/docs/getting-further/scripting/ Recent content in Getting Further with ZAP Scripting on ZAP Hugo en-us /docs/getting-further/scripting/script-languages/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/getting-further/scripting/script-languages/ <p>ZAP supports the following scripting languages:</p> <table> <thead> <tr> <th>Language / Link</th> <th>Included</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td><a href="/docs/desktop/addons/graalvm-javascript/">JavaScript</a></td> <td>By Default</td> <td>Based on the GraalVM JavaScript engine.</td> </tr> <tr> <td><a href="/docs/desktop/addons/zest/">Zest</a></td> <td>By Default</td> <td>A graphical security scripting language, ZAPs macro language on steroids.</td> </tr> <tr> <td><a href="/docs/desktop/addons/bean-shell/">BeanShell</a></td> <td>Optional</td> <td>A BeanShell Console with limited capabilities.</td> </tr> <tr> <td><a href="/docs/desktop/addons/groovy-support/">Groovy</a></td> <td>Optional</td> <td>Based on Groovy 5.0.3.</td> </tr> <tr> <td><a href="/docs/desktop/addons/kotlin-support/">Kotlin</a></td> <td>Optional</td> <td>Based on Kotlin 1.3.72.</td> </tr> <tr> <td><a href="/docs/desktop/addons/python-scripting/">Python</a></td> <td>Optional</td> <td>Based on Jython 2.7.2.</td> </tr> <tr> <td><a href="/docs/desktop/addons/ruby-scripting/">Ruby</a></td> <td>Optional</td> <td>Based on JRuby 1.7.4.</td> </tr> </tbody> </table> /docs/getting-further/scripting/script-security/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/getting-further/scripting/script-security/ <h3 id="script-capabilities">Script Capabilities <a class="header-link" href="#script-capabilities"><svg class="fill-current o-60 hover-accent-color-light" height="22px" viewBox="0 0 24 24" width="22px" xmlns="http://www.w3.org/2000/svg"><path d="M0 0h24v24H0z" fill="none"/><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z" fill="currentColor"/></svg></a></h3> <p>As noted on the <a href="/docs/desktop/addons/script-console/">Script Console</a> page:</p> <blockquote class="alert alert-warning"> <p class="alert-heading"> ⚠️ Warning </p> <div class="alert-content"> <p>Scripts run with the same permissions as ZAP, so do not run any scripts that you do not trust!</p> /docs/getting-further/scripting/script-types/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/getting-further/scripting/script-types/ <p>ZAP supports the following script types:</p> <table> <thead> <tr> <th>Name</th> <th>Key / Examples</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>Active Rules</td> <td><a href="https://github.com/zaproxy/community-scripts/tree/main/active">active</a></td> <td>Scripts that run as part of the Active Scanner to perform custom scan checks.</td> </tr> <tr> <td>Authentication</td> <td><a href="https://github.com/zaproxy/community-scripts/tree/main/authentication">authentication</a></td> <td>Scripts invoked when performing authentication for a Context.</td> </tr> <tr> <td>Encode / Decode</td> <td><a href="https://github.com/zaproxy/community-scripts/tree/main/encode-decode">encode-decode</a></td> <td>Scripts that provide custom data encoding and decoding.</td> </tr> <tr> <td>Extender</td> <td><a href="https://github.com/zaproxy/community-scripts/tree/main/extender">extender</a></td> <td>Scripts that add new functionality, including UI elements and API endpoints.</td> </tr> <tr> <td>Fuzzer HTTP Processor</td> <td><a href="https://github.com/zaproxy/community-scripts/tree/main/httpfuzzerprocessor">httpfuzzerprocessor</a></td> <td>Scripts that process HTTP fuzzer messages before or after sending.</td> </tr> <tr> <td>Fuzzer Websocket Processor</td> <td><a href="https://github.com/zaproxy/community-scripts/tree/main/websocketfuzzerprocessor">websocketfuzzerprocessor</a></td> <td>Scripts that process WebSocket fuzzer messages.</td> </tr> <tr> <td>HTTP Sender</td> <td><a href="https://github.com/zaproxy/community-scripts/tree/main/httpsender">httpsender</a></td> <td>Scripts that run for every HTTP request and response processed by ZAP.</td> </tr> <tr> <td>Input Vector</td> <td><a href="https://github.com/zaproxy/community-scripts/tree/main/variant">variant</a></td> <td>Scripts that define exactly what the Active Scanner will attack.</td> </tr> <tr> <td>Passive Rules</td> <td><a href="https://github.com/zaproxy/community-scripts/tree/main/passive">passive</a></td> <td>Scripts that run as part of the Passive Scanner to perform custom checks.</td> </tr> <tr> <td>Payload Generator</td> <td><a href="https://github.com/zaproxy/community-scripts/tree/main/payloadgenerator">payloadgenerator</a></td> <td>Scripts that generate payloads for fuzzing.</td> </tr> <tr> <td>Payload Processor</td> <td><a href="https://github.com/zaproxy/community-scripts/tree/main/payloadprocessor">payloadprocessor</a></td> <td>Scripts that process or modify payloads during fuzzing.</td> </tr> <tr> <td>Proxy</td> <td><a href="https://github.com/zaproxy/community-scripts/tree/main/proxy">proxy</a></td> <td>Scripts that run inline on proxied traffic and can modify and drop requests and responses.</td> </tr> <tr> <td>Selenium</td> <td><a href="https://github.com/zaproxy/community-scripts/tree/main/selenium">selenium</a></td> <td>Scripts that automate browser interactions using browsers launched from ZAP.</td> </tr> <tr> <td>Sequence</td> <td><a href="https://github.com/zaproxy/community-scripts/tree/main/sequence">sequence</a></td> <td>Scripts that define sequences of HTTP requests to model workflows.</td> </tr> <tr> <td>Session Management</td> <td><a href="https://github.com/zaproxy/community-scripts/tree/main/session">session</a></td> <td>Scripts that define how sessions are managed for a Context.</td> </tr> <tr> <td>Stand Alone</td> <td><a href="https://github.com/zaproxy/community-scripts/tree/main/standalone">standalone</a></td> <td>Scripts that are run manually.</td> </tr> <tr> <td>Targeted</td> <td><a href="https://github.com/zaproxy/community-scripts/tree/main/targeted">targeted</a></td> <td>Scripts that are run manually against a specified target URL.</td> </tr> <tr> <td>Websocket Passive</td> <td><a href="https://github.com/zaproxy/community-scripts/tree/main/websocketpassive">websocketpassive</a></td> <td>Scripts that analyse WebSocket messages without modifying traffic.</td> </tr> <tr> <td>Websocket Sender</td> <td><a href="https://github.com/zaproxy/community-scripts/tree/main/websocketsender">websocketsender</a></td> <td>Scripts that run for every Websocket message processed by ZAP.</td> </tr> </tbody> </table> <p>The links in the <strong>Key / Examples</strong> column point to the corresponding directories in the ZAP <a href="https://github.com/zaproxy/community-scripts">community-scripts</a> repository, which contains example scripts contributed by the community for each script type.</p>