zap

how to solve OWASP ZAP reported “alert(1);” XSS vulnerability

给你一囗甜甜゛ submitted on 2019-12-13 08:55:35
Question: After running the OWASP ZAP scanning tool against our application, we see a number of XSS vulnerabilities when the tool attacked with this string: " onMouseOver="alert(1); or ;alert(1) So such strings will appear in the server response. Though it doesn't do anything in the browser. Maybe it's trying to insert additional attributes into HTML tags, but how to solve the problem? Answer 1: If you can post the HTML surrounding the injected attack then that might be enough. If you select the alert in ZAP then

How to create HTML report for zap(Owasp) using Python API script which integrates with Jenkins

爱⌒轻易说出口 submitted on 2019-12-13 03:56:05
Question: I have triggered ZAP with the Python API as below:- Script source:- https://github.com/zaproxy/zaproxy/wiki/ApiPython I want an HTML report generated via the command line. I am trying to integrate the same with Jenkins. I have found a few OWASP plug-ins for Jenkins but they don't seem to work as expected. Any idea, link or tutorial will really help me. Answer 1: At this URL/API ( http://ZAP-IP:PORT/UI/core/other/htmlreport/) the user can get the report. I haven't found any ZAP support plug-in so I have written selenium

Automate OAuth access token for Zed Attack Proxy Scans

南楼画角 submitted on 2019-12-12 05:58:50
Question: I want to run security scans for a few REST APIs. These APIs use OAuth and are divided into two sets, each using a different Grant Type. I want to run the security scan using the ZAP tool and I am not able to automate the process of getting the OAuth Token used by the requests. I am using SoapUI to record the APIs in ZAP, which works very fine. But when the token expires, I have to re-record or edit the token manually after retrieving it using SoapUI or Postman. A kind request to provide steps in a little bit of detail

Basic Authorization in OWASP ZAP

笑着哭i submitted on 2019-12-12 01:25:17
Question: I need to attack endpoints via the OWASP ZAP tool (got version 2.5.0). I tested the endpoints via Postman. I've got Authorization with Type: Basic Auth, Username: exampleUserName, Password: examplePass. Please could you give me any hints on how to set up Basic Auth in OWASP ZAP? I set up a User for my Context. What else is needed? Found solution: 1) Control Panel -> Internet Options -> Connections -> LAN Settings -> check "Use a proxy for etc." -> click OK 2) Send request via Postman with Basic Auth

How to prevent XSS for the form action URL?

♀尐吖头ヾ submitted on 2019-12-11 06:58:22
Question: We use Shibboleth's Single Sign-On (SSO) to do the authentication. Shibboleth is an open-source project which has been integrated into our project. Shibboleth will redirect to the login.jsp page if the user has not been authenticated. Now we have customized the login.jsp page to support localization. So, the form actionUrl has to be sent by the Shibboleth IdP (Identity Provider) to perform the authentication. Here is the sample code which Shibboleth has provided: <% if(request

Configure Zap Attack as a system wide proxy

折月煮酒 submitted on 2019-12-08 06:56:36
Question: I need a simple way to intercept all HTTP requests from a client Linux machine (Mint, Ubuntu, OpenSuse). I am using ZAP Attack Proxy. Configuring web browsers and client applications individually to use ZAP Attack as a proxy is not an option for me. Preferably it must capture all requests in a Fiddler-like manner, with no or minimum configuration. How do I configure ZAP Attack as a system-wide proxy? Answer 1: Can't you set ZAP as a proxy in the global network settings? That works for me on Fedora, I

Configure Zap Attack as a system wide proxy

半世苍凉 submitted on 2019-12-06 16:44:12
I need a simple way to intercept all HTTP requests from a client Linux machine (Mint, Ubuntu, OpenSuse). I am using ZAP Attack Proxy. Configuring web browsers and client applications individually to use ZAP Attack as a proxy is not an option for me. Preferably it must capture all requests in a Fiddler-like manner, with no or minimum configuration. How do I configure ZAP Attack as a system-wide proxy? Simon Bennetts: Can't you set ZAP as a proxy in the global network settings? That works for me on Fedora, I'm afraid I don't have a Mint/Ubuntu/OpenSuse system to try it out on, but this post implies it's the

Export/Import OWASP ZAP Passive Scan Rules

断了今生、忘了曾经 submitted on 2019-12-02 05:43:39
Is there any way to create a scan policy for passive scans? I know you can create and modify scan policies for the active/attack scanning, but I'm wondering if you can do the same for the passive scan rules or if you have to individually modify them on every machine? There's an existing ticket open to unify Active/Passive Scan handling in a singular policy type interface: https://github.com/zaproxy/zaproxy/issues/3870 . If you're really interested in that you could support it on BountySource ( https://www.bountysource.com/issues/49047644-improved-active-passive-rules-management ) and see if

Adding authentication in ZAP tool to attack a URL

吃可爱长大的小学妹 submitted on 2019-11-28 18:45:18
How to pass authentication details to the ZAP tool to scan the website? Please help me to solve the problem. Quite an old question, but here it goes. The simplest way to do this is setting your browser to proxy through ZAP. On Firefox you can go to: Options -> Advanced -> Network -> Settings. Select Manual Proxy Configuration and fill the HTTP Host with the address of the machine running ZAP (most probably localhost) and the configured ZAP port. You can check and configure the ZAP port by opening ZAP and accessing: Tools -> Options -> Local Proxy. Then open your web browser and log in to your