What is the best way for OWASP Zap to handle Unique Fields and API Sequences?

First Situation: I proxy through some requests to zap and want to perform an active scan on them. Zap active scan is working on one property at a time, and this particular request requires some of the properties to be unique per request.


Is it possible for OWASP ZAP to pass-through some requests without intercepting them, as if there were no proxy?

I have an iOS app with certificate pinning to two different servers.

I want to test this certificate pinning with a MITM attack, so I did:

Set proxy at my PC, in macOS Wi-Fi settings -> Advanced -> Proxies -> enabled HTTP/HTTPS proxy.
In…

What is the best way for OWASP ZAP to add real data to the url parameters and the body requests so that the scan is most accurate?

I’m trying to import and scan OpenAPI definitions and it seems to me that the URL parameters and request body are not being replaced with real data. Is there a way for OWASP ZAP to automatically replace those parameter and body requests wi…