zap

How to capture HTTP request in OWASP ZAP

Submitted by 北城以北 on 2020-12-12 15:36:43
Question: I need to scan some APIs that are only available over the HTTP protocol. Let's say I'm testing http://example.com. I ran the following commands: export http_proxy=localhost:8080 export https_proxy=localhost:8080 curl http://example.com <html><body>Redirecting to https://example.com/</body></html> http://example.com is accessible; however, the ZAP proxy always gives me a 302 Redirect response, and in the GUI nothing is captured by ZAP. Capturing HTTPS APIs works well, but how can I make it work for HTTP?

zaproxy: unable to find image 'in:latest' locally

Submitted by 不羁岁月 on 2020-05-15 09:46:25
Question: I followed the example from: https://zaproxy.blogspot.com/2017/06/scanning-apis-with-zap.html I installed Docker on my Mac, executed docker pull owasp/zap2docker-weekly, and executed the example: docker run -t owasp/zap2docker-weekly zap-api-scan.py -t \ https://www.example.com/openapi.json -f openapi and it works. Then I executed my command to scan my API: docker run -v /etc/hosts:/etc/hosts -v $(pwd):/zap/wrk:rw -t owasp/zap2docker-weekly zap-api-scan.py -t myapitest.json -f openapi And I got: Unable to find image 'in

Zed Attack Proxy automated scanning of WebApi with OAuth

Submitted by 放肆的年华 on 2020-01-07 04:42:19
Question: I have configured ZAP 2.6 so that it is acting as a proxy for requests from an Android app to a web service over HTTPS. The authentication mechanism is OAuth 2, so in my login response I get an access token which is then sent in all subsequent request headers as follows: Authorization: Bearer my_long_and_encoded_access_token Is it possible to get ZAP to recognise this token and use it in tests initiated from the ZAP UI? I have looked at Automate OAuth access token for Zed Attack Proxy

OWASP ZAP reported “alert(1);” XSS vulnerability, but no popup showed up

Submitted by 人盡茶涼 on 2020-01-01 07:24:09
Question: OWASP ZAP reported an “alert(1);” XSS vulnerability, but we could not get a popup in the browser. Is this just a false positive? The HTML surrounding the injected attack is: <script type="text/javascript"> DataSet.FilterBuilder.QueryValuesDictionary['57_ctl00'] = ;alert(1);; </script> Source: https://stackoverflow.com/questions/29223275/owasp-zap-reported-alert1-xss-vulnerability-but-no-popup-showed-up

Selenium and Cucumber proxy setting (cucumber.xml or CucumberRunner)

Submitted by 我的梦境 on 2019-12-24 01:18:01
Question: Trying to set the proxy (to the OWASP ZAP Proxy port) in Cucumber via a property, but to no avail. cucumber.xml <beans profile="firefoxRemote"> <bean name="capability" init-method="firefox" class="org.openqa.selenium.remote.DesiredCapabilities"> <property name="browserName" value="firefox"/> <property name="version" value="42.0"/> <property name="PROXY" value="127.0.0.1:8090"/> </bean> I can also set it in CucumberRunner, but I don't know how. @RunWith(Cucumber.class) @CucumberOptions( features = {

Export/Import OWASP ZAP Passive Scan Rules

Submitted by 旧城冷巷雨未停 on 2019-12-20 04:55:38
Question: Is there any way to create a scan policy for passive scans? I know you can create and modify scan policies for the active/attack scanning, but I'm wondering if you can do the same for the passive scan rules, or if you have to individually modify them on every machine? Answer 1: There's an existing ticket open to unify Active/Passive Scan handling in a singular policy type interface: https://github.com/zaproxy/zaproxy/issues/3870. If you're really interested in that you could support it on

Adding authentication in ZAP tool to attack a URL

Submitted by 末鹿安然 on 2019-12-17 22:36:15
Question: How do I pass authentication details to the ZAP tool to scan the website? Please help me to solve the problem. Answer 1: Quite an old question, but here it goes. The simplest way to do this is to set your browser to proxy through ZAP. On Firefox you can go to: Options -> Advanced -> Network -> Settings. Select Manual Proxy Configuration and fill the HTTP Host with the address of the machine running ZAP (most probably localhost) and the configured ZAP port. You can check and configure the ZAP port