Frequently Asked Questions on ZAP

Somethings not working. What should I do?

Mon, 01 Jan 0001 00:00:00 +0000

Somethings not working as you expect with ZAP, and you’re not sure if it’s a bug or a misunderstanding of how ZAP works.

The following steps may well help:

Check for Updates

Click on the ‘Manage Add-ons’ button on the toolbar and then click on the ‘Check for updates’ button.

Does ZAP offer community services?

Mon, 01 Jan 0001 00:00:00 +0000

Yes, the ZAP team currently offers the following services to the community.

Be Aware

The following are all subject to change without notice. We intend for them all to remain as-is over the long term, however, they are primarily intended to be used with ZAP and as such may change is/when required by the project/team.

How do I get a specific feature implemented in ZAP?

Mon, 01 Jan 0001 00:00:00 +0000

You have 3 options:

Convince one of the existing ZAP developers that they should implement it
Convince someone else to implement it for you
Implement it yourself

Some of the ZAP core developers are paid to work on ZAP. If you can convince one of the us that we should implement it asap then this will probably be the quickest option as obviously we know the code base well. However we are all very busy and the companies who pay us have expectations on what we will deliver. We do have a lot of freedom to do what we think is right, but we all have a long list of things we’d really like to work on. But it doesn’t hurt to try.

How do I use Chrome with ZAP in Docker?

Mon, 01 Jan 0001 00:00:00 +0000

The Chrome browser is not included by default in the ZAP Docker images. This FAQ entry will walk-through the steps necessary to install and run Chrome with ZAP in a Docker container, to be used by its tools (e.g. DOM XSS Scan Rule, AJAX Spider).

Create a Dockerfile using one of the ZAP images and installing Chrome, e.g.:

FROM --platform=linux/amd64 zaproxy/zap-stable:latest

USER root

RUN apt-get update && \
	wget -q https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb && \
	apt-get install -y ./google-chrome-stable_current_amd64.deb && \
	rm -rf /var/lib/apt/lists/*

USER zap

Build the new image, e.g.: zap-chrome

docker build -f Dockerfile --platform linux/amd64 -t zap-chrome .

To verify everything is working create an Automation Framework plan called chrome.yaml with the following contents:

What 'calls home' does ZAP make?

Mon, 01 Jan 0001 00:00:00 +0000

From 2.12.0 all ZAP ‘calls home’ are made to the zaproxy.org domain.

The availability of these services is shown on an UptimeRobot dashboard.

Check for Updates

ZAP makes one request to https://cfu.zaproxy.org to see if ZAP or any of the add-ons are up to date.

What are the command line options?

Mon, 01 Jan 0001 00:00:00 +0000

Refer to command line help page.

What data does ZAP collect?

Mon, 01 Jan 0001 00:00:00 +0000

A.K.A. ZAP Privacy Statement

The ZAP Tool

As a Manipulator in the Middle (MitM) proxy ZAP is able to observe a large amount of potentially very sensitive information.

What does ZAP test for?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP supports:

HTTP active and passive scanning.
WebSockets passive scanning.

For a full list of the HTTP active and passive scan rules see the Alert Details page.

By default ZAP comes with the following (HTTP) scan rules:

But you can also download and install:

What is the default directory that ZAP uses?

Mon, 01 Jan 0001 00:00:00 +0000

The default directory that ZAP uses depends on the OS.

You can open the ZAP Home directory in your OS’s file explorer in ZAP via Help > Support Info ... and by clicking on the Open ZAP Home button.

It can be overridden using the -dir command line option.

What versions of Java are supported?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP should be able to run with all/newer Java versions, but might require a minimum for certain ZAP versions:

ZAP 2.16.0 and later requires a minimum of Java 17
ZAP 2.12.0 and later requires a minimum of Java 11
ZAP 2.7.0 and later requires a minimum of Java 8
ZAP 2.0.0 and later requires a minimum of Java 7
Previous versions of ZAP also support Java 6, the last of those being 1.4.1

Where can I ask ZAP related questions?

Mon, 01 Jan 0001 00:00:00 +0000

User Guide

The User Guide (which is also included with ZAP) is a good place to start.

User Group

The User Group is the best place for questions about using ZAP.

Where does ZAP put its logs?

Mon, 01 Jan 0001 00:00:00 +0000

Where is ZAP installed?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP is installed in different places depending on the OS.

The install directory contains everything that’s bundled with ZAP originally.

Windows 7 / 8 / 10

Underneath the Program Files directory, e.g.

Why does my Antivirus Tool Flag ZAP?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP Downloads

As of April 2025 browsers appear to be flagging the ZAP downloads as potentially dangerous.

This appears to be the ‘fault’ of the Google SafeBrowsing service.

Why does ZAP Access Out of Scope Domains?

Mon, 01 Jan 0001 00:00:00 +0000

You have automated ZAP to attack your site but then you see that there are other domains in the Sites Tree or in the report.

Does this mean ZAP has attacked those other domains?

No. ZAP will only attack the sites you specify.

However, the AJAX Spider and the DOM XSS Scan Rule both launch browsers. We allow the browsers to access certain off domain resources such as JavaScript files - blocking these often breaks the target sites and mean the AJAX Spider or DOM XSS Scan Rule would not work.

Why don't you rewrite ZAP in ?

Mon, 01 Jan 0001 00:00:00 +0000

OK, so this question doesn’t get asked all the time, but it does come up every so often.

So here’s the official response:

Firstly, do you really need ZAP rewritten?

ZAP supports all of the JSR 223 scripting languages, so you can already extend ZAP in a very wide range of scripting languages, including JavaScript, Jython, and Jruby.

Why is ZAP not available in my language?

Mon, 01 Jan 0001 00:00:00 +0000

We rely on people like yourself to translate ZAP into other languages.

If your language is not available then it means that we, the developers, unfortunately don’t speak your language well enough to translate it and no one else has volunteered.

However you can help :)

Get in touch with us if you want to translate ZAP into another language, we’d love to hear from you!

How can I add my own payloads to active scan rules?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP doesn’t just throw a load of payloads at a target to see what happens :)

The payloads are targeted based on the responses to other payloads so that it hopefully zeros in on specific vulnerabilities.

However there a various options:

Try out the custom payloads add-on which is supported by some of the existing rules
Change the existing rules to improve them - this blog post is a good place to start: Hacking ZAP: Active Scan Rules - if you do improve them then please submit pull requests :)
Write new rules to do whatever you want - this gives you full control, but could be a bit daunting to start with
Tweak the User defined attacks.js script - this is probably the easiest way to get started

How can I prevent ZAP from sending me 1000s of emails via a 'Contact Us' form?

Mon, 01 Jan 0001 00:00:00 +0000

In this case prevention is definitely better than cure.

By default when you use the ZAP spider and active scanner then ZAP will access all of the URLs, forms, and functionality it can find. If one of those results in your application sending emails then someone is going to get a LOT of emails. (Consider other scenarios like sending orders, HR actions, helpdesk tickets, etc.)

How can you speed up scans?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP finds vulnerabilities by sending lots of potentially malicious payloads at a target app and then trying to work out if the app is vulnerable to them. In order to find a wide range of vulnerabilities it has to send a lot of requests. This sort of scanning is going to take time.

How do I handle a False Positive?

Mon, 01 Jan 0001 00:00:00 +0000

False positives are where ZAP raises alerts for things that are not really vulnerabilities. You should make sure that you understand the potential vulnerability being reported and manually test it before concluding that it is not a real vulnerability.

Please report any false positives that you identify supplying as much information as you can, while obfuscating any sensitive information. New issues should just cover one scan rule and should include enough information for us to reproduce the problem. This will help us improve ZAP.

How do I report a False Negative?

Mon, 01 Jan 0001 00:00:00 +0000

False Negatives are where ZAP fails to identify an issue when it should.

Reporting these problems to us for passive scan rules is straightforward - just let us know the full request and/or response that ZAP should have raised the problem for.

Reporting problems with active scan rules is a bit more tricky, as ZAP will potentially send several requests to detect a specific problem and we need to know how your application responded to each one.

How often are scan rules updated?

Mon, 01 Jan 0001 00:00:00 +0000

Scan rules are defined in add-ons so they can be updated and published whenever they are improved.

However this may be less frequently than you might expect, and there are good reasons for that.

Some security tools focus on finding known vulnerabilities in known applications. New vulnerabilities are being found all of the time so the rules for these tools need to be frequently updated. These rules are often quite simple, they just need to detect that you are running a specific version of an application that has known vulnerabilities.

Is there any danger when scanning with ZAP against a live website (e.g. create/delete/update/corrupt data)?

Mon, 01 Jan 0001 00:00:00 +0000

Proxying (and therefore passive scanning) requests via ZAP is completely safe and legal, it just allows you to see whats going on.

Spidering is a bit more dangerous. It could cause problems depending on how your application works.

Note that there is an Spider option to not use POST requests - this may be safer but is also likely to reduce the effectiveness of the Spider.

Someone is using ZAP to attack my website - what should I do?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP is a free tool designed to help everyone secure their own websites. Unfortunately this means that other people can use it to attack your website as well.

ZAP is not designed to be a covert tool - it uses various variations of “ZAP” in its attacks, so if someone does use ZAP to attack your site then this should be apparent in your web server logs.

What should I do if ZAP doesn't detect a known problem?

Mon, 01 Jan 0001 00:00:00 +0000

If ZAP fails to detect a known problem then please let us know!

Obviously the more information you can give us the better, and the best option would be a simple one page ‘proof of concept’ in the form of a wavsep test - we can then include those in our regression tests.

Why can ZAP scans be inconsistent?

Mon, 01 Jan 0001 00:00:00 +0000

If you run ZAP multiple times against a target then you may well find that the results are subtly different even though the target has not changed.

This is not unusual, and we do not consider this a significant problem.

In our experience it is usually all down to how the application is explored - the traditional and ajax spiders seem to be sensitive to small changes, including things like network speed.

How can I add an application icon for ZAP to Fedora / Gnome 3?

Mon, 01 Jan 0001 00:00:00 +0000

As root create a file called /usr/share/applications/owasp-zap.desktop containing:

[Desktop Entry]
Name=OWASP ZAP
Exec=/opt/owasp/ZAP_2.8.0/zap.sh
Icon=/opt/owasp/ZAP_2.8.0/zap.ico
Categories=Programming;Security;
Type=Application

Make sure you correct the paths to match your environment!

How can I connect to ZAP remotely?

Mon, 01 Jan 0001 00:00:00 +0000

By default ZAP will now also only allow connections from the local machine. You can set which IP addresses can connect to the API using the command line:

-config api.addrs.addr.name=123.456.789.123

If you are using ZAP in a completely isolated environment you can allow all IP addresses to connect to the ZAP API using:

How can I fix 'browser was not found'?

Mon, 01 Jan 0001 00:00:00 +0000

If you want to manually explore your target app then the easiest way is to launch your favourite browser from ZAP. ZAP will automatically configure it to proxy via ZAP and to ignore the certificate warnings you would otherwise get from the ZAP root CA certificate.

But what can you do if ZAP fails to launch your browser?

How can I use ZAP with a Java application which connects to a web service over SSL?

Mon, 01 Jan 0001 00:00:00 +0000

You’ll need to generate a root CA certificate.

Export it into a file.

Import it in to the JRE cacerts keystore.

Assuming the Java keytool is on the system path, JAVA_HOME is set to the location of a JRE and the ZAP Root CA cert is exported to “~/zap_root_ca.cer”, then the command is:

How can you import POST requests?

Mon, 01 Jan 0001 00:00:00 +0000

GET requests can be easily imported into ZAP using the “Import URLs” option which is included in ZAP by default. However this only supports GET requests.

If you need to import POST requests, or requests using other HTTP methods like PUT and DELETE, then you have a selection of options:

How can you start ZAP?

Mon, 01 Jan 0001 00:00:00 +0000

Again, this depends on the OS:

Windows

There are 3 options on Windows:

Via the desktop icon (assuming you selected this option during installation)
Via the ‘Start’ menu:
- All Programs
  - ZAP
    - Zed Attack Proxy
      - ZAP <version>
Via the ‘zap.bat’ command line script in the installation directory

Linux

On Linux there’s just a ‘zap.sh’ script in the installation directory, although you can create a desktop icon manually as well.

How can ZAP automatically authenticate via forms?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP can handle pretty much any authentication out there.

The best place to start is the Authentication Decision Tree.

How do you add a script to ZAP from the command line?

Mon, 01 Jan 0001 00:00:00 +0000

If you are doing anything non-trivial with ZAP from the command line then you should use the Automation Framework. This has direct support for scripts.

If you cannot use the Automation Framework for any reason then you’ll need to use the following command line options (with the values changed to match your requirements of course;)

How do you configure ZAP logging?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP logs to a file called “zap.log” in the ZAP ‘home’ directory.

The logging is configured by the log4j2.properties file in the same directory.

By default the ‘main’ logging levels are set to info by these lines:

logger.paros.name = org.parosproxy.paros
logger.paros.level = info

logger.zap.name = org.zaproxy.zap
logger.zap.level = info

Changing these to debug (and restarting ZAP) will significantly increase the amount of logging performed:

How do you configure ZAP to test an application on localhost?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP has no problems scanning applications running on localhost, however there are a couple of things you need to be aware of.

By default ZAP listens on port 8080. If your app also listens on 8080 then you’ll need to change one of them to listen on a different port - it’s probably easier to change ZAP using the Options Local Proxies screen, remember to change your browser’s proxy settings as well: Configuring Proxies.

How do you find out what key to use to set a config value on the command line?

Mon, 01 Jan 0001 00:00:00 +0000

If you need to set options via the command line then have a look at the Automation Framework first. This is well documented and has support for all of the most commonly needed configuration parameters.

The ZAP command line allows you to set individual values as follows:

-config api.key=12345 -config network.connection.timeoutInSecs=60

How can you find out what keys to use to set the values you want?

How to connect to an HTTPS site that reports a handshake failure?

Mon, 01 Jan 0001 00:00:00 +0000

First of all try checking the ‘Enable unsafe SSL/TLS renegotiation’ checkbox in the Certificate Options screen and trying again.

Second check if you’ve enabled SSLv2Hello in the outbound connection options. If so, disable SSLv2Hello and reload the content to see if the issue is resolved.

If this doesn’t help and an HTTPS site reports a handshake failure then try installing the ‘Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files’:

What options exist for selective proxying?

Mon, 01 Jan 0001 00:00:00 +0000

There are a number of ways to accomplish selective proxying.

1 - Via a Browser Add-on/Extension

Such as FoxyProxy: https://getfoxyproxy.org/

2 - Via Global Exclusions

Leveraging Global Exclusions you can specify URLs that ZAP should not intercept.

3 - Via a PAC (Proxy Auto-Config) File

You can create your own PAC (Proxy Auto-Config) file and dynamically set proxying as you need, then point your browser at it on your harddrive using the file:/// scheme. For example:

function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.example.org")) {
        return "PROXY localhost:8080"; //Use ZAP for *.example.org
    }
    // Go directly to the WWW for everything else
    return "DIRECT";
}

Why can't ZAP connect to my web application?

Mon, 01 Jan 0001 00:00:00 +0000

This is usually not a ZAP problem.

Is your web application actually running?

Can you connect to it using the IP address rather than the FQDN or hostname?

Can you connect to your application from the same machine using another tool like curl?

If you are using one of the ZAP Docker images then be aware that using Docker will change the networking. In this case make sure that you run curl from the Docker image, e.g. using a command like:

Can ZAP be used to test mobile apps?

Mon, 01 Jan 0001 00:00:00 +0000

Yes, see this video from ZAPCon 2021:

These videos from @SecureCloudDev:

And these articles:

Intercepting Android traffic using OWASP ZAP - TheZero blog
Four Ways to Bypass Android SSL Verification and Certificate Pinning - NetSPI Blog
Debugging iOS apps with Zaproxy - Omer Levi Hevroni’s blog - Via The Way Back Machine

Can ZAP be used to test my favorite framework or technology?

Mon, 01 Jan 0001 00:00:00 +0000

If you have questions about using ZAP to test your app or site based on a specific framework or technology, please ask in the User Group.

Can ZAP be used to test my favorite vulnerable app?

Mon, 01 Jan 0001 00:00:00 +0000

We have a new section of the site focused on how to set up ZAP to scan a variety of test vulnerable web apps: ZAP Vs Test Apps.

The following pages will be updated and moved to that section in time.

Can ZAP be used to test Windows 8 Metro apps?

Mon, 01 Jan 0001 00:00:00 +0000

Yes, and there’s an excellent description of how to do that written by Bill Sempf: https://www.sempf.net/post/Pentesting-Windows-8-Metro-Apps-with-Zed-Attack-Proxy

Fonts in ZAP look bad on my system - what should I do?

Mon, 01 Jan 0001 00:00:00 +0000

This seems to come up on various Linux distros from time to time. For example: https://github.com/zaproxy/zaproxy/issues/3051

The following suggestions may let you work past the issue.

Try starting ZAP from the command line instead of starting it from a shortcut (such as a Plasma/KDE button, dock icon, etc.)
Try adding the following to /etc/environment:

_JAVA_OPTIONS='-Dawt.useSystemAAFontSettings=on'

How can I run ZAP with a high DPI display?

Mon, 01 Jan 0001 00:00:00 +0000

If ZAP is displayed in a really tiny window then it’s probably because you have a high DPI display.

We believe High DPI displays and ZAP should behave properly with Windows and Java 11+.

If you’re using Windows and encounter an issue then you can set the compatibility settings:

How can I use the ZAP API in my own regression tests?

Mon, 01 Jan 0001 00:00:00 +0000

You can use ZAP to perform security regression tests on your own products.

Note that this answer is very basic and WILL need to be improved ;)

You need to have installed Java and ZAP.

To launch ZAP from a Java program you can do something like:

ProcessBuilder pb = new ProcessBuilder("/home/myuser/fullpath/ZAP 2.9.0/zap.sh");  // full path to script, use zap.bat on Windows
pb.directory(new File("/home/myuser/fullpath/ZAP 2.9.0/"));  // directory where the script is in
Process p = pb.start();

Note that this will bring up the full UI, which is useful for initial testing. To launch it in the background pass “-daemon” as an argument to the script. Obviously there will be equivalents in other languages - you just need to run the relevant script (zap.sh or zap.bat) with the working directory set up to the location of that script.

How can you easily maximize a tab?

Mon, 01 Jan 0001 00:00:00 +0000

You can maximise any tab in ZAP by double clicking on it - that tab will now take up all of the ZAP window.

To see the other sets of tabs double click any of the tabs again.

How can you use ZAP to scan APIs?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP understands API formats like JSON and XML and so can be used to scan APIs.

The problem is usually how to effectively explore the APIs.

There are various options:

If your API has an OpenAPI/Swagger definition then you can import it using the OpenAPI add-on.
If your API uses GraphQL then you can explore it using the GraphQL add-on.
If your API has a WSDL then you can import it using the SOAP add-on.
If you have a list of endpoint URLs then you can import these using the Import files containing URLs add-on.
If you have regression tests for you API then you can proxy these through ZAP

The add-ons are available from the ZAP Marketplace.

How can ZAP test sites that use certificate pinning?

Mon, 01 Jan 0001 00:00:00 +0000

Certificate pinning also known as Public Key Pinning “is a mechanism for sites to specify which certificate authorities have issued valid certs for that site, and for user-agents to reject TLS connections to those sites if the certificate is not issued by a known-good CA.”

Sites that use certificate pinning will typically not be loaded in your browser if you are proxying it through ZAP.

How do I see what version of an add-on/extension I have installed?

Mon, 01 Jan 0001 00:00:00 +0000

There are three ways to do this:

1 - Via the Marketplace

Click the Marketplace button in the main toolbar:
The Installed tab now displays a column including the current version. This adds clarity if/when an update is available as the bottom panel displays the details for the update:

From the Help menu select “Support Info…”
Copy the entire contents or find the specific add-on you’re interested in.

3 - Via the CLI

zap.bat -suppinfo or zap.sh -suppinfo will produce output similar to:

OWASP ZAP
Version: 2.8.0
Installed Add-ons: [[id=alertFilters, version=8.0.0], [id=ascanrules, version=33.0.0], [id=bruteforce, version=8.0.0]
...snip...
[id=tips, version=6.0.0], [id=webdriverwindows, version=10.0.0], [id=websocket, version=19.0.0], [id=zest, version=29.0.0]]
Operating System: Windows 7
Java Version: Oracle Corporation 1.8.0_191
System's Locale: en_CA
Display Locale: en_GB
Format Locale: en_GB
ZAP Home Directory: C:\Users\someone\OWASP ZAP\
ZAP Installation Directory: C:\Program Files\OWASP\Zed Attack Proxy\.\
Look and Feel: Metal (javax.swing.plaf.metal.MetalLookAndFeel)

Setting up ZAP to Test Damn Vulnerable Web App (DVWA)

Mon, 01 Jan 0001 00:00:00 +0000

Following the steps used to spider/scan DVWA.

This was tested with

DVWA 2.3
ZAP 2.15.0

To set up DVWA follow the instructions on https://github.com/digininja/DVWA

In this case the following commands were used, but you should check to see if anything has changed:

git clone https://github.com/digininja/DVWA.git
cd DVWA
docker compose up -d

To run a full authenticated scan against DVWA download and import the Automation Framework plan:

Setting up ZAP to Test OWASP Pixi

Mon, 01 Jan 0001 00:00:00 +0000

Notes:

This FAQ is a work in progress as of 2018-June-1
This FAQ contains spoilers: <details> tags have been used to make them expandable and not immediately visible (which should work in most modern browsers).
These instructions assume you’ve created a user: test@example.com with password: testExample (via http://localhost:8000/register).

The following the steps are based on spider/scan of Pixi at http://localhost:8000/ using ZAP 2.7.0.

Setting up ZAP to Test Vaadin Apps

Mon, 01 Jan 0001 00:00:00 +0000

The information in this FAQ is based on details from: This user group thread

The Vaadin framework makes heavy use of JavaScript, so it seems the Ajax Spider is the way to go.

As you work to figure things out and get them configured correctly it makes sense to starting by proxying your browser through ZAP, identifying the http session and then flagging it as the ‘active session’ before starting the Ajax Spider.

What causes: Exception in thread 'AWT-EventQueue-0' when loading ZAP on Docked Mac OSX?

Mon, 01 Jan 0001 00:00:00 +0000

As discussed in https://github.com/zaproxy/zaproxy/issues/5469, this issue seems to occur when laptops are docked. (The work around is to un-dock your system.)

This is the same as https://github.com/oracle/visualvm/issues/84 which links to https://bugs.openjdk.java.net/browse/JDK-8223158

This issue is unfortunately outside the control of the ZAP team.

What is ZAP's assurance case?

Mon, 01 Jan 0001 00:00:00 +0000

Basic Threat Model & Trust Boundaries

ZAP is a Java application which is meant to be used primarily in Single user and CI/CD deployment models. As such protection of ZAP and its associated/generated data is outside the scope of ZAP’s sphere of influence (ex: if a system which houses ZAP can be physically stolen, then all the data on the system is at risk).

What operating systems are supported?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP should run on all operating systems that support Java 17 - it can even run on a Raspberry Pi!

If you experience any problems running ZAP then please report them to us.

What vulnerability classifications are supported?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP includes the following classifications for all of the vulnerabilities it finds wherever possible:

Why am I getting blank ZAP windows on Linux?

Mon, 01 Jan 0001 00:00:00 +0000

Java has problems with ’non standard’ window managers.

If you have changed from one of the main window managers and are seeing blank windows when you use ZAP then see https://wiki.haskell.org/Xmonad/Frequently_asked_questions#Problems_with_Java_applications.2C_Applet_java_console for potential solutions.

Why are there missing History IDs?

Mon, 01 Jan 0001 00:00:00 +0000

When you proxy via ZAP you will often see that some of the Ids in the History tab are ‘missing’, e.g. it will jump from 1 to 4 etc.

The missing Ids do not refer to ‘hidden’ requests that ZAP is making.

Instead those requests (which are not sent at all) are generated by ZAP for “internal” use only. They are used to show a “GET” request when “directory” nodes of the “Sites” tab, not yet (manually) accessed, are selected.

Why has the Quick Scan Attack reported an invalid URL?

Mon, 01 Jan 0001 00:00:00 +0000

If the Quick Start Attack fails with the message:

Failed to attack the URL, please check that the URL is valid

then the first thing to do is check your URL in a browser.

If it works ok then open the ZAP Manual Request Editor, replace the default URL with the one you are trying and send the request.

Why is an API key required by default?

Mon, 01 Jan 0001 00:00:00 +0000

Since version 2.4.1 ZAP has required an API key by default in order to invoke API operations that make changes to ZAP. Since version 2.6.0 an API key is required by default in order to invoke any of the API operations. This is a security feature to prevent malicious sites from invoking the ZAP API. ZAP version 2.6.0 also introduced additional security options. All of the API security options, including the API key, can be found in the API Options screen.

How Can I set Variables in the Automation Framework?

Mon, 01 Jan 0001 00:00:00 +0000

The Automation Framework supports variables, which includes environment variables. You can use these to set values referenced in your plan from the command line, including secrets such as credentials.

To see this in action download the ScriptEnvVarAccess.yaml plan and store it in your current working directory.

Edit the script and change PATH to MyVar.

What is the Best Way to Automate ZAP?

Mon, 01 Jan 0001 00:00:00 +0000

For most use cases, the best way to automate ZAP is using the Automation Framework.

For a comparison of the different automation options see Automation Options.

Frequently Asked Questions on ZAP

Somethings not working. What should I do?

Check for Updates

Does ZAP offer community services?

Be Aware

How do I get a specific feature implemented in ZAP?

How do I use Chrome with ZAP in Docker?

What 'calls home' does ZAP make?

Check for Updates

What are the command line options?

What data does ZAP collect?

A.K.A. ZAP Privacy Statement

The ZAP Tool

What does ZAP test for?

What is the default directory that ZAP uses?

What versions of Java are supported?

Where can I ask ZAP related questions?

User Guide

User Group

Where does ZAP put its logs?

Where is ZAP installed?

Windows 7 / 8 / 10

Why does my Antivirus Tool Flag ZAP?

ZAP Downloads

Why does ZAP Access Out of Scope Domains?

Why don't you rewrite ZAP in ?

Why is ZAP not available in my language?

How can I add my own payloads to active scan rules?

How can I prevent ZAP from sending me 1000s of emails via a 'Contact Us' form?

How can you speed up scans?

How do I handle a False Positive?

How do I report a False Negative?

How often are scan rules updated?

Is there any danger when scanning with ZAP against a live website (e.g. create/delete/update/corrupt data)?

Someone is using ZAP to attack my website - what should I do?

What should I do if ZAP doesn't detect a known problem?

Why can ZAP scans be inconsistent?

How can I add an application icon for ZAP to Fedora / Gnome 3?

How can I connect to ZAP remotely?

How can I fix 'browser was not found'?

How can I use ZAP with a Java application which connects to a web service over SSL?

How can you import POST requests?

How can you start ZAP?

Windows

Linux

How can ZAP automatically authenticate via forms?

How do you add a script to ZAP from the command line?

How do you configure ZAP logging?

How do you configure ZAP to test an application on localhost?

How do you find out what key to use to set a config value on the command line?

How to connect to an HTTPS site that reports a handshake failure?

What options exist for selective proxying?

1 - Via a Browser Add-on/Extension

2 - Via Global Exclusions

3 - Via a PAC (Proxy Auto-Config) File

Why can't ZAP connect to my web application?

Can ZAP be used to test mobile apps?

Can ZAP be used to test my favorite framework or technology?

Can ZAP be used to test my favorite vulnerable app?

Can ZAP be used to test Windows 8 Metro apps?

Fonts in ZAP look bad on my system - what should I do?

How can I run ZAP with a high DPI display?

How can I use the ZAP API in my own regression tests?

How can you easily maximize a tab?

How can you use ZAP to scan APIs?

How can ZAP test sites that use certificate pinning?

How do I see what version of an add-on/extension I have installed?

1 - Via the Marketplace

2 - Via the Help Menu

3 - Via the CLI

Setting up ZAP to Test Damn Vulnerable Web App (DVWA)

Setting up ZAP to Test OWASP Pixi

Setting up ZAP to Test Vaadin Apps

What causes: Exception in thread 'AWT-EventQueue-0' when loading ZAP on Docked Mac OSX?

What is ZAP's assurance case?

Basic Threat Model & Trust Boundaries

What operating systems are supported?

What vulnerability classifications are supported?

Why am I getting blank ZAP windows on Linux?

Why are there missing History IDs?