header Missing release Informational Passive
10020 Anti-clickjacking Header release Passive
10020-1 Missing Anti-clickjacking Header release Medium Passive
10020-2 Multiple X-Frame-Options Header Entries release Medium Passive
10020-3 X-Frame-Options Defined via META (Non-compliant with Spec) release Medium Passive
10020-4 X-Frame-Options Setting Malformed release Medium Passive
10021 X-Content-Type-Options Header Missing release Low Passive
10023 Information Disclosure - Debug Error Messages release Low Passive
10024 Information Disclosure - Sensitive Information in URL release Informational Passive
10025 Information Disclosure - Sensitive Information in HTTP Referrer Header release Informational Passive
10026 HTTP Parameter Override beta Medium Passive
10027 Information Disclosure - Suspicious Comments release Informational Passive
10028 Open Redirect release Passive
10029 Cookie Poisoning release Passive
10030 User Controllable Charset release Passive
10031 User Controllable HTML Element Attribute (Potential XSS) release Passive
10032 Viewstate release Passive
10032-1 Potential IP Addresses Found in the Viewstate release Medium Passive
10032-2 Emails Found in the Viewstate release Medium Passive
10032-3 Old Asp.Net Version in Use release Low Passive
10032-4 Viewstate without MAC Signature (Unsure) release High Passive
10032-5 Viewstate without MAC Signature (Sure) release High Passive
10032-6 Split Viewstate in Use release Informational Passive
10033 Directory Browsing release Medium Passive
10034 Heartbleed OpenSSL Vulnerability (Indicative) release Passive
10035 Strict-Transport-Security Header release Passive
10036 HTTP Server Response Header release Passive
10036-1 Server Leaks its Webserver Application via 'Server' HTTP Response Header Field release Informational Passive
10036-2 Server Leaks Version Information via 'Server' HTTP Response Header Field release Low Passive
10037 Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s) release Low Passive
10038 Content Security Policy (CSP) Header Not Set release Passive
10038-1 Content Security Policy (CSP) Header Not Set release Medium Passive
10038-2 Obsolete Content Security Policy (CSP) Header Found release Informational Passive
10038-3 Content Security Policy (CSP) Report-Only Header Found release Informational Passive
10039 X-Backend-Server Header Information Leak release Passive
10040 Secure Pages Include Mixed Content release Passive
10041 HTTP to HTTPS Insecure Transition in Form Post release Passive
10042 HTTPS to HTTP Insecure Transition in Form Post release Passive
10043 User Controllable JavaScript Event (XSS) release Passive
10044 Big Redirect Detected (Potential Sensitive Information Leak) release Passive
10045 Source Code Disclosure - /WEB-INF folder release High Active
10046 Insecure Component deprecated Passive
10047 HTTPS Content Available via HTTP beta Low Active
10048 Remote Code Execution - Shell Shock beta High Active
10049 Content Cacheability beta Passive
10049-1 Non-Storable Content beta Informational Passive
10049-2 Storable but Non-Cacheable Content beta Informational Passive
10049-3 Storable and Cacheable Content beta Informational Passive
10050 Retrieved from Cache release Passive
10051 Relative Path Confusion beta Medium Active
10052 X-ChromeLogger-Data (XCOLD) Header Information Leak release Passive
10053 Apache Range Header DoS (CVE-2011-3192) deprecated Medium Active
10054 Cookie without SameSite Attribute release Low Passive
10055 CSP release Passive
10055-1 CSP: X-Content-Security-Policy release Low Passive
10055-2 CSP: X-WebKit-CSP release Low Passive
10055-3 CSP: Notices release Low Passive
10055-4 CSP: Wildcard Directive release Medium Passive
10055-5 CSP: script-src unsafe-inline release Medium Passive
10055-6 CSP: style-src unsafe-inline release Medium Passive
10055-7 CSP: script-src unsafe-hashes release Medium Passive
10055-8 CSP: style-src unsafe-hashes release Medium Passive
10055-9 CSP: Malformed Policy (Non-ASCII) release Medium Passive
10055-10 CSP: script-src unsafe-eval release Medium Passive
10055-11 CSP: Meta Policy Invalid Directive release Medium Passive
10055-12 CSP: Header & Meta release Informational Passive
10056 X-Debug-Token Information Leak release Low Passive
10057 Username Hash Found release Informational Passive
10058 GET for POST release Informational Active
10061 X-AspNet-Version Response Header release Low Passive
10062 PII Disclosure release High Passive
10063 Permissions Policy Header Not Set beta Passive
10063-1 Permissions Policy Header Not Set beta Low Passive
10063-2 Deprecated Feature Policy Header Set beta Low Passive
10070 Use of SAML alpha Passive
10094 Base64 Disclosure alpha Passive
10094-1 ASP.NET ViewState Disclosure alpha Informational Passive
10094-2 ASP.NET ViewState Integrity alpha High Passive
10094-3 Base64 Disclosure alpha Informational Passive
10095 Backup File Disclosure beta Medium Active
10096 Timestamp Disclosure release Low Passive
10097 Hash Disclosure release Passive
10098 Cross-Domain Misconfiguration release Medium Passive
10099 Source Code Disclosure - PHP alpha Medium Passive
10103 Image Exposes Location or Privacy Data beta Informational Passive
10104 User Agent Fuzzer release Informational Active
10105 Weak Authentication Method release Passive
10106 HTTP Only Site beta Medium Active
10107 Httpoxy - Proxy Header Misuse beta High Active
10108 Reverse Tabnabbing release Passive
10109 Modern Web Application release Passive
10110 Dangerous JS Functions beta Low Passive
10111 Authentication Request Identified beta Informational Passive
10112 Session Management Response Identified beta Informational Passive
10113 Verification Request Identified beta Informational Passive
10202 Absence of Anti-CSRF Tokens release Passive
20012 Anti-CSRF Tokens Check beta Medium Active
20014 HTTP Parameter Pollution beta Informational Active
20015 Heartbleed OpenSSL Vulnerability release High Active
20016 Cross-Domain Misconfiguration beta High Active
20017 Source Code Disclosure - CVE-2012-1823 release High Active
20018 Remote Code Execution - CVE-2012-1823 release High Active
20019 External Redirect release Active
20019-1 External Redirect release High Active
20019-2 External Redirect release High Active
20019-3 External Redirect release High Active
20019-4 External Redirect release High Active
30001 Buffer Overflow release Medium Active
30002 Format String Error release Medium Active
30003 Integer Overflow Error beta Medium Active
40003 CRLF Injection release Medium Active
40008 Parameter Tampering release Medium Active
40009 Server Side Include release High Active
40012 Cross Site Scripting (Reflected) release High Active
40013 Session Fixation beta High Active
40014 Cross Site Scripting (Persistent) release High Active
40015 LDAP Injection alpha High Active
40016 Cross Site Scripting (Persistent) - Prime release Informational Active
40017 Cross Site Scripting (Persistent) - Spider release Informational Active
40018 SQL Injection release High Active
40019 SQL Injection - MySQL release High Active
40020 SQL Injection - Hypersonic SQL release High Active
40021 SQL Injection - Oracle release High Active
40022 SQL Injection - PostgreSQL release High Active
40023 Possible Username Enumeration beta Informational Active
40024 SQL Injection - SQLite release High Active
40025 Proxy Disclosure beta Medium Active
40026 Cross Site Scripting (DOM Based) release High Active
40027 SQL Injection - MsSQL release High Active
40028 ELMAH Information Leak release Medium Active
40029 Trace.axd Information Leak release Medium Active
40031 Out of Band XSS beta High Active
40032 .htaccess Information Leak release Medium Active
40033 NoSQL Injection - MongoDB alpha High Active
40034 .env Information Leak release Medium Active
40035 Hidden File Found release Medium Active
40036 JWT Scan Rule alpha Medium Active
40038 Bypassing 403 beta Medium Active
40039 Web Cache Deception alpha Medium Active
40040 CORS Header beta Active
40040-1 CORS Header beta Informational Active
40040-2 CORS Misconfiguration beta Medium Active
40040-3 CORS Misconfiguration beta High Active
40041 File Upload alpha Medium Active
40042 Spring Actuator Information Leak beta Medium Active
40043 Log4Shell beta Active
40043-1 Log4Shell (CVE-2021-44228) beta High Active
40043-2 Log4Shell (CVE-2021-45046) beta High Active
40044 Exponential Entity Expansion (Billion Laughs Attack) beta Medium Active
40045 Spring4Shell beta High Active
40046 Server Side Request Forgery alpha High Active
40047 Text4shell (CVE-2022-42889) alpha High Active
90001 Insecure JSF ViewState release Medium Passive
90002 Java Serialization Object beta Medium Passive
90003 Sub Resource Integrity Attribute Missing beta Medium Passive
90004 Insufficient Site Isolation Against Spectre Vulnerability alpha Passive
90004-1 Insufficient Site Isolation Against Spectre Vulnerability alpha Low Passive
90004-2 Insufficient Site Isolation Against Spectre Vulnerability alpha Low Passive
90004-3 Insufficient Site Isolation Against Spectre Vulnerability alpha Low Passive
90011 Charset Mismatch release Informational Passive
90017 XSLT Injection release Medium Active
90018 Advanced SQL Injection beta High Active
90019 Server Side Code Injection release Active
90019-1 Server Side Code Injection - PHP Code Injection release High Active
90019-2 Server Side Code Injection - ASP Code Injection release High Active
90020 Remote OS Command Injection release High Active
90021 XPath Injection beta High Active
90022 Application Error Disclosure release Medium Passive
90023 XML External Entity Attack release High Active
90024 Generic Padding Oracle release High Active
90025 Expression Language Injection beta High Active
90026 SOAP Action Spoofing beta High Active
90027 Cookie Slack Detector beta Informational Active
90028 Insecure HTTP Method beta Medium Active
90029 SOAP XML Injection beta High Active
90030 WSDL File Detection beta Passive
90033 Loosely Scoped Cookie release Informational Passive
90034 Cloud Metadata Potentially Exposed release High Active
90035 Server Side Template Injection beta High Active
90036 Server Side Template Injection (Blind) beta High Active
110001 Application Error Disclosure via WebSockets release Medium WebSocket Passive
110002 Base64 Disclosure in WebSocket message release Informational WebSocket Passive
110003 Information Disclosure - Debug Error Messages via WebSocket release Low WebSocket Passive
110004 Email address found in WebSocket message release Informational WebSocket Passive
110005 Personally Identifiable Information via WebSocket release High WebSocket Passive
110006 Private IP Disclosure via WebSocket release Low WebSocket Passive
110007 Username Hash Found in WebSocket message release Informational WebSocket Passive
110008 Information Disclosure - Suspicious Comments in XML via WebSocket release Informational WebSocket Passive