
ZAPping the OWASP Top 10

This document gives an overview of the automatic and manual components provided by OWASP Zed Attack Proxy (ZAP) that are recommended for testing each of the OWASP Top Ten Project 2017 risks. Note that the OWASP Top Ten Project risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way.

ZAP - API Scan

The ZAP API scan is a script that is available in the ZAP Docker images. It is tuned for performing scans against APIs defined by OpenAPI or GraphQL (post 2.9.0), via either a local file or a URL. It imports the definition that you specify and then runs an Active Scan against the URLs found.

ZAP - Baseline Scan

The ZAP Baseline scan is a script that is available in the ZAP Docker images. It runs the ZAP spider against the specified target for (by default) 1 minute and then waits for the passive scanning to complete before reporting the results. This means that the script doesn't perform any actual ‘attacks’ and will run for a relatively short period of time (a few minutes at most).

ZAP - Full Scan

The ZAP full scan is a script that is available in the ZAP Docker images. It runs the ZAP spider against the specified target (by default with no time limit) followed by an optional ajax spider scan and then a full active scan before reporting the results. This means that the script does perform actual ‘attacks’ and can potentially run for a long period of time.

ZAP - Scan Hooks

Scan Hooks
To make it easy to make little tweaks here and there, a hook system is in place to help you. It enables you to override or modify the behaviour of the script components instead of having to write a new script.
Use Cases
Modifying Args: For the AJAX crawler you may want to target a sub-URL with a specific hash (http://example.

ZAP - Webswing Usage

Starting with version 2.5.0 you can run the ZAP Desktop UI in your browser without having to install Java, thanks to the magic of Docker and Webswing. To do this you will just need Docker installed. Start the container with Webswing support: Stable: docker run -u zap -p 8080:8080 -p 8090:8090 -i owasp/zap2docker-stable zap-webswing.

ZAP Docker User Guide

Introduction
Docker image with OWASP Zed Attack Proxy preinstalled.
Details
Install Instructions:
For the stable release: docker pull owasp/zap2docker-stable
For the latest weekly release: docker pull owasp/zap2docker-weekly
For the live release (built whenever the zaproxy project is changed): docker pull owasp/zap2docker-live
For the bare release (a very small Docker image, contains only the necessary required dependencies to run ZAP, ideal for CI environments):