ZAP Scans on ZAP /docs/scans/ Recent content in ZAP Scans on ZAP Hugo en-us ZAP Authentication Tests /docs/scans/auth/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/scans/auth/ <p>Testing ZAP authentication handling against a range of test and real world applications.</p> <p>Columns:</p> <ul> <li><strong>Type</strong>: <ul> <li><strong>stdbba</strong>: Standard <a href="/docs/desktop/addons/authentication-helper/browser-auth/">Browser Based Authentication</a>, just the login URL and credentials, no additional configuration</li> <li><strong>bbaplus</strong>: <a href="/docs/desktop/addons/authentication-helper/browser-auth/">Browser Based Authentication</a> with some additional configuration</li> <li><strong>csa</strong>: <a href="/docs/desktop/addons/authentication-helper/client-script/">Client Script Authentication</a>, using a client side Zest script to authenticate</li> </ul> </li> <li><strong>Auth</strong>: Did ZAP succeed in authentication to this site? This is the key column</li> <li><strong>Username</strong>: Did ZAP find the username field? Only applicable to Browser Based Auth</li> <li><strong>Password</strong>: Did ZAP find the password field? Only applicable to Browser Based Auth</li> <li><strong>Session Mgmt</strong>: Did ZAP identify the session management method?</li> <li><strong>Verification</strong>: Did ZAP identify a suitable verification URL?</li> </ul> <table> <tr> <th>Site</th> <th>Type</th> <th>Auth</th> <th>Username</th> <th>Password</th> <th>Session Mgmt</th> <th>Verification</th> <th>Note</th> </tr><tr> <td><a href="http://aspnet.testsparker.com">http://aspnet.testsparker.com</a></td> <td>stdbba</td> <td><div class="scan-result-pass">&#10003; Passed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td> <td></td> </tr><tr> <td><a href="https://authenticationtest.com/complexAuth/">https://authenticationtest.com/complexAuth/</a></td> <td>bbaplus</td> <td><div class="scan-result-pass">&#10003; Passed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td> <td></td> </tr><tr> <td><a href="https://authenticationtest.com/complexAuth/">https://authenticationtest.com/complexAuth/</a></td> <td>stdbba</td> <td><div class="scan-result-fail">&#10060; Failed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-fail">&#10060; </div></td> <td></td> </tr><tr> <td><a href="https://authenticationtest.com/delayChallenge/">https://authenticationtest.com/delayChallenge/</a></td> <td>bbaplus</td> <td><div class="scan-result-fail">&#10060; Failed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td> <td></td> </tr><tr> <td><a href="https://authenticationtest.com/delayChallenge/">https://authenticationtest.com/delayChallenge/</a></td> <td>stdbba</td> <td><div class="scan-result-fail">&#10060; Failed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-fail">&#10060; </div></td> <td></td> </tr><tr> <td><a href="https://authenticationtest.com/simpleFormAuth/">https://authenticationtest.com/simpleFormAuth/</a></td> <td>bbaplus</td> <td><div class="scan-result-pass">&#10003; Passed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td> <td></td> </tr><tr> <td><a href="https://authenticationtest.com/simpleFormAuth/">https://authenticationtest.com/simpleFormAuth/</a></td> <td>stdbba</td> <td><div class="scan-result-fail">&#10060; Failed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-fail">&#10060; </div></td> <td></td> </tr><tr> <td><a href="https://authenticationtest.com/totpChallenge/">https://authenticationtest.com/totpChallenge/</a></td> <td>bbaplus</td> <td><div class="scan-result-pass">&#10003; Passed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td> <td></td> </tr><tr> <td><a href="https://authenticationtest.com/totpChallenge/">https://authenticationtest.com/totpChallenge/</a></td> <td>stdbba</td> <td><div class="scan-result-fail">&#10060; Failed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-fail">&#10060; </div></td> <td></td> </tr><tr> <td><a href="https://bsky.app">https://bsky.app</a></td> <td>stdbba</td> <td><div class="scan-result-pass">&#10003; Passed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td> <td>BBA is failing verification detection.</td> </tr><tr> <td><a href="https://ctflearn.com">https://ctflearn.com</a></td> <td>stdbba</td> <td><div class="scan-result-pass">&#10003; Passed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td> <td></td> </tr><tr> <td><a href="https://ginandjuice.shop">https://ginandjuice.shop</a></td> <td>stdbba</td> <td><div class="scan-result-pass">&#10003; Passed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td> <td></td> </tr><tr> <td><a href="https://hack-yourself-first.com">https://hack-yourself-first.com</a></td> <td>stdbba</td> <td><div class="scan-result-fail">&#10060; Failed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-fail">&#10060; </div></td> <td></td> </tr><tr> <td><a href="https://infosec.exchange">https://infosec.exchange</a></td> <td>stdbba</td> <td><div class="scan-result-pass">&#10003; Passed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td> <td></td> </tr><tr> <td><a href="https://www.instagram.com">https://www.instagram.com</a></td> <td>stdbba</td> <td><div class="scan-result-fail">&#10060; Failed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td> <td>BBA is failing due to popups.</td> </tr><tr> <td><a href="https://www.linkedin.com">https://www.linkedin.com</a></td> <td>stdbba</td> <td><div class="scan-result-pass">&#10003; Passed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td> <td></td> </tr><tr> <td><a href="https://bugzilla.mozilla.org">https://bugzilla.mozilla.org</a></td> <td>stdbba</td> <td><div class="scan-result-pass">&#10003; Passed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td> <td></td> </tr><tr> <td><a href="http://php.testsparker.com">http://php.testsparker.com</a></td> <td>stdbba</td> <td><div class="scan-result-pass">&#10003; Passed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td> <td></td> </tr><tr> <td><a href="https://www.reddit.com">https://www.reddit.com</a></td> <td>stdbba</td> <td><div class="scan-result-fail">&#10060; Failed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td> <td></td> </tr><tr> <td><a href="http://testasp.vulnweb.com">http://testasp.vulnweb.com</a></td> <td>stdbba</td> <td><div class="scan-result-pass">&#10003; Passed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td> <td></td> </tr><tr> <td><a href="http://testfire.net">http://testfire.net</a></td> <td>bbaplus</td> <td><div class="scan-result-pass">&#10003; Passed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td> <td></td> </tr><tr> <td><a href="http://testfire.net">http://testfire.net</a></td> <td>csa</td> <td><div class="scan-result-pass">&#10003; Passed </div></td><td align="center"><div class="scan-result-na">&mdash; </div></td><td align="center"><div class="scan-result-na">&mdash; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td> <td></td> </tr><tr> <td><a href="http://testfire.net">http://testfire.net</a></td> <td>stdbba</td> <td><div class="scan-result-pass">&#10003; Passed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td> <td></td> </tr><tr> <td><a href="http://testhtml5.vulnweb.com">http://testhtml5.vulnweb.com</a></td> <td>stdbba</td> <td><div class="scan-result-fail">&#10060; Failed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-fail">&#10060; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td> <td></td> </tr><tr> <td><a href="http://testphp.vulnweb.com">http://testphp.vulnweb.com</a></td> <td>stdbba</td> <td><div class="scan-result-pass">&#10003; Passed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td> <td></td> </tr><tr> <td><a href="https://en.wikipedia.org">https://en.wikipedia.org</a></td> <td>stdbba</td> <td><div class="scan-result-pass">&#10003; Passed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td> <td></td> </tr><tr> <td><a href="https://zoom.us">https://zoom.us</a></td> <td>stdbba</td> <td><div class="scan-result-pass">&#10003; Passed </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td><td align="center"><div class="scan-result-pass">&#10003; </div></td> <td>BBA is failing due to popups.</td> </tr></table> <h4 id="configuration">Configuration <a class="header-link" href="#configuration"><svg class="fill-current o-60 hover-accent-color-light" height="22px" viewBox="0 0 24 24" width="22px" xmlns="http://www.w3.org/2000/svg"><path d="M0 0h24v24H0z" fill="none"/><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z" fill="currentColor"/></svg></a></h4> <table> <thead> <tr> <th>Config</th> <th>Details</th> </tr> </thead> <tbody> <tr> <td>Frequency</td> <td>Daily &amp; On-demand</td> </tr> <tr> <td>Scripts</td> <td><a href="https://github.com/zapbot/zap-mgmt-scripts/blob/master/scans/auth/">https://github.com/zapbot/zap-mgmt-scripts/blob/master/scans/auth/</a></td> </tr> <tr> <td>Action</td> <td><a href="https://github.com/zapbot/zap-mgmt-scripts/blob/master/.github/workflows/auth-tests.yml">https://github.com/zapbot/zap-mgmt-scripts/blob/master/.github/workflows/auth-tests.yml</a></td> </tr> </tbody> </table> <h4 id="settings">Settings <a class="header-link" href="#settings"><svg class="fill-current o-60 hover-accent-color-light" height="22px" viewBox="0 0 24 24" width="22px" xmlns="http://www.w3.org/2000/svg"><path d="M0 0h24v24H0z" fill="none"/><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z" fill="currentColor"/></svg></a></h4> <p>The latest <a href="https://github.com/zaproxy/zaproxy/pkgs/container/zaproxy">Nightly ZAP Docker image</a> is run with the default settings against these apps with no exceptions.</p> ZAP vs Firing Range /docs/scans/firingrange/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/scans/firingrange/ <p>Google Firing Range is a test bed for automated web application security scanners.</p> <p>It is available online at <a href="https://public-firing-range.appspot.com/">https://public-firing-range.appspot.com/</a> and the GitHub repo is <a href="https://github.com/google/firing-range">https://github.com/google/firing-range</a></p> <p>It does not appear to be being actively maintained and some of the tests no longer appear to work with modern browsers.</p> <p>Tests which we are sure are no longer valid are marked: &ldquo;⚠️ No vuln&rdquo; - if you can prove otherwise then please let us know!</p> ZAP vs OWASP Benchmark /docs/scans/benchmark/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/scans/benchmark/ <p>OWASP Benchmark is a Java test suite designed to verify the speed and accuracy of vulnerability detection tools.</p> <p>You can find the home page for the project at <a href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a> and the source code at <a href="https://github.com/OWASP-Benchmark/BenchmarkJava">https://github.com/OWASP-Benchmark/BenchmarkJava</a>.</p> <p>Click on the Sections to see the full set of results, which include the path of the test in the application and the scan rule which should find the vulnerability.</p> ZAP vs OWASP Juice Shop /docs/scans/juiceshop/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/scans/juiceshop/ <p>OWASP Juice Shop is &ldquo;probably the most modern and sophisticated insecure web application!&rdquo;.</p> <p>The main project page is <a href="https://owasp.org/www-project-juice-shop/">https://owasp.org/www-project-juice-shop/</a></p> <p>It is actively maintained.</p> <p>In this case we use it to check that the <a href="/docs/desktop/addons/ajax-spider/">AJAX Spider</a> finds all of the expected pages. Juice Shop was manually explored using a browser - if you find a new URL in Juice Shop that can be discovered by &rsquo;normal' exploration but which is not listed then please <a href="https://github.com/zaproxy/zaproxy/issues/new?template=bug-report.yml">raise an issue</a>.</p> ZAP vs Security Crawl Maze /docs/scans/crawlmaze/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/scans/crawlmaze/ <p>Google Security Crawl Maze is a comprehensive testbed for web security crawlers.</p> <p>It is available online at <a href="https://security-crawl-maze.app/">https://security-crawl-maze.app/</a> and the GitHub repo is <a href="https://github.com/google/security-crawl-maze">https://github.com/google/security-crawl-maze</a> It does appear to be being actively maintained and has merged a fix that we submitted.</p> <p>As long as one of the ZAP spiders finds the relevant page we count that as a pass, but ideally both spiders will find as many of the URLs as possible.</p> ZAP vs WAVSEP /docs/scans/wavsep/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/scans/wavsep/ <p>WAVSEP is a vulnerable web application designed to help assessing the features, quality and accuracy of web application vulnerability scanners.</p> <p>It is the most comprehensive OSS DAST specific test suite that we know of.</p> <p>This version of WAVSEP is now maintained by the ZAP Team: <a href="https://github.com/zaproxy/wavsep">https://github.com/zaproxy/wavsep</a></p> <p>Click on the Sections to see the full set of results, which also give the local URL and the scan rule which should find the vulnerability.</p> ZAP vs Webseclab /docs/scans/webseclab/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/scans/webseclab/ <p>Yahoo Webseclab is a set of web security test cases and a toolkit to construct new ones. It can be used for testing security scanners, to replicate or reconstruct issues, or to help with investigations or discussions of particular types of web security bugs.</p> <p>It is not available online, the GitHub repo is <a href="https://github.com/yahoo/webseclab">https://github.com/yahoo/webseclab</a></p> ZAP vs Websites Vulnerable to SSTI /docs/scans/ssti/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/scans/ssti/ <p>Websites Vulnerable to SSTI is a set of simple servers which are vulnerable to Server Side Template Injection.</p> <p>It is not available online, the GitHub repo is <a href="https://github.com/DiogoMRSilva/websitesVulnerableToSSTI">https://github.com/DiogoMRSilva/websitesVulnerableToSSTI</a> It is actively maintained by a ZAP contributor: <a href="https://github.com/DiogoMRSilva">Diogo Silva</a>.</p> <p>The vulnerabilities are reported by various ZAP scan rules - if any of them find a vulnerability then we count that as a pass.</p>