OWASP ZAP Developer Group

1–30 of 1890

Welcome to the OWASP Zed Attack Proxy (ZAP) Development Group.
Please use this group for any questions about developing, fixing or extending ZAP.
And if you post spam then it will be deleted and your account blocked.

0 selected

david foley, … Neil McAlister11

5:50 AM

OWASP Zap Github Action

Thanks Simon - I've re-written my pipeline now to stop using the AZDO task from a third party -

unread,

OWASP Zap Github Action

Thanks Simon - I've re-written my pipeline now to stop using the AZDO task from a third party -

5:50 AM

Ayushi G, kingthorin+owaspzap2

Oct 17

x-frame-options and x-content-type-options

Configure your infrastructure to properly set the headers. On Sunday, October 17, 2021 at 8:30:15 AM

unread,

x-frame-options and x-content-type-options

Configure your infrastructure to properly set the headers. On Sunday, October 17, 2021 at 8:30:15 AM

Oct 17

panda, kingthorin+owaspzap2

Oct 16

Access SSL certificate of target, via scripts

You could look at enhancing the HttpsInfo add-on? On Saturday, October 16, 2021 at 12:06:56 PM UTC-4

unread,

Access SSL certificate of target, via scripts

You could look at enhancing the HttpsInfo add-on? On Saturday, October 16, 2021 at 12:06:56 PM UTC-4

Oct 16

Varun K, psiinon4

Oct 11

[Looking for feedback] Zap As A Service

Hi Simon, Thanks for the feedback! Yes, I am thinking of open sourcing it. I have a working solution

unread,

[Looking for feedback] Zap As A Service

Hi Simon, Thanks for the feedback! Yes, I am thinking of open sourcing it. I have a working solution

Oct 11

Oct 7

ZAP 2.11.0 has been released!

For more details see the blog post: https://www.zaproxy.org/blog/2021-10-07-zap-2-11-0/ Thank you to

unread,

ZAP 2.11.0 has been released!

For more details see the blog post: https://www.zaproxy.org/blog/2021-10-07-zap-2-11-0/ Thank you to

Oct 7

Sep 29

ZAP 2.11.0 Release Candidate

The latest ZAP Weekly release is the 2.11.0 Release Candidate. You can download it from https://www.

unread,

ZAP 2.11.0 Release Candidate

The latest ZAP Weekly release is the 2.11.0 Release Candidate. You can download it from https://www.

Sep 29

Sep 28

OWASP Top Ten mappings - help appreciated

As a last min change to ZAP 2.11.0 we are looking to map the ZAP alerts to the OWASP Top Ten 2017 and

unread,

OWASP Top Ten mappings - help appreciated

As a last min change to ZAP 2.11.0 we are looking to map the ZAP alerts to the OWASP Top Ten 2017 and

Sep 28

Federica, … kingthorin+owaspzap10

Sep 27

Create new OWASP ZAP Exstension

https://www.zaproxy.org/search/?q=hacking+zap On Monday, September 27, 2021 at 4:27:57 PM UTC-4

unread,

Create new OWASP ZAP Exstension

https://www.zaproxy.org/search/?q=hacking+zap On Monday, September 27, 2021 at 4:27:57 PM UTC-4

Sep 27

psiinon, patel harshil4

Sep 27

ZAP 2.11.0 Coming Soon!

Hopefully yes. As far as I'm aware they are not available yet, but when they are I will post

unread,

ZAP 2.11.0 Coming Soon!

Hopefully yes. As far as I'm aware they are not available yet, but when they are I will post

Sep 27

Marian Tîrlea, psiinon3

Sep 16

Customization of html report

And if you or anyone else fancies helping us by creating better reports, just a reminder that the

unread,

Customization of html report

And if you or anyone else fancies helping us by creating better reports, just a reminder that the

Sep 16

Jun Yin, kingthorin+owaspzap2

Sep 15

Is it possible to SQL inject JS files?

If you want to understand specifically what ZAP's doing you can review the code of the scan rules

unread,

Is it possible to SQL inject JS files?

If you want to understand specifically what ZAP's doing you can review the code of the scan rules

Sep 15

Venkata Subrahmanyam, … kingthorin+owaspzap6

Sep 15

Raising new 3rd party JS alert

There are lots of examples of Passive Scan Script Rules here if you need ideas: https://github.com/

unread,

Raising new 3rd party JS alert

There are lots of examples of Passive Scan Script Rules here if you need ideas: https://github.com/

Sep 15

Sep 14

POST Request Inject Null and System paths

Hi Team, When i ran ZAP at attack mode we observe it triggered multiple post api with the different

unread,

POST Request Inject Null and System paths

Hi Team, When i ran ZAP at attack mode we observe it triggered multiple post api with the different

Sep 14

Sep 14

What is the principle of zap to judge SQL injection? (zap判断SQL注入的原理是什么？)

My website will use PHP's built-in function intval() to force type conversion when passing

unread,

What is the principle of zap to judge SQL injection? (zap判断SQL注入的原理是什么？)

My website will use PHP's built-in function intval() to force type conversion when passing

Sep 14

Mirza Oglecevac, psiinon2

Sep 13

Anti CSRF token

First of all - if you can easily disable CSRF protection in your app then why not do so, just when

unread,

Anti CSRF token

First of all - if you can easily disable CSRF protection in your app then why not do so, just when

Sep 13

psiinon, Harish Nair2

Sep 5

Re: How to pass location of local openapi file to zap

I have seen issues when using shared directories in virtualbox. As long as it is in local file system

unread,

Re: How to pass location of local openapi file to zap

I have seen issues when using shared directories in virtualbox. As long as it is in local file system

Sep 5

patel harshil, psiinon2

Sep 2

Question regarding creating an add-on.

Hiya, OK, what you're trying to do is non trivial .. but should still definitely be possible. I

unread,

Question regarding creating an add-on.

Hiya, OK, what you're trying to do is non trivial .. but should still definitely be possible. I

Sep 2

Karthik U J, … psiinon4

Aug 31

Regarding documentation of Zapproxy scripting object and methods

Okay, I am trying to do this is JavaScript instead, it is proving to be better. Thank you all. On

unread,

Regarding documentation of Zapproxy scripting object and methods

Okay, I am trying to do this is JavaScript instead, it is proving to be better. Thank you all. On

Aug 31

Bhoj Raj Joshi, psiinon8

Aug 28

script based authentication - How to automate

Hiya Bhoj, The ZAP website is in a public repo so you can just submit a PR to that: https://github.

unread,

script based authentication - How to automate

Hiya Bhoj, The ZAP website is in a public repo so you can just submit a PR to that: https://github.

Aug 28

Aug 26

ZAP Internal Statistics

ZAP also has an internal event bus. And yes, we now have a new page which lists all of the events as

unread,

ZAP Internal Statistics

ZAP also has an internal event bus. And yes, we now have a new page which lists all of the events as

Aug 26

Ricardo Estalder, … kingthorin+owaspzap3

Aug 25

ZAP alert categorization in owasp top 10 vulnerabilities

This guide doc might be of interest, related to this topic: https://www.zaproxy.org/docs/guides/

unread,

ZAP alert categorization in owasp top 10 vulnerabilities

This guide doc might be of interest, related to this topic: https://www.zaproxy.org/docs/guides/

Aug 25

Aug 25

ZAP GSoC 2021 Projects - OAST and Retest

Google summer of Code 2021 has now finished. We had 2 projects both of which have resulted in new add

unread,

ZAP GSoC 2021 Projects - OAST and Retest

Google summer of Code 2021 has now finished. We had 2 projects both of which have resulted in new add

Aug 25

Felipe França, kingthorin+owaspzap3

Aug 20

Inject cookie in the header in api scan

So, I want to run the API scan in the command line with these methods, how I can use it? have you any

unread,

Inject cookie in the header in api scan

So, I want to run the API scan in the command line with these methods, how I can use it? have you any

Aug 20

Felipe França, kingthorin+owaspzap3

Aug 18

Problems to get Swagger URLs

Sure, thanks, I'll contact with them. Em quarta-feira, 18 de agosto de 2021 às 13:15:03 UTC-3,

unread,

Problems to get Swagger URLs

Sure, thanks, I'll contact with them. Em quarta-feira, 18 de agosto de 2021 às 13:15:03 UTC-3,

Aug 18

psiinon, … kingthorin+owaspzap3

Aug 12

Mapping issues to OWASP Top 10

There's also probably not much sense in mapping anything older than 2017 (Top 10 wise) On

unread,

Mapping issues to OWASP Top 10

There's also probably not much sense in mapping anything older than 2017 (Top 10 wise) On

Aug 12

Christopher Williams, kingthorin+owaspzap2

Aug 12

client certificate in plain text (any way to obfuscate it)

That's up to your setup, if you can handle it via an env var or key vault interaction. On

unread,

client certificate in plain text (any way to obfuscate it)

That's up to your setup, if you can handle it via an env var or key vault interaction. On

Aug 12

Aug 12

ajaxscan can't scan urls

but,when i use selenium+firefox or phantomjs in python codes, i can load the page correctly, this can

unread,

ajaxscan can't scan urls

but,when i use selenium+firefox or phantomjs in python codes, i can load the page correctly, this can

Aug 12

Praveen Kumar, kingthorin+owaspzap4

Aug 10

Owasp Zap cannot able to capture transactions via remote dirver (Firefox)

Probably also need to empty the 'no proxy for' list. You can see all the options we set for

unread,

Owasp Zap cannot able to capture transactions via remote dirver (Firefox)

Probably also need to empty the 'no proxy for' list. You can see all the options we set for

Aug 10

Bhoj Raj Joshi, psiinon3

Aug 10

ZAP Docker takes longer to finish API scan with "-c" option

While looking through the logs, I get below two errors, one at the ZAP initialization (common error

unread,

ZAP Docker takes longer to finish API scan with "-c" option

While looking through the logs, I get below two errors, one at the ZAP initialization (common error

Aug 10

Bhoj Raj Joshi, … thc...@gmail.com5

Aug 6

How to set Protected mode in ZAP docker?

That's it! Thank you :) On Friday, 6 August, 2021 at 4:40:59 pm UTC+5:30 thc202 wrote: Start the

unread,

How to set Protected mode in ZAP docker?

That's it! Thank you :) On Friday, 6 August, 2021 at 4:40:59 pm UTC+5:30 thc202 wrote: Start the

Aug 6

Search

Clear search

Close search

Google apps

Main menu