Questions tagged [zap]

OWASP Zed Attack Proxy (ZAP) is a free, community-developed security tool devoted to detecting vulnerabilities in web applications, for both beginners and application security professionals.

ZAP is open-source software that bundles many tools for performing a wide range of penetration tests against a target web application. It is highly configurable, which allows it to be applied to a large variety of applications, and its basic quick-start tool makes it easy for beginners to use.

It can be used as a basic scanner, or set up as an intercepting proxy between a web browser and the application backend.

It will eventually generate a list of vulnerabilities, classified according to the OWASP Risk Rating Methodology.

ZAP is developed and supported by a large community through its GitHub repository.

95 questions
14 votes, 2 answers

What are the differences between Burp and OWASP ZAP?

I am new to security testing and I'm confused about two web proxy tools, namely Burp and OWASP ZAP. Both seem to fulfill the same task, so what exactly are the differences between them?
Nitin Rastogi
7 votes, 2 answers

How can I edit HTTP request in OWASP ZAP and send the edited request?

I'm aware of setting a breakpoint on a particular request and then, when the request is made in the browser, the HTTP request can be modified in ZAP. But is there any way in ZAP by which an already made request can be edited and sent? For…
user5155835
7 votes, 1 answer

How to supply HTTP Basic Authentication details in OWASP ZAP proxy?

I am using Basic HTTP Authentication to log into my Web Application. The credentials are Base64 encoded and sent to the Server. OWASP ZAP Proxy is intercepting the request and I can see the Authorization header included in my HTTP request. I want to…
Krishna Pandey
6 votes, 2 answers

OWASP ZAP FUZZ functionality not highlighted

I am a beginner with ZAP. I am trying to use the FUZZ logic for the passwords. I can see that option when I click on the password in the request table, but I am not able to click on it, as it is faint and non-clickable. How do I activate it?
Manikya
5 votes, 3 answers

Is non-executed content still considered XSS?

I'm working through an OWASP Zap report that has flagged several URLs on the domain as being vulnerable to XSS, but the vulnerability is never output in a context that is executable by the browser. For instance, the report is showing…
Noah Heck
5 votes, 2 answers

Are files like favicon.ico, robots.txt, and sitemap.xml vulnerable to XSS?

A Zap scan against an app detected the "Web Browser XSS Protection Not Enabled" vulnerability on sitemap and favicon. Would it be safe to ignore those URLs or does it mean that the app is vulnerable? Here is the full output on…
postoronnim
5 votes, 2 answers

Why are HTTPS requests blocked by Firefox when using ZAP proxy?

I have Zed Attack Proxy (ZAP) on my machine and my browser is Firefox. When I route the browser traffic through the ZAP proxy (using FoxyProxy), if it's HTTPS traffic, Firefox says "Your connection is not secure" and that's it. I can't do anything.…
Jason Krs
5 votes, 1 answer

What wordlist does OWASP ZAP spider use?

I am trying to figure out how OWASP ZAP discovered a directory on a practice VM. I entered the host IP and hit attack, and the spider discovered this directory (pChart2.3.1). I have searched every wordlist used by DirBuster and none of them contain…
user3046771
5 votes, 1 answer

Setting up OWASP ZAP Authentication

So I have recently been working on security testing with OWASP ZAP. However, I have hit a roadblock in that I can't get the (AJAX) spider to test within an authorized area of the single-page application. I have looked at the different options in…
Josh Mc
4 votes, 2 answers

False positive SQL Injection by ZAP with adding new parameter query

I have a Spring MVC web application and am running a ZAP Active scan on it. I noticed that ZAP will modify the URL and add an additional parameter named query with the value query+AND+1%3D1+--+ to test for SQL Injection. In my case, it raises a HIGH MEDIUM SQL…
Hima
3 votes, 1 answer

Is there a way to find out what information website queries about us?

What tool or software should I look for to find out what "fingerprinting" data a website is tracking? For example, I want to know if the website looks for a cache and/or fonts installed in the system, or uses Canvas or WebGL methods. There was a great project doing…
3 votes, 2 answers

Integrating ZAP to SDLC. Am I doing it right?

We are trying to integrate OWASP ZAP scans to our Build Cycle. When a new build reaches the QA team, they run an automation tool similar to Selenium, which opens a Firefox web-browser in a Windows machine and runs their test cases. Being completely…
Sreeraj
3 votes, 2 answers

How to get CSRF token on authorization request with OWASP ZAP in bruteforce mode

I am new to OWASP ZAP, so I need your help. I have a vulnerable site, DVWA. I am trying to work with the CSRF token in brute-force mode. When the page loads I have an HTML form with login, password and user-token. The third field is filled by a dynamic (CSRF) token. I…
user2264941
3 votes, 1 answer

Why can I only view HTTPS traffic from some iOS apps with ZAP?

I've noticed a curious oddity with some traffic sniffing from my apps on my iPhone. I've installed the ZAP Proxy CA certificate on the device, but I've noticed I can sniff some app traffic, and others I can't. This was apparent six months ago, but…
Colin
3 votes, 2 answers

Can the OWASP ZAP check XSS for REST API?

I have a web application and I used OWASP ZAP for checking XSS. I tried two cases as in the example below: URL: localhost:8888/test/login Login page HTML: Login Page
nhatnguyen