Tag: Scripts

Signing Requests using RSA Keys

A new script in the community-scripts repository enables the signing of outgoing requests with RSA keys, addressing the challenge of testing applications that require this functionality.

Hacking ZAP - ZAP Extender Scripts

An overview of ZAP Extender scripts with examples. Use ZAP as a web server, subscribe to internal ZAP events, and more!

Script Languages

ZAP supports the following scripting languages:

Language / Link | Included   | Notes
JavaScript      | By Default | Based on the GraalVM JavaScript engine.
Zest            | By Default | A graphical security scripting language, ZAP's macro language on steroids.
BeanShell       | Optional   | A BeanShell Console with limited capabilities.
Groovy          | Optional   | Based on Groovy 5.0.3.
Kotlin          | Optional   | Based on Kotlin 1.3.72.
Python          | Optional   | Based on Jython 2.7.2.
Ruby            | Optional   | Based on JRuby 1.7.4.

Script Security

Script Capabilities

As noted on the Script Console page:

⚠️ Warning

Scripts run with the same permissions as ZAP, so do not run any scripts that you do not trust!

Script Types

ZAP supports the following script types:

Name                        | Key / Examples            | Description
Active Rules                | active                    | Scripts that run as part of the Active Scanner to perform custom scan checks.
Authentication              | authentication            | Scripts invoked when performing authentication for a Context.
Encode / Decode             | encode-decode             | Scripts that provide custom data encoding and decoding.
Extender                    | extender                  | Scripts that add new functionality, including UI elements and API endpoints.
Fuzzer HTTP Processor       | httpfuzzerprocessor       | Scripts that process HTTP fuzzer messages before or after sending.
Fuzzer Websocket Processor  | websocketfuzzerprocessor  | Scripts that process WebSocket fuzzer messages.
HTTP Sender                 | httpsender                | Scripts that run for every HTTP request and response processed by ZAP.
Input Vector                | variant                   | Scripts that define exactly what the Active Scanner will attack.
Passive Rules               | passive                   | Scripts that run as part of the Passive Scanner to perform custom checks.
Payload Generator           | payloadgenerator          | Scripts that generate payloads for fuzzing.
Payload Processor           | payloadprocessor          | Scripts that process or modify payloads during fuzzing.
Proxy                       | proxy                     | Scripts that run inline on proxied traffic and can modify and drop requests and responses.
Selenium                    | selenium                  | Scripts that automate browser interactions using browsers launched from ZAP.
Sequence                    | sequence                  | Scripts that define sequences of HTTP requests to model workflows.
Session Management          | session                   | Scripts that define how sessions are managed for a Context.
Stand Alone                 | standalone                | Scripts that are run manually.
Targeted                    | targeted                  | Scripts that are run manually against a specified target URL.
Websocket Passive           | websocketpassive          | Scripts that analyse WebSocket messages without modifying traffic.
Websocket Sender            | websocketsender           | Scripts that run for every WebSocket message processed by ZAP.

The links in the Key / Examples column point to the corresponding directories in the ZAP community-scripts repository, which contains example scripts contributed by the community for each script type.