Questions tagged [zap]

OWASP Zed Attack Proxy (ZAP)

https://www.owasp.org/index.php/ZAP

The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. OWASP, an online community, produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.

432 questions
31 votes, 3 answers

Adding authentication in ZAP tool to attack a URL

How do I pass authentication details to the ZAP tool to scan the website? Please help me solve the problem.
user2323844
5 votes, 1 answer

Can Owasp Zap be used to proxy all http and https traffic through an HTTPS connection?

I've just started using ZAP, and am successfully running it in Firefox and Chrome. I'd like to use it to automatically serve its SSL cert for non-https sites as well. So for example, I'd like it to be able to serve http://example.com as…
Brad Parks
5 votes, 1 answer

OWASP ZAP - how to "prove" false positives?

Our customer requires us to run the OWASP ZAP tool against our web application (ASP.NET 4.5.2, Webforms) and we cannot have any high priority findings in the report. We've done the analysis, and OWASP ZAP reports two vulnerabilities which both are…
marc_s
4 votes, 0 answers

How to scan a particular URL or page alone in OWASP ZAP

I have installed OWASP ZAP 2.8.0 and scanned our site fully. As a result we got some SQL injection URLs or pages. So we have fixed those SQL injection issues in development, which the OWASP tool mentioned. How to scan the particular page or URL in…
4 votes, 1 answer

NTLM authentication in ZAP

I'm trying to do some penetration testing of a REST API using ZAP. The API uses Windows authentication [domain\username] and is hosted locally on a specific port. First I did a test using Postman to try to connect and make an example request. My config…
Chris4D
4 votes, 2 answers

OWASP ZAP testing a REST API

Is it possible to test a REST API via OWASP ZAP? The URL to attack worked just for GET requests. For example, my API controllers work only with a token. I have a TokenController and this controller requires POST data via JSON data including a password and…
Сергей
4 votes, 0 answers

How to use Postman with OWASP ZAP Proxy?

I'm trying to explore a REST API using ZAP and Postman but I get an error, probably because I didn't set up something right. Should I add the SA certificate from ZAP to Postman? Could not get any response There was an error connecting to…
dmz73
4 votes, 1 answer

Can ZAP be used for an SPA application?

I have a SPA application (AngularJS front end / RESTful WebAPI back end). The SPA is by design using client routing, i.e. a typical "page" looks like http://contosco.com#/page1, http://contosco.com#/page2, etc. I know that ZAP has an "ajax spidering" mode in…
Ondrej Svejdar
4 votes, 0 answers

Selenium and Cucumber proxy setting (cucumber.xml or CucumberRunner)

Trying to set the proxy (to the OWASP ZAP proxy port) in Cucumber via a property, but to no avail. cucumber.xml
dev
4 votes, 1 answer

OWASP's ZAP and the Fuzz ability

My scenario: I navigate to a login page. I put in a known username with a bad password. ZAP picks this up no issue. I select the POST to the login page. I find the lines that contain the Username and password. The…
James Craig
3 votes, 1 answer

How can we integrate OWASP ZAP & Cypress?

Is there any way we can integrate the OWASP ZAP security testing tool with Cypress?
Nidhi
3 votes, 1 answer

OWASP ZAP scan returns "Application Error Disclosure" for a JavaScript library. Is it a false positive? How to prove that or fix it?

After an automatic scan with OWASP ZAP 2.8.0 I have "Application Error Disclosure" for a JavaScript file (moxiejs library). The site is based on WordPress updated to the newest version. How to fix this vulnerability? Or is it a false positive? Medium…
Ilona K
3 votes, 0 answers

I am trying to automate security testing of web applications using OWASP ZAP in Jenkins. I am getting the following issue

The issue is as follows: 5825 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Spider initializing... 5854 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Starting spider... 5854 [ZAP-SpiderInitThread-0] WARN…
Reshma k
3 votes, 2 answers

Pass login parameters to a scan with OWASP ZAP in a docker command

I'm trying to execute a command to attack an application with login but I don't know how to pass my user and password to the URL. The login sends a POST with user and password to verify if it exists. Command to attack: docker run --rm -v…
3 votes, 1 answer

How to use OWASP ZAP for MiTM attack on Android?

I know that I have not handled MiTM in my Android application and it might be vulnerable. I want to test the scenario by connecting my Android phone via a proxy (my laptop) and using any possible tools to check for a MiTM attack.
Husyn