zap – Page 3 – WindowsTechs.com

Zap API: endpoints unavailable

Posted on February 15, 2021 by postoronnim

I am running Zap version 2.10.0 and was hoping to gain more control of logins with users.authenticate_as_user, link
It is, however, unavailable as when I list attributes of a users object in python I only get (besides dunder methods):
‘get… Continue reading Zap API: endpoints unavailable→

Certificate warning with NoxPlayer and OWASP ZAP

Posted on February 1, 2021 by Eggs_on_rocks

I have tried to dip my toe into android hacking. I followed this helpful article on Medium.
I’m using NoxPlayer emulator and OWASP ZAP as proxy. I have rooted the device, imported certificate from ZAP, changed the file extension to .cer . … Continue reading Certificate warning with NoxPlayer and OWASP ZAP→

How do you weigh security issues you find?

Posted on February 1, 2021 by Mornon

We have weekly security test scans of our projects with QWASP ZAP, which of course always results in security issues that need to be fixed.
Unfortunately, we are more and more in disagreement about the prioritization. Yes, it is certainly … Continue reading How do you weigh security issues you find?→

Remote OS Command Injection – scanned by ZAP

Posted on December 17, 2020 by sanba06c

A web scan by ZAP indicated that my website is vulnerable to a Remote OS command injection. Details are below:
This is the URL the scanner found vulnerable:
https://[redacted]/[redacted]?address=ZAP%22%26sleep+15%26%22&email=foo-bar%40… Continue reading Remote OS Command Injection – scanned by ZAP→

Remote file inclusion (RFI) found – vulnerability or false positive?

Posted on December 3, 2020 by Lonzak

For educational purposes, I am pentesting an app server of mine. I am using ZAP and it reports a remote file inclusion vulnerability. I looked at it and think its a false positive but before I miss something I wanted to ask the community:
… Continue reading Remote file inclusion (RFI) found – vulnerability or false positive?→

Detailed explanations on OWASP Zap Security scan rules

Posted on November 11, 2020 by yello_flash

As an example, I have installed Anti-CSRF Scanning rule in ZAP proxy and scanned a POST request which does not verify the CSRF token value from the back end. Ideally, it is a CSRF vulnerability, but ZAP proxy scanner did not detect that. I… Continue reading Detailed explanations on OWASP Zap Security scan rules→

Doesn’t seem to change _csrf token

Posted on August 28, 2020 by William

I recently saw a very interesting post from a person describing all the steps he would take before running a scan (https://groups.google.com/g/zaproxy-users/c/SMd9OmcVWbE). It caught my attention because I do exactly the same thing he does… Continue reading Doesn’t seem to change _csrf token→

Auto-login to refresh token in Burp Suite 2

Posted on August 7, 2020 by William

I want to run an automatic scan on a web application made with Angular and JSNode. On this one I have access to different types of accounts. On ZAP OWASP I can select the POST request, it detects the parameters in the request, I show it wh… Continue reading Auto-login to refresh token in Burp Suite 2→

ZAP Error [java.net.ConnectException]: Connection refused (Connection refused)

Posted on May 31, 2020 by MrPython

I am trying to connect to http://challenge01.root-me.org/web-serveur/ch10/ in Firefox with FoxyProxy and OWASP ZAP and I got this error message

ZAP Error [java.net.ConnectException]: Connection refused (Connection refused)

Stack Trace:
… Continue reading ZAP Error [java.net.ConnectException]: Connection refused (Connection refused)→

Is it possible to see the history of SSL handshakes going out of OWASP ZAP proxy?

Posted on May 3, 2020 by desudesudesu

Let’s say I perform some request through OWASP ZAP local proxy, and it fails SSL handshake for some reason.

Is there any way to see what SSL certificates zaproxy offered during the handshake, at which url etc?

Continue reading Is it possible to see the history of SSL handshakes going out of OWASP ZAP proxy?→