The OWASP ZAP Desktop User Guide
ZAP can accommodate the definition of various non-standard error handling conditions.
Each Context may include multiple Custom Page definitions, with the following elements:
- Enabled > Whether the definition is enabled or not.
- Content > The String or Regex which defines the URL or response content to be matched.
- Content Location > Whether the “Content” should be matched against a URL or response “Content”.
- Is Regex? > Whether “Content” is a regular expression.
- Custom Page Type > Specifying what type of Custom Page is being defined:
  - Error Page > For ‘500 - Internal Server Error’ type pages.
  - Not Found > For ‘404 - Not Found’ responses.
  - Ok > For ‘200 - Ok’ definitions.
  - Other > To facilitate use of Custom Pages in scripts or other usages that have not yet been foreseen.
  - Auth. Issue > For Authentication/Authorization related responses. For example: ‘401 - Unauthorized’ or ‘403 - Forbidden’ type conditions.
The following example shows how to configure a Custom Page for a web application that answers requests for pages which do not exist with a ‘200 - Ok’ response containing the message “Sorry, we can’t seem to find what you were looking for”:
- Set up a context for the web application
- Make sure your browser proxies everything through ZAP and browse to a page or endpoint which doesn’t exist
- Go to ZAP and identify the request
- Set up the Custom Page definition:
  - Highlight “Sorry, we can’t seem to find what you were looking for” in the response pane, right click and select ‘Flag as Context… Custom Page Indicator’
  - A dialog will be opened already containing the highlighted response string.
  - Accept the addition of the Custom Page definition.
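To make the effect of the definition elements above concrete, the added example below models how a Custom Page definition (Enabled, Content, Content Location, Is Regex?, Custom Page Type) overrides the classification a response would otherwise get from its status code. It is illustrative code written for this guide, not ZAP’s own implementation or API; the sample response is constructed, and giving the “Sorry, we can’t …” definition the Not Found type is an assumption the steps imply but do not state.

```python
import re
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class PageType(Enum):
    ERROR = "Error Page"        # '500 - Internal Server Error' type pages
    NOT_FOUND = "Not Found"     # '404 - Not Found' responses
    OK = "Ok"                   # '200 - Ok' definitions
    OTHER = "Other"             # for scripts or usages not yet foreseen
    AUTH_ISSUE = "Auth. Issue"  # '401 - Unauthorized' / '403 - Forbidden'


@dataclass
class CustomPage:
    enabled: bool
    content: str      # the String or Regex to match
    match_url: bool   # Content Location: True = URL, False = response content
    is_regex: bool    # Is Regex?
    page_type: PageType

    def matches(self, url: str, body: str) -> bool:
        if not self.enabled:
            return False
        target = url if self.match_url else body
        if self.is_regex:
            return re.search(self.content, target) is not None
        return self.content in target


# Fallback classification by HTTP status when no Custom Page matches.
STATUS_TYPES = {200: PageType.OK, 401: PageType.AUTH_ISSUE, 403: PageType.AUTH_ISSUE,
                404: PageType.NOT_FOUND, 500: PageType.ERROR}


def classify(pages: List[CustomPage], url: str, status: int, body: str) -> Optional[PageType]:
    """Matching Custom Page definitions take precedence over the status code."""
    for page in pages:
        if page.matches(url, body):
            return page.page_type
    return STATUS_TYPES.get(status)


# Constructed sample: the app from the guide returns 200 - Ok for a missing page,
# so the body text is flagged as a Not Found indicator (assumed type).
PAGES = [CustomPage(True, "Sorry, we can't seem to find what you were looking for",
                    match_url=False, is_regex=False, page_type=PageType.NOT_FOUND)]

if __name__ == "__main__":
    body = "<p>Sorry, we can't seem to find what you were looking for</p>"
    print(classify(PAGES, "https://app.example/missing", 200, body))  # PageType.NOT_FOUND
```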