Collaborate Disseminate
I am trying to run OWASP ZAP automatically using command line. I have tried using the API as described here, but I am getting these errors.
I have also tried with zapr, but it’s also showing error as set path while I have try to set it by … Continue reading How to run OWASP ZAP automatically using command line operations (i.e. Jenkins) [closed]
I want to integrate OWASP Zap security tests in my continuous integration chain using the official Jenkins plugin.
However, since it injects harmful payloads in database, I don’t want the database to become corrupted! And it… Continue reading Owasp Zap’s active scan harming the database
I want to integrate OWASP Zap security tests in my continuous integration chain using the official Jenkins plugin.
However, since it injects harmful payloads in database, I don’t want the database to become corrupted! And it… Continue reading Owasp Zap’s active scan harming the database
I am looking to automate ZAP security scans so that they are run after each deployment for which appveyor will be used. As we push towards continuous delivery, deployments will be more and more frequent so it would be much mo… Continue reading How can I set up OWASP ZAP scans to run after deployment through appveyor?
For context I recently started working through the WebGoat appsec training program, and have hit a wall passing data to a program needed to complete a lesson.
One of the first lesson sets is entitled ""Access Control Flaws"…. Continue reading How can I intercept localhost traffic to/from WebGoat with ZED attack proxy?
We are trying to integrate OWASP ZAP scans to our Build Cycle. When a new build reaches the QA team, they run an automation tool similar to Selenium, which opens a Firefox web-browser in a Windows machine and runs their test cases. Being completely new to ZAP, this is what I have setup now to get the scan results from those tests regularly.
Installed the ZAP tool in a Linux machine and it is running in
daemon mode with an api-key on port 8080
Made changes in Firefox settings in the Automation Test machine so
that each new Firefox profiles opened by Selenium will have the proxy pointed to <IP_of_ZAP_Machine:8080>.
A cronjob will run every midnight that does the following in this order:
Collects the URLs scanned by calling the URL
http://IP_of_ZAP_Machine:8080/XML/core/view/sites/?zapapiformat=XML
Generates a list of URLs which shows alerts for each ‘sites’
obtained from the previous step.
Example: http://IP_of_ZAP_Machine:8080/HTML/core/view/alerts/?zapapiformat=HTML&baseurl=https%3A%2F%2Fwww.example.com&start=&count= for the results of scan on https://www.example.com
Downloads the scan results in HTML format by calling all the URLs from the above step and putting all the HTMLs in a ZIP file.
Emails the ZIP file to my team.
Loads a new session so that the results e-mailed next midnight will contain results only from the previous midnight. The new session is loaded using the URL
http://IP_of_ZAP_Machine:8080/JSON/core/action/newSession/?zapapiformat=JSON&apikey=<my_api_key>&name=${newsessionname}&overwrite=
While I am getting the scan results as expected everyday, the questions is: Am I doing it right? Is there a more correct or established way of doing this?
Note: Results from all the steps are logged into a log file for future verification.
Continue reading Integrating ZAP to SDLC. Am I doing it right?
I am trying to pentest a web application, which seems to be using the user’s smartcard for building up the SSL tunnel, and by that implementing smartcard authentication. My problem is that I haven’t found a proxy, which is ab… Continue reading HTTP proxy for smart card based SSL
How can I exclude POST requests in OWASP ZAP? It is spamming a lot of forms and contact forms and therefore interrupting the normal operations of a website. Can I exclude this with a regex or is there an option build in?
… Continue reading OWASP ZAP disable POST requests (out of scope) [migrated]
I am a new in OWASP ZAP, so I need your help.
I have vulnerability site – DVWA. I am trying to work on token (CSRF) in bruteforce.
When page load I have HTML form with login, password and user-token. Third field are filled by dynamic token (CSRF).
I need to use bruteforce with CSRF token.
user_token from loaded pageAs I understand, I need to create script for receiving user_token from loaded page and then run Attak -> Fuzz on authorization link, then select user_token value and add playload script that will fill it on each request.
But I can’t find any information on the Internet how to create this script. Can anyone please help me?
Continue reading How to get CSRF token on authorization request with OWASP ZAP in bruteforce mode
I have Zed Attack Proxy (ZAP) on my machine and my browser is Firefox. When I route the browser traffic through the ZAP proxy (using FoxyProxy), if it’s HTTPS traffic, Firefox says “Your connection is not secure” and that’s i… Continue reading Why are HTTPS requests blocked by Firefox when using ZAP proxy?