ZAP Alert Details

ZAP provides the following HTTP passive and active scan rules which find specific vulnerabilities.

Note that these are examples of the alerts raised - many rules include different details depending on the exact problem encountered.

Only the release rules are included in ZAP by default, the beta and alpha rules can be installed via the ZAP Marketplace.

You can also use HTTP passive and active scripts, examples of which are available in the ZAP community scripts repo, as well as Websocket passive scripts.

Many alerts support tags which allow you to see which alerts are related to, for example, specific OWASP Top Ten categories or OWASP Web Service Testing Guide chapters.

Some alerts are only relevant for specific technologies - if you know your target app does not use some of these technologies then you can configure ZAP to skip those tests.

The CWE and WASC columns are only shown on wider screens - if you are using a mobile phone then try turning your screen sideways if you want to see them.

ID Alert Status Risk Type CWE WASC
0 Directory Browsing release Medium Active 548 48
2 Private IP Disclosure release Low Passive 200 13
3 Session ID in URL Rewrite release Passive
3-1 Session ID in URL Rewrite release Medium Passive 200 13
3-2 Session ID in URL Rewrite release Medium Passive 200 13
3-3 Referer Exposes Session ID release Medium Passive 200 13
6 Path Traversal release Active
6-1 Path Traversal release High Active 22 33
6-2 Path Traversal release High Active 22 33
6-3 Path Traversal release High Active 22 33
6-4 Path Traversal release High Active 22 33
6-5 Path Traversal release High Active 22 33
7 Remote File Inclusion release High Active 98 5
41 Source Code Disclosure - Git beta High Active 541 34
42 Source Code Disclosure - SVN beta Medium Active 541 34
43 Source Code Disclosure - File Inclusion beta High Active 541 33
10003 Vulnerable JS Library release Medium Passive 829
10009 In Page Banner Information Leak beta Low Passive 200 13
10010 Cookie No HttpOnly Flag release Low Passive 1004 13
10011 Cookie Without Secure Flag release Low Passive 614 13
10015 Re-examine Cache-control Directives release Informational Passive 525 13
10016 Web Browser XSS Protection Not Enabled deprecated Passive
10017 Cross-Domain JavaScript Source File Inclusion release Low Passive 829 15
10019 Content-Type Header Missing release Passive
10019-1 Content-Type Header Missing release Informational Passive 345 12
10019-2 Content-Type Header Empty release Informational Passive 345 12
10020 Anti-clickjacking Header release Passive
10020-1 Missing Anti-clickjacking Header release Medium Passive 1021 15
10020-2 Multiple X-Frame-Options Header Entries release Medium Passive 1021 15
10020-3 X-Frame-Options Defined via META (Non-compliant with Spec) release Medium Passive 1021 15
10020-4 X-Frame-Options Setting Malformed release Medium Passive 1021 15
10021 X-Content-Type-Options Header Missing release Low Passive 693 15
10023 Information Disclosure - Debug Error Messages release Low Passive 200 13
10024 Information Disclosure - Sensitive Information in URL release Informational Passive 200 13
10025 Information Disclosure - Sensitive Information in HTTP Referrer Header release Informational Passive 200 13
10026 HTTP Parameter Override beta Medium Passive 20 20
10027 Information Disclosure - Suspicious Comments release Informational Passive 200 13
10028 Open Redirect release High Passive 601 38
10029 Cookie Poisoning release Informational Passive 565 20
10030 User Controllable Charset release Informational Passive 20 20
10031 User Controllable HTML Element Attribute (Potential XSS) release Informational Passive 20 20
10032 Viewstate release Passive
10032-1 Potential IP Addresses Found in the Viewstate release Medium Passive 642 14
10032-2 Emails Found in the Viewstate release Medium Passive 642 14
10032-3 Old Asp.Net Version in Use release Low Passive 642 14
10032-4 Viewstate without MAC Signature (Unsure) release High Passive 642 14
10032-5 Viewstate without MAC Signature (Sure) release High Passive 642 14
10032-6 Split Viewstate in Use release Informational Passive 642 14
10033 Directory Browsing release Medium Passive 548 16
10034 Heartbleed OpenSSL Vulnerability (Indicative) release High Passive 119 20
10035 Strict-Transport-Security Header release Passive
10035-1 Strict-Transport-Security Header Not Set release Low Passive 319 15
10035-2 Strict-Transport-Security Disabled release Low Passive 319 15
10035-3 Strict-Transport-Security Multiple Header Entries (Non-compliant with Spec) release Low Passive 319 15
10035-4 Strict-Transport-Security Header on Plain HTTP Response release Informational Passive 319 15
10035-5 Strict-Transport-Security Missing Max-Age (Non-compliant with Spec) release Low Passive 319 15
10035-6 Strict-Transport-Security Defined via META (Non-compliant with Spec) release Low Passive 319 15
10035-7 Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) release Low Passive 319 15
10035-8 Strict-Transport-Security Malformed Content (Non-compliant with Spec) release Low Passive 319 15
10036 HTTP Server Response Header release Passive
10036-1 Server Leaks its Webserver Application via "Server" HTTP Response Header Field release Informational Passive 200 13
10036-2 Server Leaks Version Information via "Server" HTTP Response Header Field release Low Passive 200 13
10037 Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) release Low Passive 200 13
10038 Content Security Policy (CSP) Header Not Set release Passive
10038-1 Content Security Policy (CSP) Header Not Set release Medium Passive 693 15
10038-2 Obsolete Content Security Policy (CSP) Header Found release Informational Passive 693 15
10038-3 Content Security Policy (CSP) Report-Only Header Found release Informational Passive 693 15
10039 X-Backend-Server Header Information Leak release Low Passive 200 13
10040 Secure Pages Include Mixed Content release Low Passive 311 4
10041 HTTP to HTTPS Insecure Transition in Form Post release Medium Passive 319 15
10042 HTTPS to HTTP Insecure Transition in Form Post release Medium Passive 319 15
10043 User Controllable JavaScript Event (XSS) release Informational Passive 20 20
10044 Big Redirect Detected (Potential Sensitive Information Leak) release Passive
10044-1 Big Redirect Detected (Potential Sensitive Information Leak) release Low Passive 201 13
10044-2 Multiple HREFs Redirect Detected (Potential Sensitive Information Leak) release Low Passive 201 13
10045 Source Code Disclosure - /WEB-INF Folder release Active
10045-1 Source Code Disclosure - /WEB-INF Folder release High Active 541 34
10045-2 Properties File Disclosure - /WEB-INF folder release High Active 541 34
10046 Insecure Component deprecated Passive
10047 HTTPS Content Available via HTTP beta Low Active 311 4
10048 Remote Code Execution - Shell Shock beta Active
10048-1 Remote Code Execution - Shell Shock beta High Active 78 31
10048-2 Remote Code Execution - Shell Shock beta High Active 78 31
10049 Content Cacheability beta Passive
10049-1 Non-Storable Content beta Informational Passive 524 13
10049-2 Storable but Non-Cacheable Content beta Informational Passive 524 13
10049-3 Storable and Cacheable Content beta Informational Passive 524 13
10050 Retrieved from Cache release Passive
10050-1 Retrieved from Cache release Informational Passive
10050-2 Retrieved from Cache release Informational Passive
10051 Relative Path Confusion beta Medium Active 20 20
10052 X-ChromeLogger-Data (XCOLD) Header Information Leak release Medium Passive 200 13
10053 Apache Range Header DoS (CVE-2011-3192) deprecated Medium Active 400 10
10054 Cookie without SameSite Attribute release Passive
10054-1 Cookie without SameSite Attribute release Low Passive 1275 13
10054-2 Cookie with SameSite Attribute None release Low Passive 1275 13
10054-3 Cookie with Invalid SameSite Attribute release Low Passive 1275 13
10055 CSP release Passive
10055-1 CSP: X-Content-Security-Policy release Low Passive 693 15
10055-2 CSP: X-WebKit-CSP release Low Passive 693 15
10055-3 CSP: Notices release Low Passive 693 15
10055-4 CSP: Wildcard Directive release Medium Passive 693 15
10055-5 CSP: script-src unsafe-inline release Medium Passive 693 15
10055-6 CSP: style-src unsafe-inline release Medium Passive 693 15
10055-7 CSP: script-src unsafe-hashes release Medium Passive 693 15
10055-8 CSP: style-src unsafe-hashes release Medium Passive 693 15
10055-9 CSP: Malformed Policy (Non-ASCII) release Medium Passive 693 15
10055-10 CSP: script-src unsafe-eval release Medium Passive 693 15
10055-11 CSP: Meta Policy Invalid Directive release Medium Passive 693 15
10055-12 CSP: Header & Meta release Informational Passive 693 15
10056 X-Debug-Token Information Leak release Low Passive 200 13
10057 Username Hash Found release Informational Passive 284 2
10058 GET for POST release Informational Active 16 20
10061 X-AspNet-Version Response Header release Low Passive 933 14
10062 PII Disclosure release High Passive 359 13
10063 Permissions Policy Header Not Set beta Passive
10063-1 Permissions Policy Header Not Set beta Low Passive 693 15
10063-2 Deprecated Feature Policy Header Set beta Low Passive 16 15
10070 Use of SAML alpha Passive
10094 Base64 Disclosure alpha Passive
10094-1 ASP.NET ViewState Disclosure alpha Informational Passive 200 13
10094-2 ASP.NET ViewState Integrity alpha High Passive 642 13
10094-3 Base64 Disclosure alpha Informational Passive 200 13
10095 Backup File Disclosure beta Medium Active 530 34
10096 Timestamp Disclosure - Unix release Low Passive 200 13
10097 Hash Disclosure - MD4 / MD5 release Low Passive 200 13
10098 Cross-Domain Misconfiguration release Medium Passive 264 14
10099 Source Code Disclosure - PHP beta Medium Passive 540 13
10101 Access Control Issue - Improper Authentication alpha High Tool 287 1
10102 Access Control Issue - Improper Authorization alpha High Tool 205 2
10103 Image Exposes Location or Privacy Data beta Informational Passive 200 13
10104 User Agent Fuzzer release Informational Active
10105 Weak Authentication Method release Passive
10105-1 Authentication Credentials Captured release Medium Passive 287 1
10105-2 Weak Authentication Method release Medium Passive 326 4
10106 HTTP Only Site beta Medium Active 311 4
10107 Httpoxy - Proxy Header Misuse beta High Active 20 20
10108 Reverse Tabnabbing release Medium Passive
10109 Modern Web Application release Informational Passive
10110 Dangerous JS Functions beta Low Passive 749
10111 Authentication Request Identified beta Informational Passive
10112 Session Management Response Identified beta Informational Passive
10113 Verification Request Identified beta Informational Passive
10202 Absence of Anti-CSRF Tokens release Medium Passive 352 9
20012 Anti-CSRF Tokens Check beta Medium Active 352 9
20014 HTTP Parameter Pollution beta Informational Active 20 20
20015 Heartbleed OpenSSL Vulnerability release High Active 119 20
20016 Cross-Domain Misconfiguration beta Active
20016-1 Cross-Domain Misconfiguration - Adobe - Read beta High Active 264 14
20016-2 Cross-Domain Misconfiguration - Adobe - Send beta High Active 264 14
20016-3 Cross-Domain Misconfiguration - Silverlight beta High Active 264 14
20017 Source Code Disclosure - CVE-2012-1823 release High Active 20 20
20018 Remote Code Execution - CVE-2012-1823 release High Active 20 20
20019 External Redirect release Active
20019-1 External Redirect release High Active 601 38
20019-2 External Redirect release High Active 601 38
20019-3 External Redirect release High Active 601 38
20019-4 External Redirect release High Active 601 38
30001 Buffer Overflow release Medium Active 120 7
30002 Format String Error release Medium Active 134 6
30003 Integer Overflow Error beta Medium Active 190 3
40003 CRLF Injection release Medium Active 113 25
40008 Parameter Tampering release Medium Active 472 20
40009 Server Side Include release High Active 97 31
40012 Cross Site Scripting (Reflected) release High Active 79 8
40013 Session Fixation beta High Active 384 37
40014 Cross Site Scripting (Persistent) release High Active 79 8
40015 LDAP Injection alpha High Active 90 29
40016 Cross Site Scripting (Persistent) - Prime release Informational Active 79 8
40017 Cross Site Scripting (Persistent) - Spider release Informational Active 79 8
40018 SQL Injection release High Active 89 19
40019 SQL Injection - MySQL release High Active 89 19
40020 SQL Injection - Hypersonic SQL release High Active 89 19
40021 SQL Injection - Oracle release High Active 89 19
40022 SQL Injection - PostgreSQL release High Active 89 19
40023 Possible Username Enumeration beta Informational Active 200 13
40024 SQL Injection - SQLite release High Active 89 19
40025 Proxy Disclosure beta Medium Active 200 45
40026 Cross Site Scripting (DOM Based) release High Active 79 8
40027 SQL Injection - MsSQL release High Active 89 19
40028 ELMAH Information Leak release Medium Active 94 14
40029 Trace.axd Information Leak release Medium Active 215 13
40031 Out of Band XSS beta High Active 79 8
40032 .htaccess Information Leak release Medium Active 94 14
40033 NoSQL Injection - MongoDB alpha High Active 943 19
40034 .env Information Leak release Medium Active 215 13
40035 Hidden File Found release Medium Active 538 13
40036 JWT Scan Rule alpha Medium Active
40038 Bypassing 403 beta Medium Active
40039 Web Cache Deception alpha Medium Active
40040 CORS Header beta Active
40040-1 CORS Header beta Informational Active 942 14
40040-2 CORS Misconfiguration beta Medium Active 942 14
40040-3 CORS Misconfiguration beta High Active 942 14
40041 File Upload alpha Medium Active
40042 Spring Actuator Information Leak release Medium Active 215 13
40043 Log4Shell release Active
40043-1 Log4Shell (CVE-2021-44228) release High Active 117 20
40043-2 Log4Shell (CVE-2021-45046) release High Active 117 20
40044 Exponential Entity Expansion (Billion Laughs Attack) beta Medium Active 776 44
40045 Spring4Shell release High Active 78 20
40046 Server Side Request Forgery beta High Active 918 20
40047 Text4shell (CVE-2022-42889) beta High Active 117 20
50007 ExtensionGraphQl alpha Tool
50007-1 GraphQL Endpoint Supports Introspection alpha Informational Tool 16 15
50007-2 GraphQL Server Implementation Identified alpha Informational Tool 205 45
90001 Insecure JSF ViewState release Medium Passive 642 14
90002 Java Serialization Object beta Medium Passive 502
90003 Sub Resource Integrity Attribute Missing beta Medium Passive 345 15
90004 Insufficient Site Isolation Against Spectre Vulnerability beta Passive
90004-1 Insufficient Site Isolation Against Spectre Vulnerability beta Low Passive 693 14
90004-2 Insufficient Site Isolation Against Spectre Vulnerability beta Low Passive 693 14
90004-3 Insufficient Site Isolation Against Spectre Vulnerability beta Low Passive 693 14
90005 Fetch Metadata Request Headers alpha Passive
90005-1 Sec-Fetch-Site Header is Missing alpha Informational Passive 352 9
90005-2 Sec-Fetch-Mode Header is Missing alpha Informational Passive 352 9
90005-3 Sec-Fetch-Dest Header is Missing alpha Informational Passive 352 9
90005-4 Sec-Fetch-User Header is Missing alpha Informational Passive 352 9
90005-5 Sec-Fetch-Site Header Has an Invalid Value alpha Informational Passive 352 9
90005-6 Sec-Fetch-Mode Header Has an Invalid Value alpha Informational Passive 352 9
90005-7 Sec-Fetch-Dest Header Has an Invalid Value alpha Informational Passive 352 9
90005-8 Sec-Fetch-User Header Has an Invalid Value alpha Informational Passive 352 9
90011 Charset Mismatch release Informational Passive 436 15
90017 XSLT Injection release Medium Active 91 23
90018 Advanced SQL Injection beta High Active 89 19
90019 Server Side Code Injection release Active
90019-1 Server Side Code Injection - PHP Code Injection release High Active 94 20
90019-2 Server Side Code Injection - ASP Code Injection release High Active 94 20
90020 Remote OS Command Injection release High Active 78 31
90021 XPath Injection release High Active 643 39
90022 Application Error Disclosure release Medium Passive 200 13
90023 XML External Entity Attack release High Active 611 43
90024 Generic Padding Oracle release High Active 209 20
90025 Expression Language Injection beta High Active 917 20
90026 SOAP Action Spoofing beta High Active
90027 Cookie Slack Detector beta Informational Active 200 45
90028 Insecure HTTP Method beta Medium Active 200 45
90029 SOAP XML Injection beta High Active
90030 WSDL File Detection beta Passive
90033 Loosely Scoped Cookie release Informational Passive 565 15
90034 Cloud Metadata Potentially Exposed release High Active
90035 Server Side Template Injection release High Active 94 20
90036 Server Side Template Injection (Blind) release High Active 74 20
90039 NoSQL Injection - MongoDB (Time Based) alpha High Active 943 19
110001 Application Error Disclosure via WebSockets release Medium WebSocket Passive 209 13
110002 Base64 Disclosure in WebSocket message release Informational WebSocket Passive
110003 Information Disclosure - Debug Error Messages via WebSocket release Low WebSocket Passive 200 13
110004 Email address found in WebSocket message release Informational WebSocket Passive 200 13
110005 Personally Identifiable Information via WebSocket release High WebSocket Passive 359 13
110006 Private IP Disclosure via WebSocket release Low WebSocket Passive
110007 Username Hash Found in WebSocket message release Informational WebSocket Passive 284 2
110008 Information Disclosure - Suspicious Comments in XML via WebSocket release Informational WebSocket Passive 200 13
110009 Full Path Disclosure alpha Low Passive 209 13
120000 Information Disclosure - Information in Browser Storage alpha Client Passive
120000-1 Information Disclosure - Information in Browser localStorage alpha Informational Client Passive 200 13
120000-2 Information Disclosure - Information in Browser sessionStorage alpha Informational Client Passive 200 13
120001 Information Disclosure - Sensitive Information in Browser Storage alpha Client Passive
120001-1 Information Disclosure - Sensitive Information in Browser localStorage alpha Low Client Passive 200 13
120001-2 Information Disclosure - Sensitive Information in Browser sessionStorage alpha Low Client Passive 200 13
120002 Information Disclosure - JWT in Browser Storage alpha Client Passive
120002-1 Information Disclosure - JWT in Browser localStorage alpha Medium Client Passive 200 13
120002-2 Information Disclosure - JWT in Browser sessionStorage alpha Informational Client Passive 200 13