ZAP Alert Details

ZAP provides the following HTTP passive and active scan rules which find specific vulnerabilities.

Note that these are examples of the alerts raised; many rules report different details depending on the exact problem encountered.

Only the release rules are included in ZAP by default; the beta and alpha rules can be installed via the ZAP Marketplace.

You can also use HTTP passive and active scripts, examples of which are available in the ZAP community scripts repo, as well as WebSocket passive scripts.

| Id | Alert | Status | Risk | Type |
|---|---|---|---|---|
| 0 | Directory Browsing | release | Medium | Active |
| 2 | Private IP Disclosure | release | Low | Passive |
| 3 | Session ID in URL Rewrite | release | Medium | Passive |
| 6 | Path Traversal | release | High | Active |
| 7 | Remote File Inclusion | release | High | Active |
| 41 | Source Code Disclosure - Git | beta | High | Active |
| 42 | Source Code Disclosure - SVN | beta | Medium | Active |
| 43 | Source Code Disclosure - File Inclusion | beta | High | Active |
| 10003 | Vulnerable JS Library | release | Medium | Passive |
| 10009 | In Page Banner Information Leak | alpha | | Passive |
| 10010 | Cookie No HttpOnly Flag | release | Low | Passive |
| 10011 | Cookie Without Secure Flag | release | Low | Passive |
| 10015 | Incomplete or No Cache-control Header Set | release | | Passive |
| 10016 | Web Browser XSS Protection Not Enabled | deprecated | | Passive |
| 10017 | Cross-Domain JavaScript Source File Inclusion | release | | Passive |
| 10019 | Content-Type Header Missing | release | | Passive |
| 10020 | X-Frame-Options Header | release | | Passive |
| 10020-1 | X-Frame-Options Header Not Set | release | Medium | Passive |
| 10020-2 | Multiple X-Frame-Options Header Entries | release | Medium | Passive |
| 10020-3 | X-Frame-Options Defined via META (Non-compliant with Spec) | release | Medium | Passive |
| 10020-4 | X-Frame-Options Setting Malformed | release | Medium | Passive |
| 10021 | X-Content-Type-Options Header Missing | release | | Passive |
| 10023 | Information Disclosure - Debug Error Messages | release | | Passive |
| 10024 | Information Disclosure - Sensitive Information in URL | release | | Passive |
| 10025 | Information Disclosure - Sensitive Information in HTTP Referrer Header | release | | Passive |
| 10026 | HTTP Parameter Override | beta | | Passive |
| 10027 | Information Disclosure - Suspicious Comments | release | | Passive |
| 10028 | Open Redirect | beta | | Passive |
| 10029 | Cookie Poisoning | beta | | Passive |
| 10030 | User Controllable Charset | beta | | Passive |
| 10031 | User Controllable HTML Element Attribute (Potential XSS) | beta | | Passive |
| 10032 | Viewstate | release | | Passive |
| 10032-1 | Potential IP Addresses Found in the Viewstate | release | Medium | Passive |
| 10032-2 | Emails Found in the Viewstate | release | Medium | Passive |
| 10032-3 | Old Asp.Net Version in Use | release | Low | Passive |
| 10032-4 | Viewstate without MAC Signature (Unsure) | release | High | Passive |
| 10032-5 | Viewstate without MAC Signature (Sure) | release | High | Passive |
| 10032-6 | Split Viewstate in Use | release | Informational | Passive |
| 10033 | Directory Browsing | beta | | Passive |
| 10034 | Heartbleed OpenSSL Vulnerability (Indicative) | beta | | Passive |
| 10035 | Strict-Transport-Security Header | beta | | Passive |
| 10036 | HTTP Server Response Header | beta | | Passive |
| 10037 | Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s) | release | | Passive |
| 10038 | Content Security Policy (CSP) Header Not Set | beta | | Passive |
| 10039 | X-Backend-Server Header Information Leak | beta | | Passive |
| 10040 | Secure Pages Include Mixed Content | release | | Passive |
| 10041 | HTTP to HTTPS Insecure Transition in Form Post | beta | | Passive |
| 10042 | HTTPS to HTTP Insecure Transition in Form Post | beta | | Passive |
| 10043 | User Controllable JavaScript Event (XSS) | beta | | Passive |
| 10044 | Big Redirect Detected (Potential Sensitive Information Leak) | beta | | Passive |
| 10045 | Source Code Disclosure - /WEB-INF folder | release | High | Active |
| 10046 | Insecure Component | deprecated | | Passive |
| 10047 | HTTPS Content Available via HTTP | beta | Low | Active |
| 10048 | Remote Code Execution - Shell Shock | beta | High | Active |
| 10049 | Content Cacheability | alpha | | Passive |
| 10050 | Retrieved from Cache | beta | | Passive |
| 10051 | Relative Path Confusion | beta | Medium | Active |
| 10052 | X-ChromeLogger-Data (XCOLD) Header Information Leak | beta | | Passive |
| 10053 | Apache Range Header DoS (CVE-2011-3192) | deprecated | Medium | Active |
| 10054 | Cookie without SameSite Attribute | release | | Passive |
| 10055 | CSP | release | | Passive |
| 10056 | X-Debug-Token Information Leak | release | | Passive |
| 10057 | Username Hash Found | release | | Passive |
| 10058 | GET for POST | beta | Informational | Active |
| 10061 | X-AspNet-Version Response Header | release | | Passive |
| 10062 | PII Disclosure | beta | | Passive |
| 10063 | Permissions Policy Header Not Set | alpha | | Passive |
| 10070 | Use of SAML | alpha | | Passive |
| 10094 | Base64 Disclosure | alpha | | Passive |
| 10095 | Backup File Disclosure | beta | Medium | Active |
| 10096 | Timestamp Disclosure | release | | Passive |
| 10097 | Hash Disclosure | beta | | Passive |
| 10098 | Cross-Domain Misconfiguration | release | | Passive |
| 10099 | Source Code Disclosure | alpha | | Passive |
| 10103 | Image Location and Privacy Scanner | beta | | Passive |
| 10104 | User Agent Fuzzer | beta | Informational | Active |
| 10105 | Weak Authentication Method | release | | Passive |
| 10106 | HTTP Only Site | beta | Medium | Active |
| 10107 | Httpoxy - Proxy Header Misuse | beta | High | Active |
| 10108 | Reverse Tabnabbing | beta | | Passive |
| 10109 | Modern Web Application | beta | | Passive |
| 10110 | Dangerous JS Functions | alpha | | Passive |
| 10202 | Absence of Anti-CSRF Tokens | release | | Passive |
| 20012 | Anti-CSRF Tokens Check | beta | High | Active |
| 20014 | HTTP Parameter Pollution | beta | Informational | Active |
| 20015 | Heartbleed OpenSSL Vulnerability | beta | High | Active |
| 20016 | Cross-Domain Misconfiguration | beta | High | Active |
| 20017 | Source Code Disclosure - CVE-2012-1823 | beta | High | Active |
| 20018 | Remote Code Execution - CVE-2012-1823 | beta | High | Active |
| 20019 | External Redirect | release | High | Active |
| 30001 | Buffer Overflow | release | Medium | Active |
| 30002 | Format String Error | release | Medium | Active |
| 30003 | Integer Overflow Error | beta | Medium | Active |
| 40003 | CRLF Injection | release | Medium | Active |
| 40008 | Parameter Tampering | release | Medium | Active |
| 40009 | Server Side Include | release | High | Active |
| 40012 | Cross Site Scripting (Reflected) | release | High | Active |
| 40013 | Session Fixation | beta | High | Active |
| 40014 | Cross Site Scripting (Persistent) | release | High | Active |
| 40015 | LDAP Injection | alpha | High | Active |
| 40016 | Cross Site Scripting (Persistent) - Prime | release | Informational | Active |
| 40017 | Cross Site Scripting (Persistent) - Spider | release | Informational | Active |
| 40018 | SQL Injection | release | High | Active |
| 40019 | SQL Injection - MySQL | beta | High | Active |
| 40020 | SQL Injection - Hypersonic SQL | beta | High | Active |
| 40021 | SQL Injection - Oracle | beta | High | Active |
| 40022 | SQL Injection - PostgreSQL | beta | High | Active |
| 40023 | Possible Username Enumeration | beta | Informational | Active |
| 40024 | SQL Injection - SQLite | beta | High | Active |
| 40025 | Proxy Disclosure | beta | Medium | Active |
| 40026 | Cross Site Scripting (DOM Based) | beta | High | Active |
| 40027 | SQL Injection - MsSQL | beta | High | Active |
| 40028 | ELMAH Information Leak | release | Medium | Active |
| 40029 | Trace.axd Information Leak | beta | Medium | Active |
| 40032 | .htaccess Information Leak | release | Medium | Active |
| 40033 | NoSQL Injection - MongoDB | alpha | High | Active |
| 40034 | .env Information Leak | beta | Medium | Active |
| 40035 | Hidden File Finder | beta | Medium | Active |
| 40036 | JWT Scan Rule | alpha | Medium | Active |
| 40038 | Bypassing 403 | alpha | Medium | Active |
| 40039 | Web Cache Deception | alpha | Medium | Active |
| 40040 | CORS Header | alpha | | Active |
| 40040-1 | CORS Header | alpha | Informational | Active |
| 40040-2 | CORS Misconfiguration | alpha | Medium | Active |
| 40040-3 | CORS Misconfiguration | alpha | High | Active |
| 40041 | File Upload | alpha | Medium | Active |
| 90001 | Insecure JSF ViewState | release | | Passive |
| 90002 | Java Serialization Object | alpha | | Passive |
| 90003 | Sub Resource Integrity Attribute Missing | alpha | | Passive |
| 90004 | Insufficient Site Isolation Against Spectre Vulnerability | alpha | | Passive |
| 90004-1 | Insufficient Site Isolation Against Spectre Vulnerability | alpha | Low | Passive |
| 90004-2 | Insufficient Site Isolation Against Spectre Vulnerability | alpha | Low | Passive |
| 90004-3 | Insufficient Site Isolation Against Spectre Vulnerability | alpha | Low | Passive |
| 90011 | Charset Mismatch | release | | Passive |
| 90017 | XSLT Injection | beta | Medium | Active |
| 90018 | Advanced SQL Injection | beta | High | Active |
| 90019 | Server Side Code Injection | release | High | Active |
| 90020 | Remote OS Command Injection | release | High | Active |
| 90021 | XPath Injection | beta | High | Active |
| 90022 | Application Error Disclosure | release | Medium | Passive |
| 90023 | XML External Entity Attack | beta | High | Active |
| 90024 | Generic Padding Oracle | beta | High | Active |
| 90025 | Expression Language Injection | beta | High | Active |
| 90026 | SOAP Action Spoofing | alpha | High | Active |
| 90027 | Cookie Slack Detector | beta | Informational | Active |
| 90028 | Insecure HTTP Method | beta | Medium | Active |
| 90029 | SOAP XML Injection | alpha | High | Active |
| 90030 | WSDL File Detection | alpha | | Passive |
| 90033 | Loosely Scoped Cookie | release | | Passive |
| 90034 | Cloud Metadata Potentially Exposed | beta | High | Active |
| 110001 | Application Error Disclosure via WebSockets | release | Medium | WebSocket Passive |
| 110002 | Base64 Disclosure in WebSocket message | release | Informational | WebSocket Passive |
| 110003 | Information Disclosure - Debug Error Messages via WebSocket | release | Low | WebSocket Passive |
| 110004 | Email address found in WebSocket message | release | Informational | WebSocket Passive |
| 110005 | Personally Identifiable Information via WebSocket | release | High | WebSocket Passive |
| 110006 | Private IP Disclosure via WebSocket | release | Low | WebSocket Passive |
| 110007 | Username Hash Found in WebSocket message | release | Informational | WebSocket Passive |
| 110008 | Information Disclosure - Suspicious Comments in XML via WebSocket | release | Informational | WebSocket Passive |