Access Control Testing not working


浩宇

Oct 9, 2025, 3:03:23 AM
to ZAP User Group

I used the Pikachu shooting-range "privilege override" (越权) vulnerability to verify ZAP's Access Control Testing, but no matter how I configured it, alert IDs 10101 and 10102 could not be triggered. Why is this? (Attachments: 1.jpg, 2.jpg, 3.jpg, 4.jpg)

浩宇

Oct 9, 2025, 4:16:24 AM
to ZAP User Group
The images aren't showing up. (Attachment: 2.jpg)

浩宇

Oct 9, 2025, 4:24:21 AM
to ZAP User Group
I set up the context, policy, multiple accounts, etc., but I can't find the ID 10101 and 10102 vulnerabilities.

Simon Bennetts

Oct 13, 2025, 9:15:28 AM
to ZAP User Group
It will either be a bug or a misconfiguration.
This is an alpha rule which has not had any significant update since 2015, so it may have broken at some point.

Access control testing is something that we would love to get back to and improve, but right now it's not something that I'm likely to be able to find time to look into.

If you do decide to try to debug it then we would be very interested in what you find :)

Cheers,

Simon

Haoy

Oct 14, 2025, 5:31:28 AM
to ZAP User Group
What is its detection logic? For two users, is it detecting the status code of the end user's request or the content of the response?
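Haoy's question above is not answered in the thread. As an added illustration (not the ZAP add-on's own code; its real logic lives in the accessControl add-on source and should be checked there), the Python below sketches the general shape of automated access-control testing and shows why the "was access granted?" verdict matters: each request is replayed as every configured user, including an unauthenticated one, and the outcome is compared with the expected rule for that user. A verdict based on the status code alone misreports an application that serves its login page with HTTP 200, while a verdict that also consults logged-in/logged-out indicator regexes (the kind a ZAP context holds) does not. The sample application, its paths, the user names and the indicator patterns are all constructed for this example. The two finding kinds, unauthenticated access and wrong-user access, mirror the improper-authentication / improper-authorization split; as far as I know 10101 is the improper-authentication alert and 10102 the improper-authorization one, but confirm that against the add-on's help page.

```python
"""Minimal model of automated access-control testing (added illustration, not ZAP's code).

Every (resource, user) pair has an expected rule (allowed / denied). The tester
replays each request as each user, decides whether access was actually granted,
and reports mismatches. Everything below is constructed for this example.
"""
import re
from typing import Callable, Dict, List, NamedTuple


class Response(NamedTuple):
    status: int
    body: str


# Constructed sample application. "anon" is an unauthenticated session.
# Deliberate weaknesses: /admin/users is served to any logged-in user (missing
# role check) and /profile/export is served even without a session (missing
# authentication check). /profile is correctly protected, but it denies access
# by rendering the login page with HTTP 200 rather than a 401/302.
def sample_app(path: str, user: str) -> Response:
    login_page = Response(200, "<h1>Please log in</h1><form>...</form>")
    if path == "/profile":
        if user == "anon":
            return login_page  # correct denial, but with a 200 status
        return Response(200, f"<h1>Profile of {user}</h1><a href=/logout>Logout</a>")
    if path == "/profile/export":
        return Response(200, "id,email\n1,alice@example.test\n")  # no auth check at all
    if path == "/admin/users":
        if user == "anon":
            return Response(302, "Please log in")  # denial via redirect
        return Response(200, "<h1>All users</h1><a href=/logout>Logout</a>")  # no role check
    return Response(404, "Not found")


# Indicator regexes of the kind a ZAP context carries (constructed here).
LOGGED_IN = re.compile(r"href=/logout>Logout")
LOGGED_OUT = re.compile(r"Please log in")

# Expected access matrix: resource -> user -> rule.
RULES: Dict[str, Dict[str, str]] = {
    "/profile":        {"anon": "denied", "alice": "allowed", "admin": "allowed"},
    "/profile/export": {"anon": "denied", "alice": "allowed", "admin": "allowed"},
    "/admin/users":    {"anon": "denied", "alice": "denied",  "admin": "allowed"},
}


def granted_by_status(r: Response) -> bool:
    """Naive verdict: any 2xx counts as access granted."""
    return 200 <= r.status < 300


def granted_by_content(r: Response) -> bool:
    """Content-aware verdict: a body matching the logged-out indicator is a
    denial regardless of status; otherwise fall back to the status code."""
    if LOGGED_OUT.search(r.body):
        return False
    return granted_by_status(r)


def run_access_control_test(app: Callable[[str, str], Response],
                            rules: Dict[str, Dict[str, str]],
                            verdict: Callable[[Response], bool]) -> List[dict]:
    """Replay every resource as every user and report rule mismatches."""
    findings = []
    for path, per_user in rules.items():
        for user, rule in per_user.items():
            resp = app(path, user)
            got = verdict(resp)
            expected = rule == "allowed"
            if got == expected:
                continue
            if got and user == "anon":
                issue = "improper_authentication"  # no session, yet served
            elif got:
                issue = "improper_authorization"   # wrong user, yet served
            else:
                issue = "unexpected_denial"        # functional bug, not a security issue
            findings.append({"path": path, "user": user,
                             "status": resp.status, "issue": issue})
    return findings


if __name__ == "__main__":
    for name, verdict in (("status-only", granted_by_status),
                          ("content-aware", granted_by_content)):
        print(f"== {name} verdict ==")
        for f in run_access_control_test(sample_app, RULES, verdict):
            print(f"  {f['issue']:24} {f['user']:6} {f['path']} (HTTP {f['status']})")
```

Run it and the status-only verdict reports three issues, one of them a false positive on /profile (the login page comes back as 200), while the content-aware verdict reports only the two real weaknesses. That difference is exactly why a tool needs correctly configured logged-in/logged-out indicators (or equivalent) before its access-control results mean anything.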

kingthorin+zap

Oct 14, 2025, 8:40:40 AM
to ZAP User Group

Simon Bennetts

Oct 15, 2025, 4:25:57 AM
to ZAP User Group
Pro tip - as ZAP is open source you can ask your favorite LLM questions like this, just make sure you also ask for the location of the code and double check any answers it gives you.
For example, try asking ChatGPT: "What detection logic does the ZAP Access Control add-on use for finding issues?"

Cheers,

Simon

kingthorin+zap

Oct 16, 2025, 8:35:03 AM
to ZAP User Group
At the same time, keep in mind that we've also seen lots of LLMs hallucinating when asked to create ZAP scripts, etc. So be diligent 😁