zap – WindowsTechs.com

ZAP – Remote command injection found in API but real URL not shown anywhere, in scan returns 200 but manual test returns expected 400

Posted on August 15, 2023 by WesternGun

Using ZAP OWASP 2.13.0 and found a so-called "Remote command injection". But either in report or in Alerts the URL + query the URL does not contain attack string. Open the query in Request editor, the query is still correct.
Did … Continue reading ZAP – Remote command injection found in API but real URL not shown anywhere, in scan returns 200 but manual test returns expected 400→

ZAP authenticated scan without locking out the test user

Posted on August 8, 2023 by Richard Leonard Kirner

I’m trying to set up an authenticated scan for a webapp, lets say admin.example.com. The authentication is done by a different service login.example.com through a JSON AJAX call. After successful authentication, the login.example.com would… Continue reading ZAP authenticated scan without locking out the test user→

Why use OWASP ZAP when it could damage the web application?

Posted on July 9, 2023 by Wis

OWASP ZAP is used to scan vulnerability on web application but its site says " Because this is a simulation that acts like a real attack, actual damage can be done to a site’s functionality, data, etc."
So why would someone use i… Continue reading Why use OWASP ZAP when it could damage the web application?→

Any idea why the param being modifed was removed from the HTML output in ZAP?

Posted on June 20, 2023 by Floppa

http://xxx/?-d+allow_url_include%3D1+-d+auto_prepend_file%3Dphp%3A%2F%2Finput=%27+AND+4571%3D9588+AND+%27kISD%27%3D%27kISD

(Advanced SQL Injection)
here is the ZAP description:

The page results were successfully manipulated using the boo… Continue reading Any idea why the param being modifed was removed from the HTML output in ZAP?→

Adding Payload to URL-based SQL Injection: Seeking Guidance and Best Practices

Posted on June 18, 2023 by Floppa

I recently performed a vulnerability assessment on a system using ZAP (Zed Attack Proxy) and received a finding indicating a likely SQL injection vulnerability.

The query time is controllable using parameter value [case
randomblob(1000000… Continue reading Adding Payload to URL-based SQL Injection: Seeking Guidance and Best Practices→

ZAP HUD is different

Posted on February 17, 2023 by user289467

Started to get to grips with the OWASP ZAP tool, and can’t solve the problem related to the ZAP HUD.
Why does the ZAP HUD frames (on the left- and right-hand sides of page) on some sites (like Github) contain full set of tools, but on othe… Continue reading ZAP HUD is different→

Cannot run ZapProxy add_header_request.py – throwable exception

Posted on October 18, 2022 by Phil

I am dropping this
https://github.com/zaproxy/community-scripts/blob/main/httpsender/add_header_request.py into ZAP scripts window > Proxy
When I save and browse a site, I see java.lang.reflect.UndeclaredThrowableException
I expected t… Continue reading Cannot run ZapProxy add_header_request.py – throwable exception→

Zap: How to export Fuzzer results/report with the Request and Response?

Posted on July 12, 2022 by IAmMilinPatel

I’m relatively new to using OWASP ZAP. I tried fuzzing POST requests with Zap and am able to see all the messages sent in the Fuzzer tab.
When I select one of the messages in the Fuzzer tab, I can see the respective Request and Response in… Continue reading Zap: How to export Fuzzer results/report with the Request and Response?→

Brute force alphanumeric passwords between 1 to 7 characters long with ZAP

Posted on March 20, 2022 by kaynomi

In BurpSuite, you can brute force a password of any length and any character set (in my case, alphanumeric passwords between 1 to 7 characters long). How does one do it in OWASP ZAP, without actually generating a password list containing a… Continue reading Brute force alphanumeric passwords between 1 to 7 characters long with ZAP→

Is zap auto scan good enough? [closed]

Posted on March 1, 2022 by user12158726

Currently, I use zap auto scan and found some vulnerabilities such as missing header and cache control reported by the auto scanner.
Is auto scan good enough to give the dev team a security test report?
I saw a web checklist at OWASP websi… Continue reading Is zap auto scan good enough? [closed]→