Tag: guide

Verifying Your Changes

Posted 227 Words
Code Formatting
The ZAP code must conform to standard formatting rules - if any changes do not conform then they will fail the build. Fortunately you do not have to worry about these too much - just run the task: ./gradlew spotlessApply.
Linting
While not currently mandatory, we do recommend running SonarLint against any changes you make and fixing anything that it reports.

ZAPping the OWASP Top 10 (2021)

Posted 374 Words
This document gives an overview of the automatic and manual components provided by OWASP Zed Attack Proxy (ZAP) that are recommended for testing each of the OWASP Top Ten Project 2021 risks. For the previous Top Ten see ZAPping the OWASP Top 10 (2017). Note that the OWASP Top Ten Project risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way.

Building ZAP with IntelliJ IDEA

Posted 619 Words
This guide explains how to make changes to ZAP using IntelliJ IDEA.
Preparation
You will need to have followed the Quick Start Guide to Building ZAP and installed a version of IntelliJ IDEA.
Gradle Resources
Working with ZAP in IntelliJ IDEA may need somewhat more Java resources for the Gradle actions.

Creating a New Add-on in zap-extensions

Posted 650 Words
ZAP has a plugin architecture and new functionality is implemented via add-ons. Add-ons can be defined in any repository but most of the ones that the ZAP core team maintains live in zap-extensions. You should use this repository if you are planning on contributing your add-on to the ZAP project, but please talk to the ZAP Core team about this first via the ZAP Developer Group.

Building ZAP with Eclipse

Posted 564 Words
If you want to make changes to ZAP using the Eclipse IDE then you are in the right place.
Preparation
You will need to have followed the Quick Start Guide to Building ZAP and installed a version of Eclipse suitable for Java development. We would suggest the “Eclipse IDE for Java Developers” package.

Automation Framework

Posted 457 Words
The new Automation Framework will in time replace the Command Line and Packaged Scan options. It allows you to control ZAP via one YAML file and provides more flexibility while not being tied to any specific container technology. The Automation Framework is included with the latest version of ZAP as well as the stable docker image.

Development Rules and Guidelines

Posted 945 Words
This may look like a long list of rules but hopefully many of them are just good development practice. If you are just getting started with ZAP development then do not worry too much about them, but if you plan to make bigger contributions then you should check them before making too many changes that you might need to rework.

A Quick Start Guide to Building ZAP

Posted 867 Words
Have you ever wanted to play around with the ZAP codebase but felt it was too overwhelming? This guide will walk you through building ZAP from the command line regardless of the operating system and IDE you’re using. You can also follow along with Simon as he sets up the ZAP development environment in this Deep Dive video:

ZAPping the OWASP Top 10 (2017)

Posted 417 Words
This document gives an overview of the automatic and manual components provided by OWASP Zed Attack Proxy (ZAP) that are recommended for testing each of the OWASP Top Ten Project 2017 risks. For the latest Top Ten see ZAPping the OWASP Top 10 (2021). Note that the OWASP Top Ten Project risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way.

Authentication - Concepts

Posted 452 Words
These are the concepts that you will need to understand in order to configure authentication in ZAP.
Contexts
ZAP contexts are a way of relating a set of URLs together. You can define any contexts you like, but it is expected that a context will correspond to a web application.

Authentication - Make your Life Easier

Posted 340 Words
Authentication is a key way of restricting access to an app. Some authentication mechanisms also make it significantly harder to use tools like ZAP, even for those people who have permission to use them.
Test in a Safe Environment
Testing with valid credentials in a production environment is a really bad idea.

Authentication - Manual

Posted 339 Words
If you are just performing manual testing then authentication is generally easier. With manual testing you should be exploring the target app manually with a browser that is proxying through ZAP. In this case you can just use the valid credentials in the browser and in most cases you will be logged in.

Authentication - Session Handling

Posted 554 Words
If ZAP is handling authentication then it needs to handle sessions as well - logging in is of no use if ZAP does not maintain the session as the target app will just treat ZAP as being unauthenticated. Session management configuration is part of a ZAP context.

Diagnosing Authentication Problems

Posted 277 Words
If you ask a question related to authentication on one of the ZAP forums then you will be directed here. We know that the ZAP authentication documentation needs improving. One of the reasons why it has not been improved is that we are too busy trying to answer authentication questions 😉.

Diagnosing Docker Problems

Posted 763 Words
Docker is a great way to run ZAP in a CI/CD pipeline, but diagnosing problems can be tricky.
ZAP Cannot Connect to the Target
If ZAP cannot connect to your target app then the first thing to do is to see if this is a ‘Docker’ networking issue.

Finding a Verification URL

Posted 249 Words
If you need to set up ZAP to handle authentication then you really need to find a suitable verification URL in your app. The verification URL will be one that you can request from the Manual Request Editor dialog and which will send a response that allows you to work out whether you are logged in or not.

Handling Authentication Yourself (in Automation)

Posted 461 Words
If you can generate an authentication token (e.g. to use in a header or cookie) and you know that your app will not invalidate it while you are using ZAP then one option is to handle authentication yourself. In this case you take on the responsibility for handling the authentication and session handling.

ZAP - API Scan

Posted 1116 Words
The ZAP API scan is a script that is available in the ZAP Docker images. It is tuned for performing scans against APIs defined by OpenAPI, SOAP, or GraphQL via either a local file or a URL. It imports the definition that you specify and then runs an Active Scan against the URLs found.

ZAP - Baseline Scan

Posted 1326 Words
The ZAP Baseline scan is a script that is available in the ZAP Docker images. It runs the ZAP spider against the specified target for (by default) 1 minute and then waits for the passive scanning to complete before reporting the results. This means that the script doesn’t perform any actual ‘attacks’ and will run for a relatively short period of time (a few minutes at most).

ZAP - Full Scan

Posted 504 Words
The ZAP full scan is a script that is available in the ZAP Docker images. It runs the ZAP spider against the specified target (by default with no time limit) followed by an optional ajax spider scan and then a full active scan before reporting the results. This means that the script does perform actual ‘attacks’ and can potentially run for a long period of time.

ZAP - Scan Hooks

Posted 366 Words
Scan Hooks
To make it easy to make little tweaks here and there a hook system is in place to help you. It enables you to override or modify behaviour of the script components instead of having to write a new script.
Use Cases
Modifying Args

ZAP - Webswing Usage

Posted 462 Words
Starting with version 2.5.0 you can run the ZAP Desktop UI in your browser without having to install Java, thanks to the magic of Docker and Webswing. To do this you will just need Docker installed. Start the container with webswing support:
Stable: docker run -u zap -p 8080:8080 -p 8090:8090 -i owasp/zap2docker-stable zap-webswing

ZAP Docker User Guide

Posted 1090 Words
Introduction
Docker image with OWASP Zed Attack Proxy preinstalled.
Details
Install Instructions
For the stable release: docker pull owasp/zap2docker-stable
For the latest weekly release: docker pull owasp/zap2docker-weekly
For the live release (built whenever the zaproxy project is changed): docker pull owasp/zap2docker-live
For the bare release (a very small Docker image, contains only the necessary required dependencies to run ZAP, ideal for CI environments):