Features on ZAP

Active Scan

Mon, 01 Jan 0001 00:00:00 +0000

Active Scan

Active scanning attempts to find potential vulnerabilities by using known attacks against the selected targets.

Active scanning is an attack on those targets.

You should NOT use it on web applications that you do not own.

In order to facilitate identifying ZAP traffic and Web Application Firewall exceptions, ZAP is accompanied by a script “AddZapHeader.js” which can be used to add a specific header to all traffic that passes through or originates from ZAP. eg: X-ZAP-Initiator: 3

Add-ons

Mon, 01 Jan 0001 00:00:00 +0000

Add-ons

Add-ons add additional functionality to ZAP.

They have full access to all of the ZAP internals, and so can provide very powerful new features.

You can dynamically install add-ons from the online Add-on Marketplace via the Manage Add-ons dialog.

You can typically add and remove add-ons to and from the ZAP UI without having to restart it.

Alerts

Mon, 01 Jan 0001 00:00:00 +0000

Alerts

An alert is a potential vulnerability and is associated with a specific request.

A request can have more than one alert.

Alerts are shown in the UI with a flag indicating the risk:


	High
	Medium
	Low
	Informational
	False Positive

Alerts can be raised by various ZAP components, including but not limited to: active scanning, passive scanning, scripts, by addons (extensions), or manually using the Add Alert dialog (which also allows you to update or change alert details/information).

Anti CSRF Handling

Mon, 01 Jan 0001 00:00:00 +0000

Anti CSRF Tokens

Anti CSRF tokens are (pseudo) random parameters used to protect against Cross Site Request Forgery (CSRF) attacks.

However they also make a penetration testers job harder, especially if the tokens are regenerated every time a form is requested.

ZAP detects anti CSRF tokens purely by attribute names - the list of attribute names considered to be anti CSRF tokens is configured using the Options Anti CSRF screen.

API

Mon, 01 Jan 0001 00:00:00 +0000

API

ZAP provides an Application Programming Interface (API) which allows you to interact with ZAP programmatically.

The API is available in JSON, HTML and XML formats.

A simple web UI which allows you to explore and use the API is available via the URL http://zap/ when you are proxying via ZAP, or via the host and port ZAP is listening on, eg http://localhost:8080/.

Authentication

Mon, 01 Jan 0001 00:00:00 +0000

Authentication

ZAP can handle a wide range of authentication mechanisms.
If you are new to ZAP automation then the best place to start is the ZAP Authentication Decision Tree (external link).

Each Context has:

an Authentication Method which defines how authentication is handled. The authentication is used to create Web Sessions that correspond to authenticated webapp Users.
an Authentication Verification Strategy which defines how ZAP should detect when messages correspond to authenticated requests.

You can use any combination of Authentication Method and Verification Strategy which works for your webapp.

Authentication Methods

Mon, 01 Jan 0001 00:00:00 +0000

Authentication Methods

ZAP handles multiple types of authentication (called Authentication Methods ) that can be used for websites / webapps. Each Context has an Authentication Method defined which dictates how authentication is handled. The authentication is used to create Web Sessions that correspond to authenticated webapp Users.

Authentication methods can be used in multiple places around ZAP. Some of the examples include:

Authentication Verification Strategies

Mon, 01 Jan 0001 00:00:00 +0000

Authentication Verification Strategies

Verification Strategies

ZAP supports multiple Verification Strategies in order to detect when messages correspond to authenticated requests.

Check every Response

When this strategy is used then ZAP will use the specified Regex Patterns on every response. This is typically useful for traditional webapps which return full HTML pages.

Breakpoints

Mon, 01 Jan 0001 00:00:00 +0000

Breakpoints

A breakpoint allows you to intercept a request from your browser and to change it before it is submitted to the web application you are testing.

You can also change the responses received from the application

The request or response will be displayed in the Break tab which allows you to change disabled or hidden fields, and will allow you to bypass client side validation (often enforced using javascript).

Callbacks

Mon, 01 Jan 0001 00:00:00 +0000

Callbacks

Various ZAP components (scan rules, etc) may leverage payloads which result in HTTP requests back to ZAP. Such callback requests may be triggered by the spider(s), a user, or a future action from a tertiary system.

The ZAP GUI includes a panel in which such requests can be reviewed: Callbacks tab.

Contexts

Mon, 01 Jan 0001 00:00:00 +0000

Contexts

Contexts are a way of relating a set of URLs together.

You can define any contexts you like, but it is expected that a context will correspond to a web application.

It is recommended that you define a new contexts for each web application that makes up the system you are testing, and set them in scope as you test each one.

Custom Page

Mon, 01 Jan 0001 00:00:00 +0000

Custom Page

ZAP can accommodate the definition of various non-standard error handling conditions.
Each Context may include multiple Custom Page definitions, with the following elements:

Enabled > Whether the definition is enabled or not.
Content > The String or Regex which defines the URL or response content to be matched.
Content Location > Whether the “Content” should be matched against a URL or response “Content”.
Is Regex? > Indicating whether or not “Content” is a regular expression or not.
Custom Page Type > Specifying what type of Custom Page is being defined:
- Error Page > For ‘500 - Internal Server Error’ type pages.
- Not Found > For ‘404 - Not Found’ responses.
- Ok > For ‘200 - Ok’ definitions
- Other > To facilitate use of Custom Pages in scripts or other usages that have not yet been foreseen.
- Auth. Issue > For Authentication/Authorization related responses. For example: ‘401 - Unauthorized’ or ‘403 - Forbidden’ type conditions.

Configuration example

A configuration example showing how to fully configure a webapp that returns a 200 - Ok response with the message “Sorry, we can’t seem to find what you were looking for” is seen below:

Data Driven Content

Mon, 01 Jan 0001 00:00:00 +0000

Data Driven Content

Data driven content is type of Structural Modifier which identifies URL paths that represent data.

In ’traditional’ web applications the structure of the application is typically defined by the URL paths and the data is contained in the URL parameters and POST data.

URLs like:

are represented in the Sites Tree as two ’nodes’ in the tree:

Globally Excluded URLs

Mon, 01 Jan 0001 00:00:00 +0000

This page was moved.

HTTP Sessions

Mon, 01 Jan 0001 00:00:00 +0000

HTTP Sessions

This tool keeps track of the existing HTTP Sessions on a particular Site and allows the ZAP user to force all requests to be on a particular session. Basically, it allows the user to easily switch between user sessions on a Site and to create a new Session without “destroying” the existing ones.

Manipulator-in-the-middle Proxy

Mon, 01 Jan 0001 00:00:00 +0000

Manipulator-in-the-middle Proxy

ZAP is a Manipulator-in-the-middle Proxy. It allows you to see all of the requests you make to a web app and all of the responses you receive from it.

Amongst other things this allows you to see AJAX calls that may not otherwise be obvious.

You can also set breakpoints which allow you to change the requests and responses on the fly.

Marketplace

Mon, 01 Jan 0001 00:00:00 +0000

Marketplace

ZAP Marketplace contains ZAP add-ons which have been written by the ZAP team and the community. The add-ons help to extend the functionalities of ZAP. You can browse and download add-ons from within ZAP by clicking on the ‘Manage Add-ons’ button in the toolbar and then selecting the Marketplace tab.

Modes

Mon, 01 Jan 0001 00:00:00 +0000

Modes

ZAP has a ‘mode’ which can be:

Safe - no potentially dangerous operations permitted.
Protected - you can only perform (potentially) dangerous actions on URLs in the scope.
Standard - does not restrict anything.
ATTACK - new nodes that are in scope are actively scanned as soon as they are discovered.

It is recommended that you use the Protected mode to ensure that you only attack sites that you mean to.

Notes

Mon, 01 Jan 0001 00:00:00 +0000

Notes

A note is any text that you wish to associate with a request.

For example you could use notes to record details of extra tests that you need to perform on a request.

Notes are added and changed using the Add Note dialog.

Notes are flagged in the History tab with the icon.

Passive Scan

Mon, 01 Jan 0001 00:00:00 +0000

Passive Scan

The passive scanner is provided by the Passive Scanner add-on, which allows to passively scan messages (e.g. HTTP, WebSocket) proxied/sent through/by ZAP.

Software Bill of Materials

Mon, 01 Jan 0001 00:00:00 +0000

Software Bill of Materials

ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX for both the ZAP core and all of the add-ons maintained by the ZAP team. Each SBOM will appear as a file called “bom.json” included at the root of the ZAP JARs.

Note that SBOMs may not be available if you run ZAP from the source code, and some 3rd party add-ons may also not define them.

Scan Policy

Mon, 01 Jan 0001 00:00:00 +0000

Scan Policy

A scan policy defines exactly which rules are run as part of an active scan.

It also defines how these rules run influencing how many requests are made and how likely potential issues are to be flagged.

You can define as many scan policies as you like and select the most appropriate one when you start the scan via the Active Scan Dialog.

Scope

Mon, 01 Jan 0001 00:00:00 +0000

Scope

The Scope is the set of URLs you are testing, and is defined by the Contexts you have specified.

By default nothing is in scope.

The Scope potentially changes:

What you can do, when you are in Protected mode
What is shown in the History tab
Protected - user can only perform (potentially) dangerous actions on URLs in the Scope
Standard - as in previous releases, user can do anything
ATTACK - new nodes that are in Scope are actively scanned as soon as they are discovered

It is recommended that you define a new Context for each web application that makes up the system you are testing, and set them in scope as you test each one.

Scripts

Mon, 01 Jan 0001 00:00:00 +0000

Scripts

ZAP supports scripts that can be embedded within ZAP and can access internal ZAP data structures and classes. These scripts allow you to dynamically enhance ZAP from within ZAP.

ZAP supports any scripting language that supports JSR 223, including:

ECMAScript / JavaScript (through the GraalVM JavaScript add-on)
Zest
Groovy https://groovy-lang.org/
Kotlin https://kotlinlang.org/
Python https://www.jython.org
Ruby - https://jruby.org/
and many more…

WARNING - scripts run with the same permissions as ZAP, so do not run any scripts that you do not trust!

Session Management

Mon, 01 Jan 0001 00:00:00 +0000

Session Management

ZAP handles multiple types of session management (called Session Management Methods ) that can be used for websites / webapps. Each Context has a Session Management Method defined which dictates how sessions are kept.

Cookie-Based Session Management

In the case of this method the session is being tracked through cookies. Currently, the session tokens that are used are imported from the HTTP Sessions Extension.

Sites Tree

Mon, 01 Jan 0001 00:00:00 +0000

Sites Tree

The Sites Tree is ZAP’s internal representation of the sites that you access and is displayed in the Sites tab. If it does not accurately reflect the sites then ZAP will not be able to attack them effectively. Each node in the tree represents a different piece of functionality in a site. By default ZAP will create unique nodes in the tree based on the HTTP method and the parameter names.

Spider

Mon, 01 Jan 0001 00:00:00 +0000

This page was moved.

Statistics

Mon, 01 Jan 0001 00:00:00 +0000

Statistics

ZAP maintains statistics which can help you understand what is really happening when interacting with large applications.

The statistics are available via the API and can be also sent to a Statsd server when configured via the Options Statistics screen.

The full set of statistics maintained by the ZAP core and add-ons are maintained on the ZAP website: Internal Statistics.

Structural Modifiers

Mon, 01 Jan 0001 00:00:00 +0000

Structural Modifiers

Structural Modifiers are controls which change how ZAP represents the structure of the application.

The Sites Tree is ZAP’s representation of the application.

If it is not a good representation of the structure then ZAP will not be able to attack the application effectively.

There are currently 2 types of Structural Modifiers:

Structural Parameters

Mon, 01 Jan 0001 00:00:00 +0000

Structural Parameters

Structural parameters are a type of Structural Modifier which identify parameters that represent application structure instead of user data.

In ’traditional’ web applications the structure of the application is typically defined by the URL paths and the data is contained in the URL parameters and POST data.

Users

Mon, 01 Jan 0001 00:00:00 +0000

Users

Users are the ZAP representations of websites/webapps’ users. They allow certain actions to be performed from the point of view of an user of the webapps. For each Context, a set of Users can be defined, which can then be used in actions related to the context. Most commonly, during various scans the request messages can be sent from the point of view of a User.

Features on ZAP

Active Scan

Active Scan

Add-ons

Add-ons

Alerts

Alerts

Anti CSRF Handling

Anti CSRF Tokens

API

API

Authentication

Authentication

Authentication Methods

Authentication Methods

Authentication Verification Strategies

Authentication Verification Strategies

Verification Strategies

Check every Response

Breakpoints

Breakpoints

Callbacks

Callbacks

Contexts

Contexts

Custom Page

Custom Page

Configuration example

Data Driven Content

Data Driven Content

Globally Excluded URLs

HTTP Sessions

HTTP Sessions

Manipulator-in-the-middle Proxy

Manipulator-in-the-middle Proxy

Marketplace

Marketplace

Modes

Modes

Notes

Notes

Passive Scan

Passive Scan

Software Bill of Materials

Software Bill of Materials

Scan Policy

Scan Policy

Scope

Scope

Scripts

Scripts

Session Management

Session Management

Cookie-Based Session Management

Sites Tree

Sites Tree

Spider

Statistics

Statistics

Structural Modifiers

Structural Modifiers

Structural Parameters

Structural Parameters

Tags

Tags

Users

Users