ZAP Alert Details

ZAP provides the following HTTP passive and active scan rules which find specific vulnerabilities.

Note that these are examples of the alerts raised; many rules report different details depending on the exact problem encountered.

Only the release rules are included in ZAP by default; the beta and alpha rules can be installed via the ZAP Marketplace.

You can also use HTTP passive and active scripts, examples of which are available in the ZAP community scripts repo, as well as WebSocket passive scripts.

| Id | Alert | Status | Risk | Type |
|---|---|---|---|---|
| 0 | Directory Browsing | release | Medium | Active Scan Rule |
| 2 | Private IP Disclosure | release | Low | Passive Scan Rule |
| 3 | Session ID in URL Rewrite | release | Medium | Passive Scan Rule |
| 6 | Path Traversal | release | High | Active Scan Rule |
| 7 | Remote File Inclusion | release | High | Active Scan Rule |
| 41 | Source Code Disclosure - Git | beta | High | Active Scan Rule |
| 42 | Source Code Disclosure - SVN | beta | Medium | Active Scan Rule |
| 43 | Source Code Disclosure - File Inclusion | beta | High | Active Scan Rule |
| 10003 | Vulnerable JS Library | release | Medium | Passive Scan Rule |
| 10009 | In Page Banner Information Leak | alpha | | Passive Scan Rule |
| 10010 | Cookie No HttpOnly Flag | release | Low | Passive Scan Rule |
| 10011 | Cookie Without Secure Flag | release | Low | Passive Scan Rule |
| 10015 | Incomplete or No Cache-control and Pragma HTTP Header Set | release | | Passive Scan Rule |
| 10016 | Web Browser XSS Protection Not Enabled | deprecated | | Passive Scan Rule |
| 10017 | Cross-Domain JavaScript Source File Inclusion | release | | Passive Scan Rule |
| 10019 | Content-Type Header Missing | release | | Passive Scan Rule |
| 10020 | X-Frame-Options Header | release | | Passive Scan Rule |
| 10020-1 | X-Frame-Options Header Not Set | release | Medium | Passive Scan Rule |
| 10020-2 | Multiple X-Frame-Options Header Entries | release | Medium | Passive Scan Rule |
| 10020-3 | X-Frame-Options Defined via META (Non-compliant with Spec) | release | Medium | Passive Scan Rule |
| 10020-4 | X-Frame-Options Setting Malformed | release | Medium | Passive Scan Rule |
| 10021 | X-Content-Type-Options Header Missing | release | | Passive Scan Rule |
| 10023 | Information Disclosure - Debug Error Messages | release | | Passive Scan Rule |
| 10024 | Information Disclosure - Sensitive Information in URL | release | | Passive Scan Rule |
| 10025 | Information Disclosure - Sensitive Information in HTTP Referrer Header | release | | Passive Scan Rule |
| 10026 | HTTP Parameter Override | beta | | Passive Scan Rule |
| 10027 | Information Disclosure - Suspicious Comments | release | | Passive Scan Rule |
| 10028 | Open Redirect | beta | | Passive Scan Rule |
| 10029 | Cookie Poisoning | beta | | Passive Scan Rule |
| 10030 | User Controllable Charset | beta | | Passive Scan Rule |
| 10031 | User Controllable HTML Element Attribute (Potential XSS) | beta | | Passive Scan Rule |
| 10032 | Viewstate | release | | Passive Scan Rule |
| 10032-1 | Potential IP Addresses Found in the Viewstate | release | Medium | Passive Scan Rule |
| 10032-2 | Emails Found in the Viewstate | release | Medium | Passive Scan Rule |
| 10032-3 | Old Asp.Net Version in Use | release | Low | Passive Scan Rule |
| 10032-4 | Viewstate without MAC Signature (Unsure) | release | High | Passive Scan Rule |
| 10032-5 | Viewstate without MAC Signature (Sure) | release | High | Passive Scan Rule |
| 10032-6 | Split Viewstate in Use | release | Informational | Passive Scan Rule |
| 10033 | Directory Browsing | beta | | Passive Scan Rule |
| 10034 | Heartbleed OpenSSL Vulnerability (Indicative) | beta | | Passive Scan Rule |
| 10035 | Strict-Transport-Security Header | beta | | Passive Scan Rule |
| 10036 | HTTP Server Response Header | beta | | Passive Scan Rule |
| 10037 | Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s) | release | | Passive Scan Rule |
| 10038 | Content Security Policy (CSP) Header Not Set | beta | | Passive Scan Rule |
| 10039 | X-Backend-Server Header Information Leak | beta | | Passive Scan Rule |
| 10040 | Secure Pages Include Mixed Content | release | | Passive Scan Rule |
| 10041 | HTTP to HTTPS Insecure Transition in Form Post | beta | | Passive Scan Rule |
| 10042 | HTTPS to HTTP Insecure Transition in Form Post | beta | | Passive Scan Rule |
| 10043 | User Controllable JavaScript Event (XSS) | beta | | Passive Scan Rule |
| 10044 | Big Redirect Detected (Potential Sensitive Information Leak) | beta | | Passive Scan Rule |
| 10045 | Source Code Disclosure - /WEB-INF folder | release | High | Active Scan Rule |
| 10046 | Insecure Component | deprecated | | Passive Scan Rule |
| 10047 | HTTPS Content Available via HTTP | beta | Low | Active Scan Rule |
| 10048 | Remote Code Execution - Shell Shock | beta | High | Active Scan Rule |
| 10049 | Content Cacheability | alpha | | Passive Scan Rule |
| 10050 | Retrieved from Cache | beta | | Passive Scan Rule |
| 10051 | Relative Path Confusion | beta | Medium | Active Scan Rule |
| 10052 | X-ChromeLogger-Data (XCOLD) Header Information Leak | beta | | Passive Scan Rule |
| 10053 | Apache Range Header DoS (CVE-2011-3192) | beta | Medium | Active Scan Rule |
| 10054 | Cookie Without SameSite Attribute | release | | Passive Scan Rule |
| 10055 | CSP | release | | Passive Scan Rule |
| 10056 | X-Debug-Token Information Leak | release | | Passive Scan Rule |
| 10057 | Username Hash Found | release | | Passive Scan Rule |
| 10058 | GET for POST | beta | Informational | Active Scan Rule |
| 10061 | X-AspNet-Version Response Header | release | | Passive Scan Rule |
| 10062 | PII Disclosure | beta | | Passive Scan Rule |
| 10063 | Feature Policy Header Not Set | alpha | | Passive Scan Rule |
| 10070 | Use of SAML | alpha | | Passive Scan Rule |
| 10094 | Base64 Disclosure | alpha | | Passive Scan Rule |
| 10095 | Backup File Disclosure | beta | Medium | Active Scan Rule |
| 10096 | Timestamp Disclosure | release | | Passive Scan Rule |
| 10097 | Hash Disclosure | beta | | Passive Scan Rule |
| 10098 | Cross-Domain Misconfiguration | release | | Passive Scan Rule |
| 10099 | Source Code Disclosure | alpha | | Passive Scan Rule |
| 10103 | Image Location and Privacy Scanner | beta | | Passive Scan Rule |
| 10104 | User Agent Fuzzer | beta | Informational | Active Scan Rule |
| 10105 | Weak Authentication Method | release | | Passive Scan Rule |
| 10106 | HTTP Only Site | beta | Medium | Active Scan Rule |
| 10107 | Httpoxy - Proxy Header Misuse | beta | High | Active Scan Rule |
| 10108 | Reverse Tabnabbing | beta | | Passive Scan Rule |
| 10109 | Modern Web Application | beta | | Passive Scan Rule |
| 10110 | Dangerous JS Functions | alpha | | Passive Scan Rule |
| 10202 | Absence of Anti-CSRF Tokens | release | | Passive Scan Rule |
| 20012 | Anti-CSRF Tokens Check | beta | High | Active Scan Rule |
| 20014 | HTTP Parameter Pollution | beta | Informational | Active Scan Rule |
| 20015 | Heartbleed OpenSSL Vulnerability | beta | High | Active Scan Rule |
| 20016 | Cross-Domain Misconfiguration | beta | High | Active Scan Rule |
| 20017 | Source Code Disclosure - CVE-2012-1823 | beta | High | Active Scan Rule |
| 20018 | Remote Code Execution - CVE-2012-1823 | beta | High | Active Scan Rule |
| 20019 | External Redirect | release | High | Active Scan Rule |
| 30001 | Buffer Overflow | release | Medium | Active Scan Rule |
| 30002 | Format String Error | release | Medium | Active Scan Rule |
| 30003 | Integer Overflow Error | beta | Medium | Active Scan Rule |
| 40003 | CRLF Injection | release | Medium | Active Scan Rule |
| 40008 | Parameter Tampering | release | Medium | Active Scan Rule |
| 40009 | Server Side Include | release | High | Active Scan Rule |
| 40012 | Cross Site Scripting (Reflected) | release | High | Active Scan Rule |
| 40013 | Session Fixation | beta | High | Active Scan Rule |
| 40014 | Cross Site Scripting (Persistent) | release | High | Active Scan Rule |
| 40015 | LDAP Injection | alpha | High | Active Scan Rule |
| 40016 | Cross Site Scripting (Persistent) - Prime | release | Informational | Active Scan Rule |
| 40017 | Cross Site Scripting (Persistent) - Spider | release | Informational | Active Scan Rule |
| 40018 | SQL Injection | release | High | Active Scan Rule |
| 40019 | SQL Injection - MySQL | beta | High | Active Scan Rule |
| 40020 | SQL Injection - Hypersonic SQL | beta | High | Active Scan Rule |
| 40021 | SQL Injection - Oracle | beta | High | Active Scan Rule |
| 40022 | SQL Injection - PostgreSQL | beta | High | Active Scan Rule |
| 40023 | Possible Username Enumeration | beta | Informational | Active Scan Rule |
| 40024 | SQL Injection - SQLite | beta | High | Active Scan Rule |
| 40025 | Proxy Disclosure | beta | Medium | Active Scan Rule |
| 40026 | Cross Site Scripting (DOM Based) | beta | High | Active Scan Rule |
| 40027 | SQL Injection - MsSQL | beta | High | Active Scan Rule |
| 40028 | ELMAH Information Leak | release | Medium | Active Scan Rule |
| 40029 | Trace.axd Information Leak | beta | Medium | Active Scan Rule |
| 40032 | .htaccess Information Leak | release | Medium | Active Scan Rule |
| 40033 | NoSQL Injection - MongoDB | alpha | High | Active Scan Rule |
| 40034 | .env Information Leak | beta | Medium | Active Scan Rule |
| 40035 | Hidden File Finder | beta | Medium | Active Scan Rule |
| 40036 | JWT Scan Rule | alpha | Medium | Active Scan Rule |
| 90001 | Insecure JSF ViewState | release | | Passive Scan Rule |
| 90002 | Java Serialization Object | alpha | | Passive Scan Rule |
| 90003 | Sub Resource Integrity Attribute Missing | alpha | | Passive Scan Rule |
| 90004 | Insufficient Site Isolation Against Spectre Vulnerability | alpha | | Passive Scan Rule |
| 90004-1 | Insufficient Site Isolation Against Spectre Vulnerability | alpha | Low | Passive Scan Rule |
| 90004-2 | Insufficient Site Isolation Against Spectre Vulnerability | alpha | Low | Passive Scan Rule |
| 90004-3 | Insufficient Site Isolation Against Spectre Vulnerability | alpha | Low | Passive Scan Rule |
| 90011 | Charset Mismatch | release | | Passive Scan Rule |
| 90017 | XSLT Injection | beta | Medium | Active Scan Rule |
| 90018 | Advanced SQL Injection | beta | High | Active Scan Rule |
| 90019 | Server Side Code Injection | release | High | Active Scan Rule |
| 90020 | Remote OS Command Injection | release | High | Active Scan Rule |
| 90021 | XPath Injection | beta | High | Active Scan Rule |
| 90022 | Application Error Disclosure | release | Medium | Passive Scan Rule |
| 90023 | XML External Entity Attack | beta | High | Active Scan Rule |
| 90024 | Generic Padding Oracle | beta | High | Active Scan Rule |
| 90025 | Expression Language Injection | beta | High | Active Scan Rule |
| 90027 | Cookie Slack Detector | beta | Informational | Active Scan Rule |
| 90028 | Insecure HTTP Method | beta | Medium | Active Scan Rule |
| 90033 | Loosely Scoped Cookie | release | | Passive Scan Rule |
| 90034 | Cloud Metadata Potentially Exposed | beta | High | Active Scan Rule |