OWASP ZAP Cheat Sheet¶
Überblick¶
OWASP ZAP (Zed Attack Proxy) ist eines der weltweit beliebtesten kostenlosen Sicherheitstools und wird aktiv von Hunderten von internationalen Freiwilligen gepflegt. ZAP ist ein umfassender Web Application Security Scanner, der Entwicklern und Sicherheitsexperten hilft, Sicherheitslücken in Webanwendungen während Entwicklungs- und Testphasen automatisch zu finden. Entwickelt durch das Open Web Application Security Project (OWASP) bietet ZAP sowohl automatisierte Scan-Funktionen als auch manuelle Testwerkzeuge, wodurch es sowohl für Sicherheits- als auch für erfahrene Penetrationstester geeignet ist.
Die Kernstärke von OWASP ZAP liegt in seiner abfangenden Proxy-Funktionalität, die es Sicherheitsexperten ermöglicht, HTTP/HTTPS-Verkehr zwischen Webbrowsern und Anwendungen in Echtzeit zu erfassen, zu überprüfen und zu modifizieren. Diese Man-in-the-middle-Fähigkeit ermöglicht umfassende Sicherheitstests, indem sie Sichtbarkeit in alle Client-Server-Kommunikationen, einschließlich AJAX-Anfragen, WebSocket-Verbindungen und API-Anrufe, bietet. Der automatisierte Scanner von ZAP kann eine breite Palette von Sicherheitslücken erkennen, einschließlich SQL-Injektion, Cross-Site-Skripting (XSS), Cross-Site-Anforderungsfälschung (CSRF), Verzeichnis-Traversal und viele andere OWASP Top 10 Schwachstellen, während seine passiven Scanfähigkeiten den Verkehr für Sicherheitsprobleme kontinuierlich überwachen, ohne die Anwendung aktiv anzugreifen.
ZAPs umfangreiches Feature-Set umfasst erweiterte Spinning-Fähigkeiten für umfassende Anwendungs-Erkennung, Fuzzing-Tools für Eingabe-Validierungstests und eine leistungsstarke Skripting-Engine, die mehrere Programmiersprachen für individuelle Sicherheitstests unterstützt. Die Plattform bietet sowohl Desktop-GUI- als auch Befehlszeilenschnittstellen, sodass sie für interaktive Tests und automatisierte CI/CD-Integration geeignet sind. Mit seiner umfassenden API, umfangreichem Plugin-Ökosystem und aktiver Community-Support bietet OWASP ZAP Sicherheitstests für Unternehmen in Unternehmensqualität, während es völlig frei und offen bleibt, so dass es ein wesentliches Werkzeug für Organisationen, die DevSecOps-Praktiken und sicherheitserste Entwicklungsmethoden implementieren.
Installation¶
Ubuntu/Debian Installation¶
Installation von OWASP ZAP auf Ubuntu/Debian Systemen:
```bash
Update system packages¶
sudo apt update && sudo apt upgrade -y
Install Java (required for ZAP)¶
sudo apt install -y openjdk-11-jdk
Verify Java installation¶
java -version
Download and install ZAP¶
wget https://github.com/zaproxy/zaproxy/releases/download/v2.14.0/ZAP_2_14_0_unix.sh chmod +x ZAP_2_14_0_unix.sh sudo ./ZAP_2_14_0_unix.sh
Alternative: Install via Snap¶
sudo snap install zaproxy --classic
Alternative: Install via APT (may be older version)¶
sudo apt install -y zaproxy
Install ZAP daemon for headless operation¶
sudo apt install -y zaproxy-daemon
Verify installation¶
zap.sh -version
Install additional dependencies¶
sudo apt install -y firefox-esr xvfb
Create desktop shortcut¶
cat > ~/Desktop/OWASP-ZAP.desktop ``<< 'EOF' [Desktop Entry] Version=1.0 Type=Application Name=OWASP ZAP Comment=Web Application Security Scanner Exec=/opt/zaproxy/zap.sh Icon=/opt/zaproxy/zap.ico Terminal=false Categories=Development;Security; EOF
chmod +x ~/Desktop/OWASP-ZAP.desktop ```_
CentOS/RHEL Installation¶
```bash
Install Java¶
sudo yum install -y java-11-openjdk java-11-openjdk-devel
Verify Java installation¶
java -version
Download ZAP¶
wget https://github.com/zaproxy/zaproxy/releases/download/v2.14.0/ZAP_2_14_0_unix.sh chmod +x ZAP_2_14_0_unix.sh sudo ./ZAP_2_14_0_unix.sh
Alternative: Install via RPM¶
wget https://github.com/zaproxy/zaproxy/releases/download/v2.14.0/ZAP_2_14_0_Linux.tar.gz tar -xzf ZAP_2_14_0_Linux.tar.gz sudo mv ZAP_2.14.0 /opt/zaproxy sudo ln -sf /opt/zaproxy/zap.sh /usr/local/bin/zap
Install Firefox for browser integration¶
sudo yum install -y firefox
Verify installation¶
zap --version ```_
macOS Installation¶
```bash
Install using Homebrew¶
brew install --cask owasp-zap
Alternative: Download installer¶
https://github.com/zaproxy/zaproxy/releases¶
Install Java if needed¶
brew install openjdk@11
Verify installation¶
/Applications/OWASP ZAP.app/Contents/MacOS/OWASP ZAP.sh -version
Create command line alias¶
echo 'alias zap="/Applications/OWASP ZAP.app/Contents/MacOS/OWASP ZAP.sh"' >``> ~/.zshrc source ~/.zshrc ```_
Windows Installation¶
```bash
Download Windows installer¶
https://github.com/zaproxy/zaproxy/releases/download/v2.14.0/ZAP_2_14_0_windows.exe¶
Install using Chocolatey¶
choco install zap
Install using Scoop¶
scoop bucket add extras scoop install owasp-zap
Verify installation¶
"C:\Program Files\OWASP\Zed Attack Proxy\ZAP.exe" -version
Add to PATH¶
setx PATH "%PATH%;C:\Program Files\OWASP\Zed Attack Proxy" ```_
Docker Installation¶
Laufen OWASP ZAP in Docker:
```bash
Pull official ZAP image¶
docker pull owasp/zap2docker-stable
Run ZAP daemon¶
docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080
Run ZAP with GUI (requires X11 forwarding)¶
docker run -u zap -p 8080:8080 -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix owasp/zap2docker-stable zap.sh
Run baseline scan¶
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py -t https://example.com
Run full scan¶
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-full-scan.py -t https://example.com
Run API scan¶
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-api-scan.py -t https://example.com/api/openapi.json
Create custom Dockerfile¶
cat > Dockerfile.zap << 'EOF' FROM owasp/zap2docker-stable
Install additional tools¶
USER root RUN apt-get update && apt-get install -y \ curl \ jq \ python3-pip
Install Python dependencies¶
RUN pip3 install requests beautifulsoup4
Switch back to zap user¶
USER zap
Set working directory¶
WORKDIR /zap
Default command¶
CMD ["zap.sh", "-daemon", "-host", "0.0.0.0", "-port", "8080"] EOF
Build custom image¶
docker build -f Dockerfile.zap -t zap-custom .
Run custom image¶
docker run -p 8080:8080 zap-custom ```_
Basisnutzung¶
GUI Schnittstelle¶
Mit ZAPs grafischer Schnittstelle:
```bash
Start ZAP GUI¶
zap.sh
Start with specific configuration¶
zap.sh -config api.key=your-api-key
Start with custom memory allocation¶
zap.sh -Xmx2g
Start with specific session file¶
zap.sh -session /path/to/session.session
Start with addon directory¶
zap.sh -addoninstalldir /path/to/addons
Configure proxy settings¶
Tools > Options > Local Proxies¶
Default: localhost:8080¶
Configure browser proxy¶
Firefox: Preferences > Network Settings¶
Set HTTP Proxy: localhost:8080¶
Check "Use this proxy server for all protocols"¶
Import CA certificate¶
Tools > Options > Dynamic SSL Certificates¶
Save certificate and import to browser¶
Manual explore mode¶
Navigate through application manually¶
ZAP will passively scan all traffic¶
Automated scan¶
Right-click on target in Sites tree¶
Select "Attack" > "Active Scan"¶
```_
Kommandozeilenschnittstelle¶
ZAP aus der Befehlszeile verwenden:
```bash
Start ZAP daemon¶
zap.sh -daemon -host localhost -port 8080
Start with API key¶
zap.sh -daemon -config api.key=your-api-key
Start headless (no GUI)¶
zap.sh -daemon -host 0.0.0.0 -port 8080
Quick baseline scan¶
zap-baseline.py -t https://example.com
Full scan with report¶
zap-full-scan.py -t https://example.com -r zap-report.html
API scan¶
zap-api-scan.py -t https://example.com/api/swagger.json
Custom scan with configuration¶
zap.sh -daemon -quickurl https://example.com -quickout zap-report.html
Scan with authentication¶
zap.sh -daemon -quickurl https://example.com -quickauth username:password
Scan with custom rules¶
zap.sh -daemon -quickurl https://example.com -quickrules /path/to/rules.conf ```_
Proxy Konfiguration¶
ZAP als abfangende Proxy einrichten:
```bash
Configure ZAP proxy¶
Default settings:¶
Address: localhost¶
Port: 8080¶
Configure browser proxy (Firefox)¶
about:preferences#general¶
Network Settings > Settings¶
Manual proxy configuration:¶
HTTP Proxy: localhost Port: 8080¶
HTTPS Proxy: localhost Port: 8080¶
Configure browser proxy (Chrome)¶
Settings > Advanced > System > Open proxy settings¶
Or use command line:¶
google-chrome --proxy-server="localhost:8080"
Configure system proxy (Linux)¶
export http_proxy=http://localhost:8080 export https_proxy=http://localhost:8080
Configure curl to use ZAP proxy¶
curl --proxy localhost:8080 https://example.com
Configure wget to use ZAP proxy¶
wget --proxy=on --http-proxy=localhost:8080 https://example.com
Import ZAP CA certificate¶
Tools > Options > Dynamic SSL Certificates¶
Click "Save" to export certificate¶
Import certificate to browser/system trust store¶
Certificate import (Firefox)¶
about:preferences#privacy¶
Certificates > View Certificates > Authorities > Import¶
Certificate import (Chrome)¶
Settings > Privacy and security > Security > Manage certificates¶
Authorities > Import¶
Certificate import (Linux system)¶
sudo cp owasp_zap_root_ca.cer /usr/local/share/ca-certificates/ sudo update-ca-certificates ```_
Erweiterte Funktionen¶
Automatisches Scannen¶
Automatische Scans konfigurieren und ausführen:
```bash
Spider configuration¶
Tools > Options > Spider¶
Max Depth: 5¶
Max Children: 0 (unlimited)¶
Max Duration: 0 (unlimited)¶
Request Delay: 0ms¶
Active scan configuration¶
Tools > Options > Active Scan¶
Threads per host: 2¶
Max rule duration: 0 (unlimited)¶
Max scan duration: 0 (unlimited)¶
Delay when scanning: 0ms¶
Passive scan configuration¶
Tools > Options > Passive Scanner¶
Enable all rules¶
Max alerts per rule: 0 (unlimited)¶
Start spider scan¶
Right-click target in Sites tree¶
Attack > Spider¶
Start active scan¶
Right-click target in Sites tree¶
Attack > Active Scan¶
Configure scan policy¶
Analyse > Scan Policy Manager¶
Create new policy or modify existing¶
Enable/disable specific rules¶
Set attack strength levels¶
Custom scan script¶
!/bin/bash¶
ZAP_API_KEY="your-api-key" TARGET_URL="https://example.com"
Start ZAP daemon¶
zap.sh -daemon -config api.key=$ZAP_API_KEY & sleep 30
Spider the target¶
curl "http://localhost:8080/JSON/spider/action/scan/?url=\(TARGET_URL&apikey;=\)ZAP_API_KEY"
Wait for spider to complete¶
while [ \((curl -s "http://localhost:8080/JSON/spider/view/status/?apikey=\)ZAP_API_KEY"|jq -r '.status') != "100" ]; do echo "Spider progress: \((curl -s "http://localhost:8080/JSON/spider/view/status/?apikey=\)ZAP_API_KEY"|jq -r '.status')%" sleep 10 done
Start active scan¶
curl "http://localhost:8080/JSON/ascan/action/scan/?url=\(TARGET_URL&apikey;=\)ZAP_API_KEY"
Wait for active scan to complete¶
while [ \((curl -s "http://localhost:8080/JSON/ascan/view/status/?apikey=\)ZAP_API_KEY"|jq -r '.status') != "100" ]; do echo "Active scan progress: \((curl -s "http://localhost:8080/JSON/ascan/view/status/?apikey=\)ZAP_API_KEY"|jq -r '.status')%" sleep 30 done
Generate report¶
curl "http://localhost:8080/OTHER/core/other/htmlreport/?apikey=$ZAP_API_KEY" > zap-report.html
echo "Scan completed. Report saved to zap-report.html" ```_
Authentication¶
Konfiguration der Authentifizierung für geschützte Anwendungen:
```bash
Form-based authentication¶
Tools > Options > Authentication¶
Select "Form-based Authentication"¶
Login URL: https://example.com/login¶
Username parameter: username¶
Password parameter: password¶
Username: testuser¶
Password: testpass¶
Logged in indicator: "Welcome"¶
Logged out indicator: "Login"¶
Script-based authentication¶
Create authentication script¶
cat > auth_script.js << 'EOF' function authenticate(helper, paramsValues, credentials) \\{ var msg = helper.prepareMessage(); msg.setRequestHeader("Content-Type", "application/json"); msg.setRequestBody('\\{"username":"' + credentials.getParam("username") + '","password":"' + credentials.getParam("password") + '"\\}'); helper.sendAndReceive(msg, false);
return msg;
\\}
function getRequiredParamsNames() \\{ return ["username", "password"]; \\}
function getOptionalParamsNames() \\{ return []; \\}
function getCredentialsParamsNames() \\{ return ["username", "password"]; \\} EOF
HTTP/NTLM authentication¶
Tools > Options > Authentication¶
Select "HTTP/NTLM Authentication"¶
Hostname: example.com¶
Realm: DOMAIN¶
Username: user¶
Password: pass¶
API key authentication¶
Tools > Options > Authentication¶
Select "Script-based Authentication"¶
Add API key to headers or parameters¶
Session management¶
Tools > Options > Session Management¶
Cookie-based session management (default)¶
HTTP authentication session management¶
Script-based session management¶
User management¶
Tools > Options > Users¶
Add users for authenticated scanning¶
Configure credentials for each user¶
```_
Fuzzing¶
ZAPs Fuzzing-Funktionen nutzen:
```bash
Manual fuzzing¶
Right-click on request in History¶
Attack > Fuzz¶
Configure fuzz locations¶
Select text to fuzz¶
Add fuzz location¶
Choose payload type:¶
- File¶
- Strings¶
- Numberzz¶
- Regex¶
Common fuzz payloads¶
SQL injection payloads¶
' OR '1'='1 '; DROP TABLE users; -- ' UNION SELECT null,null,null--
XSS payloads¶
javascript:alert('XSS')
Directory traversal payloads¶
../../../etc/passwd ........\windows\system32\drivers\etc\hosts %2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
Command injection payloads¶
; ls -la
|whoami
& dir
id
Custom fuzzing script¶
!/bin/bash¶
Automated fuzzing with ZAP API¶
ZAP_API_KEY="your-api-key" TARGET_URL="https://example.com/search?q=test"
Create fuzz payload file¶
cat > fuzz_payloads.txt << 'EOF'
' OR '1'='1 ../../../etc/passwd ; ls -la $\\{7*7\\} \\{\\{7*7\\}\\} EOF
Start fuzzing via API¶
curl -X POST "http://localhost:8080/JSON/fuzzer/action/addPayload/" \ -d "type=file&file;=fuzz_payloads.txt&apikey;=$ZAP_API_KEY"
Monitor fuzzing progress¶
curl "http://localhost:8080/JSON/fuzzer/view/scans/?apikey=$ZAP_API_KEY" ```_
Skript und Automatisierung¶
Erweiterte Skriptfunktionen:
```bash
JavaScript scripting¶
Tools > Options > Scripts¶
Create new script¶
Passive scan script example¶
cat > passive_scan_script.js << 'EOF' function scan(ps, msg, src) \\{ var body = msg.getResponseBody().toString(); var url = msg.getRequestHeader().getURI().toString();
// Check for sensitive information disclosure
| | if (body.indexOf("password") != -1 | | body.indexOf("secret") != -1) \\{ | | ps.raiseAlert( 1, // Risk: High 1, // Confidence: High "Sensitive Information Disclosure", "The response contains sensitive information", url, "", "", "Remove sensitive information from responses", body, 0, // CWE ID 13, // WASC ID msg ); \\} \\} EOF
Active scan script example¶
cat > active_scan_script.js << 'EOF' function scan(as, msg, param, value) \\{ var newMsg = msg.cloneRequest();
// Test for SQL injection
var sqlPayload = "' OR '1'='1";
as.setParam(newMsg, param, sqlPayload);
as.sendAndReceive(newMsg, false, false);
var response = newMsg.getResponseBody().toString();
| | if (response.indexOf("SQL syntax") != -1 | | response.indexOf("mysql_fetch") != -1) \\{ | | as.raiseAlert( 3, // Risk: High 2, // Confidence: Medium "SQL Injection", "Possible SQL injection vulnerability", newMsg.getRequestHeader().getURI().toString(), param, sqlPayload, "Use parameterized queries", response, 89, // CWE ID 19, // WASC ID newMsg ); \\} \\} EOF
Python scripting¶
cat > zap_automation.py ``<< 'EOF'
!/usr/bin/env python3¶
import time import requests import json
class ZAPAutomation: def init(self, zap_url="http://localhost:8080", api_key=None): self.zap_url = zap_url self.api_key = api_key
def spider_scan(self, target_url):
"""Start spider scan"""
params = \\\{
'url': target_url,
'apikey': self.api_key
\\\}
response = requests.get(f"\\\{self.zap_url\\\}/JSON/spider/action/scan/", params=params)
return response.json()
def active_scan(self, target_url):
"""Start active scan"""
params = \\\{
'url': target_url,
'apikey': self.api_key
\\\}
response = requests.get(f"\\\{self.zap_url\\\}/JSON/ascan/action/scan/", params=params)
return response.json()
def get_alerts(self):
"""Get all alerts"""
params = \\\{
'apikey': self.api_key
\\\}
response = requests.get(f"\\\{self.zap_url\\\}/JSON/core/view/alerts/", params=params)
return response.json()
def generate_report(self, format='html'):
"""Generate scan report"""
params = \\\{
'apikey': self.api_key
\\\}
if format == 'html':
response = requests.get(f"\\\{self.zap_url\\\}/OTHER/core/other/htmlreport/", params=params)
elif format == 'xml':
response = requests.get(f"\\\{self.zap_url\\\}/OTHER/core/other/xmlreport/", params=params)
elif format == 'json':
response = requests.get(f"\\\{self.zap_url\\\}/JSON/core/view/alerts/", params=params)
return response.json()
return response.text
Usage example¶
if name == "main": zap = ZAPAutomation(api_key="your-api-key")
# Start spider scan
target = "https://example.com"
spider_result = zap.spider_scan(target)
print(f"Spider scan started: \\\{spider_result\\\}")
# Wait for spider to complete
time.sleep(60)
# Start active scan
active_result = zap.active_scan(target)
print(f"Active scan started: \\\{active_result\\\}")
# Wait for active scan to complete
time.sleep(300)
# Get alerts
alerts = zap.get_alerts()
print(f"Found \\\{len(alerts['alerts'])\\\} alerts")
# Generate report
report = zap.generate_report('html')
with open('zap_report.html', 'w') as f:
f.write(report)
print("Report saved to zap_report.html")
EOF ```_
Integrationsbeispiele¶
CI/CD Integration¶
```yaml
GitLab CI/CD Pipeline¶
stages: - security-test
zap-security-scan: stage: security-test image: owasp/zap2docker-stable script: # Baseline scan - zap-baseline.py -t $TARGET_URL -r baseline-report.html
# Full scan for staging environment
-|
if [ "$CI_COMMIT_REF_NAME" = "staging" ]; then
zap-full-scan.py -t $TARGET_URL -r full-report.html
fi
# API scan if OpenAPI spec exists
-|
if [ -f "openapi.json" ]; then
zap-api-scan.py -t $TARGET_URL -f openapi -r api-report.html
fi
artifacts: when: always paths: - "*.html" reports: junit: zap-report.xml
allow_failure: true
GitHub Actions Workflow¶
name: Security Scan with OWASP ZAP
on: push: branches: [ main, develop ] pull_request: branches: [ main ]
jobs: zap-scan: runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: ZAP Baseline Scan
uses: zaproxy/action-baseline@v0.7.0
with:
target: 'https://example.com'
rules_file_name: '.zap/rules.tsv'
cmd_options: '-a'
- name: ZAP Full Scan
uses: zaproxy/action-full-scan@v0.4.0
with:
target: 'https://example.com'
rules_file_name: '.zap/rules.tsv'
cmd_options: '-a'
- name: Upload ZAP Reports
uses: actions/upload-artifact@v2
with:
name: zap-reports
path: |
report_html.html
report_json.json
Jenkins Pipeline¶
pipeline \{ agent \{ docker \{ image 'owasp/zap2docker-stable' args '-u root --entrypoint=' \} \}
environment \\\{
TARGET_URL = 'https: //example.com'
ZAP_API_KEY = credentials('zap-api-key')
\\\}
stages \\\{
stage('ZAP Security Scan') \\\{
parallel \\\{
stage('Baseline Scan') \\\{
steps \\\{
script \\\{
sh '''
zap-baseline.py -t $TARGET_URL \
-r baseline-report.html \
-x baseline-report.xml
'''
\\\}
\\\}
\\\}
stage('API Scan') \\\{
when \\\{
expression \\\{ fileExists('swagger.json') \\\}
\\\}
steps \\\{
script \\\{
sh '''
zap-api-scan.py -t $TARGET_URL \
-f openapi \
-r api-report.html \
-x api-report.xml
'''
\\\}
\\\}
\\\}
\\\}
\\\}
stage('Process Results') \\\{
steps \\\{
// Archive reports
archiveArtifacts artifacts: '*.html,*.xml', fingerprint: true
// Publish test results
publishTestResults testResultsPattern: '*.xml'
// Publish HTML reports
publishHTML([
allowMissing: false,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: '.',
reportFiles: '*.html',
reportName: 'ZAP Security Report'
])
\\\}
\\\}
\\\}
post \\\{
always \\\{
// Clean up
sh 'rm -f *.html *.xml'
\\\}
failure \\\{
// Send notification
emailext (
subject: "Security Scan Failed: $\\\{env.JOB_NAME\\\} - $\\\{env.BUILD_NUMBER\\\}",
body: "ZAP security scan failed. Check console output for details.",
to: "$\\\{env.SECURITY_TEAM_EMAIL\\\}"
)
\\\}
\\\}
\} ```_
Fehlerbehebung¶
Gemeinsame Themen¶
Proxy-Konfigurationsprobleme: ```bash
Check ZAP proxy status¶
curl -x localhost:8080 http://httpbin.org/ip
Test HTTPS through proxy¶
curl -x localhost:8080 -k https://httpbin.org/ip
Check certificate installation¶
openssl s_client -connect localhost:8080 -servername example.com
Reset proxy settings¶
Tools >`` Options > Local Proxies > Reset to defaults¶
Clear browser proxy cache¶
Firefox: about:networking#dns > Clear DNS Cache¶
Chrome: chrome://net-internals/#dns > Clear host cache¶
```_
Memory Issues: ```bash
Increase memory allocation¶
zap.sh -Xmx4g
Monitor memory usage¶
Help > Support Info > Memory¶
Optimize for large applications¶
Tools > Options > Spider > Max Depth: 3¶
Tools > Options > Active Scan > Threads per host: 1¶
Clear session data¶
File > New Session¶
```_
Leistungsfragen: ```bash
Reduce scan intensity¶
Tools > Options > Active Scan > Attack mode: Safe¶
Limit scan scope¶
Tools > Options > Active Scan > Input vectors: Reduce selection¶
Increase delays¶
Tools > Options > Active Scan > Delay when scanning: 1000ms¶
Use scan policies¶
Analyse > Scan Policy Manager > Create lightweight policy¶
```_
Authentifizierungsfragen: ```bash
Verify authentication configuration¶
Tools > Options > Authentication > Test authentication¶
Check session management¶
Tools > Options > Session Management > Verify session handling¶
Monitor authentication in History tab¶
Look for login/logout requests¶
Use manual authentication¶
Manually log in through ZAP proxy¶
Right-click authenticated request > Flag as Context > Authentication¶
Debug authentication script¶
Add logging to authentication script¶
Check ZAP logs for errors¶
```_
API Fehlerbehebung¶
Debugging ZAP API Probleme:
```bash
Test API connectivity¶
curl "http://localhost:8080/JSON/core/view/version/"
Check API key¶
curl "http://localhost:8080/JSON/core/view/version/?apikey=your-api-key"
Enable API debugging¶
Tools > Options > API > Enable debug logging¶
Check API logs¶
tail -f ~/.ZAP/zap.log|grep API
Test specific API endpoints¶
curl "http://localhost:8080/JSON/spider/view/status/?apikey=your-api-key" curl "http://localhost:8080/JSON/ascan/view/status/?apikey=your-api-key"
Validate API responses¶
curl -s "http://localhost:8080/JSON/core/view/alerts/?apikey=your-api-key"|jq . ```_
Sicherheitsüberlegungen¶
Operationelle Sicherheit¶
** Sicherheitstests:** - Nur Testanwendungen, die Sie besitzen oder eine ausdrückliche Erlaubnis zum Testen haben - Verwenden Sie isolierte Testumgebungen, um die Datenexposition zu verhindern - Implementierung einer richtigen Netzwerksegmentierung für Sicherheitstests - Konfigurieren Sie geeignete Scan-Richtlinien, um Servicestörungen zu vermeiden - Überwachen Sie die Anwendungsleistung beim Testen
Datenschutz: - Verschlüsseln Sie ZAP Sitzungsdateien und Berichte mit sensiblen Daten - Implementierung sicherer Datenspeicherrichtlinien für Scan-Ergebnisse - Zugriff auf ZAP-Installationen und Konfigurationsdateien steuern - Sichere Übertragung von Scanberichten und Befunden - Regelmäßige Reinigung von temporären Dateien und Sitzungsdaten
Defensive Überlegungen¶
** Erkennung und Prävention:** - Monitor für ZAP Benutzer Agenten und Scan-Muster - Implementierung von Web Application Firewalls (WAF) mit Sicherheitstesterkennung - Bereitstellung von Anwendungssicherheitsüberwachung und Anomalieerkennung - Regelmäßige Sicherheitscodebewertungen und statische Analyse - Durchführung einer ordnungsgemäßen Eingangsvalidierung und Ausgangscodierung
Referenzen¶
- OWASP ZAP Offizielle Dokumentation
- [ZAP GitHub Repository](https://LINK_5_
- ZAP API Dokumentation
- OWASP Web Security Testing Guide
- ZAP Docker Bilder