ZAP Session Database

ZAP stores its session data in an HSQLDB file database. There is also experimental support for other database engines.

Connecting to a Session Database

Since ZAP locks its session file, it is only possible to view or modify the database when ZAP doesn’t have the session open. Session files are usually stored under session/ in the default directory.

You may use the following details to connect to a session database. The following example assumes that your session file is called test.session and it is saved under ~/.ZAP_D/session/.

Connection Parameter Value
URL jdbc:hsqldb:file:~/.ZAP_D/session/test.session;ifexists=true
Username sa

There is no password required for the connection. The ifexists=true property in the URL prevents a new database from being created if one doesn’t exist already.

Implementation Details

The database is initialized using an SQL script called zapdb.script.

Core Tables

In the org.parosproxy.paros.db.paros.ParosDatabase class, multiple Table* instances are added as database listeners. The Table* classes create new tables in the database when a new connection is set up.

You can find some example tables in src/main/java/org/parosproxy/paros/db. New core tables must be added to src/main/java/org/zaproxy/zap/db

Add-on Tables

Add-ons may add tables to the session database as well. To do so, they can override org.parosproxy.paros.extension.ExtensionAdaptor#databaseOpen to register database listeners.

For example, the SOAP add-on adds a table called soap_wsdl which is used to store SOAP actions that are used in attacks.


HSQLDB Properties