OWASP ZAP hoja de trucos
Overview
OWASP ZAP (Zed Attack Proxy) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. ZAP is a comprehensive aplicación web security scanner that helps developers and security professionals automatically find security vulnerabilities in aplicación webs during development and testing phases. Developed by the Open aplicación web Security Project (OWASP), ZAP provides both automated scanning capabilities and manual testing tools, making it suitable for both security novices and experienced penetration testers.
The core strength of OWASP ZAP lies in its intercepting proxy functionality, which allows security professionals to intercept, inspect, and modify HTTP/HTTPS traffic between web browsers and applications in real-time. This man-in-the-middle capability enables comprehensive security testing by providing visibility into all client-server communications, including AJAX requests, Websocket conexións, and API calls. ZAP's automated scanner can detect a wide range of security vulnerabilities including inyección SQL, cross-site scripting (XSS) (XSS), cross-site request forgery (CSRF), directory traversal, and many other OWASP Top 10 vulnerabilities, while its passive scanning capabilities continuously monitor traffic for security issues without actively attacking the application.
ZAP's extensive feature set includes advanced spidering capabilities for comprehensive application discovery, fuzzing tools for input validation testing, and a powerful scripting engine that suppuertos multiple programming languages for custom security tests. The platform offers both desktop GUI and comando-line interfaces, making it suitable for interactive testing and automated CI/CD integration. With its comprehensive API, extensive plugin ecosystem, and active community suppuerto, OWASP ZAP provides enterprise-grade aplicación web security testing capabilities while remaining completely free and open-source, making it an essential tool for organizations implementing DevSecOps practices and security-first development methodologies.
instalación
Ubuntu/Debian instalación
Installing OWASP ZAP on Ubuntu/Debian systems:
# Update system packages
sudo apt update && sudo apt upgrade -y
# Install Java (required for ZAP)
sudo apt install -y openjdk-11-jdk
# Verify Java instalación
java -version
# Download and install ZAP
wget https://github.com/zaproxy/zaproxy/releases/download/v2.14.0/ZAP_2_14_0_unix.sh
chmod +x ZAP_2_14_0_unix.sh
sudo ./ZAP_2_14_0_unix.sh
# Alternative: Install via Snap
sudo snap install zaproxy --classic
# Alternative: Install via APT (may be older version)
sudo apt install -y zaproxy
# Install ZAP demonio for headless operation
sudo apt install -y zaproxy-demonio
# Verify instalación
zap.sh -version
# Install additional dependencies
sudo apt install -y firefox-esr xvfb
# Create desktop shortcut
cat > ~/Desktop/OWASP-ZAP.desktop ``<< 'EOF'
[Desktop Entry]
Version=1.0
Type=Application
Name=OWASP ZAP
Comment=aplicación web Security Scanner
Exec=/opt/zaproxy/zap.sh
Icon=/opt/zaproxy/zap.ico
Terminal=false
Categories=Development;Security;
EOF
chmod +x ~/Desktop/OWASP-ZAP.desktop
CentOS/RHEL instalación
# Install Java
sudo yum install -y java-11-openjdk java-11-openjdk-devel
# Verify Java instalación
java -version
# Download ZAP
wget https://github.com/zaproxy/zaproxy/releases/download/v2.14.0/ZAP_2_14_0_unix.sh
chmod +x ZAP_2_14_0_unix.sh
sudo ./ZAP_2_14_0_unix.sh
# Alternative: Install via RPM
wget https://github.com/zaproxy/zaproxy/releases/download/v2.14.0/ZAP_2_14_0_Linux.tar.gz
tar -xzf ZAP_2_14_0_Linux.tar.gz
sudo mv ZAP_2.14.0 /opt/zaproxy
sudo ln -sf /opt/zaproxy/zap.sh /usr/local/bin/zap
# Install Firefox for browser integration
sudo yum install -y firefox
# Verify instalación
zap --version
macOS instalación
# Install using Homebrew
brew install --cask owasp-zap
# Alternative: Download installer
# https://github.com/zaproxy/zaproxy/releases
# Install Java if needed
brew install openjdk@11
# Verify instalación
/Applications/OWASP\ ZAP.app/Contents/MacOS/OWASP\ ZAP.sh -version
# Create comando line alias
echo 'alias zap="/Applications/OWASP\ ZAP.app/Contents/MacOS/OWASP\ ZAP.sh"' >``> ~/.zshrc
source ~/.zshrc
Windows instalación
# Download Windows installer
# https://github.com/zaproxy/zaproxy/releases/download/v2.14.0/ZAP_2_14_0_windows.exe
# Install using Chocolatey
choco install zap
# Install using Scoop
scoop bucket add extras
scoop install owasp-zap
# Verify instalación
"C:\Program Files\OWASP\Zed Attack Proxy\ZAP.exe" -version
# Add to PATH
setx PATH "%PATH%;C:\Program Files\OWASP\Zed Attack Proxy"
Docker instalación
Running OWASP ZAP in Docker:
# Pull official ZAP image
docker pull owasp/zap2docker-stable
# Run ZAP demonio
docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -demonio -host 0.0.0.0 -puerto 8080
# Run ZAP with GUI (requires X11 forwarding)
docker run -u zap -p 8080:8080 -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix owasp/zap2docker-stable zap.sh
# Run baseline scan
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py -t https://ejemplo.com
# Run full scan
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-full-scan.py -t https://ejemplo.com
# Run API scan
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-api-scan.py -t https://ejemplo.com/api/openapi.json
# Create custom Dockerfile
cat > Dockerfile.zap << 'EOF'
FROM owasp/zap2docker-stable
# Install additional tools
USER root
RUN apt-get update && apt-get install -y \
curl \
jq \
python3-pip
# Install Python dependencies
RUN pip3 install requests beautifulsoup4
# Switch back to zap user
USER zap
# Set working directory
WORKDIR /zap
# Default comando
CMD ["zap.sh", "-demonio", "-host", "0.0.0.0", "-puerto", "8080"]
EOF
# Build custom image
docker build -f Dockerfile.zap -t zap-custom .
# Run custom image
docker run -p 8080:8080 zap-custom
Basic uso
GUI Interface
Using ZAP's graphical interface:
# Start ZAP GUI
zap.sh
# Start with specific configuración
zap.sh -config api.clave=your-api-clave
# Start with custom memory allocation
zap.sh -Xmx2g
# Start with specific sesión file
zap.sh -sesión /path/to/sesión.sesión
# Start with addon directory
zap.sh -addoninstalldir /path/to/addons
# Configure proxy settings
# Tools > opcións > Local Proxies
# Default: localhost:8080
# Configure browser proxy
# Firefox: Preferencias > Network Settings
# Set HTTP Proxy: localhost:8080
# Check "Use this proxy server for all protocolos"
# Impuerto CA certificado
# Tools > opcións > Dynamic SSL certificados
# Save certificado and impuerto to browser
# Manual explore mode
# Navigate through application manually
# ZAP will passively scan all traffic
# Automated scan
# Right-click on objetivo in Sites tree
# Select "Attack" > "Active Scan"
comando Line Interface
Using ZAP from comando line:
# Start ZAP demonio
zap.sh -demonio -host localhost -puerto 8080
# Start with API clave
zap.sh -demonio -config api.clave=your-api-clave
# Start headless (no GUI)
zap.sh -demonio -host 0.0.0.0 -puerto 8080
# Quick baseline scan
zap-baseline.py -t https://ejemplo.com
# Full scan with repuerto
zap-full-scan.py -t https://ejemplo.com -r zap-repuerto.html
# API scan
zap-api-scan.py -t https://ejemplo.com/api/swagger.json
# Custom scan with configuración
zap.sh -demonio -quickurl https://ejemplo.com -quickout zap-repuerto.html
# Scan with autenticación
zap.sh -demonio -quickurl https://ejemplo.com -quickauth nombre de usuario:contraseña
# Scan with custom rules
zap.sh -demonio -quickurl https://ejemplo.com -quickrules /path/to/rules.conf
Proxy configuración
Setting up ZAP as intercepting proxy:
# Configure ZAP proxy
# Default settings:
# Address: localhost
# puerto: 8080
# Configure browser proxy (Firefox)
# about:preferencias#general
# Network Settings > Settings
# Manual proxy configuración:
# HTTP Proxy: localhost puerto: 8080
# HTTPS Proxy: localhost puerto: 8080
# Configure browser proxy (Chrome)
# Settings > Advanced > System > Open proxy settings
# Or use comando line:
google-chrome --proxy-server="localhost:8080"
# Configure system proxy (Linux)
expuerto http_proxy=http://localhost:8080
expuerto https_proxy=http://localhost:8080
# Configure curl to use ZAP proxy
curl --proxy localhost:8080 https://ejemplo.com
# Configure wget to use ZAP proxy
wget --proxy=on --http-proxy=localhost:8080 https://ejemplo.com
# Impuerto ZAP CA certificado
# Tools > opcións > Dynamic SSL certificados
# Click "Save" to expuerto certificado
# Impuerto certificado to browser/system trust store
# certificado impuerto (Firefox)
# about:preferencias#privacy
# certificados > View certificados > Authorities > Impuerto
# certificado impuerto (Chrome)
# Settings > Privacy and security > Security > Manage certificados
# Authorities > Impuerto
# certificado impuerto (Linux system)
sudo cp owasp_zap_root_ca.cer /usr/local/share/ca-certificados/
sudo update-ca-certificados
Advanced Features
Automated Scanning
Configuring and running automated scans:
# Spider configuración
# Tools > opcións > Spider
# Max Depth: 5
# Max Children: 0 (unlimited)
# Max Duration: 0 (unlimited)
# Request Delay: 0ms
# Active scan configuración
# Tools > opcións > Active Scan
# hilos per host: 2
# Max rule duration: 0 (unlimited)
# Max scan duration: 0 (unlimited)
# Delay when scanning: 0ms
# Passive scan configuración
# Tools > opcións > Passive Scanner
# Enable all rules
# Max alerts per rule: 0 (unlimited)
# Start spider scan
# Right-click objetivo in Sites tree
# Attack > Spider
# Start active scan
# Right-click objetivo in Sites tree
# Attack > Active Scan
# Configure scan policy
# Analyse > Scan Policy Manager
# Create new policy or modify existing
# Enable/disable specific rules
# Set attack strength levels
# Custom scan script
#!/bin/bash
ZAP_API_clave="your-api-clave"
objetivo_URL="https://ejemplo.com"
# Start ZAP demonio
zap.sh -demonio -config api.clave=$ZAP_API_clave &
sleep 30
# Spider the objetivo
curl "http://localhost:8080/JSON/spider/action/scan/?url=$objetivo_URL&apiclave;=$ZAP_API_clave"
# Wait for spider to complete
while [ $(curl -s "http://localhost:8080/JSON/spider/view/status/?apiclave=$ZAP_API_clave"|jq -r '.status') != "100" ]; do
echo "Spider progress: $(curl -s "http://localhost:8080/JSON/spider/view/status/?apiclave=$ZAP_API_clave"|jq -r '.status')%"
sleep 10
done
# Start active scan
curl "http://localhost:8080/JSON/ascan/action/scan/?url=$objetivo_URL&apiclave;=$ZAP_API_clave"
# Wait for active scan to complete
while [ $(curl -s "http://localhost:8080/JSON/ascan/view/status/?apiclave=$ZAP_API_clave"|jq -r '.status') != "100" ]; do
echo "Active scan progress: $(curl -s "http://localhost:8080/JSON/ascan/view/status/?apiclave=$ZAP_API_clave"|jq -r '.status')%"
sleep 30
done
# Generate repuerto
curl "http://localhost:8080/OTHER/core/other/htmlrepuerto/?apiclave=$ZAP_API_clave" > zap-repuerto.html
echo "Scan completed. Repuerto saved to zap-repuerto.html"
autenticación
Configuring autenticación for protected applications:
# Form-based autenticación
# Tools > opcións > autenticación
# Select "Form-based autenticación"
# Login URL: https://ejemplo.com/login
# nombre de usuario parámetro: nombre de usuario
# contraseña parámetro: contraseña
# nombre de usuario: testuser
# contraseña: testpass
# Logged in indicator: "Welcome"
# Logged out indicator: "Login"
# Script-based autenticación
# Create autenticación script
cat > auth_script.js << 'EOF'
function authenticate(helper, paramsValues, credenciales) \\\\{
var msg = helper.prepareMessage();
msg.setRequestHeader("Content-Type", "application/json");
msg.setRequestBody('\\\\{"nombre de usuario":"' + credenciales.getParam("nombre de usuario") + '","contraseña":"' + credenciales.getParam("contraseña") + '"\\\\}');
helper.sendAndReceive(msg, false);
return msg;
\\\\}
function getRequiredParamsNames() \\\\{
return ["nombre de usuario", "contraseña"];
\\\\}
function getopciónalParamsNames() \\\\{
return [];
\\\\}
function getcredencialesParamsNames() \\\\{
return ["nombre de usuario", "contraseña"];
\\\\}
EOF
# HTTP/NTLM autenticación
# Tools > opcións > autenticación
# Select "HTTP/NTLM autenticación"
# hostname: ejemplo.com
# Realm: DOMAIN
# nombre de usuario: user
# contraseña: pass
# API clave autenticación
# Tools > opcións > autenticación
# Select "Script-based autenticación"
# Add API clave to headers or parámetros
# sesión management
# Tools > opcións > sesión Management
# Cookie-based sesión management (default)
# HTTP autenticación sesión management
# Script-based sesión management
# User management
# Tools > opcións > Users
# Add users for authenticated scanning
# Configure credenciales for each user
Fuzzing
Using ZAP's fuzzing capabilities:
# Manual fuzzing
# Right-click on request in History
# Attack > Fuzz
# Configure fuzz locations
# Select text to fuzz
# Add fuzz location
# Choose payload type:
# - File
# - Strings
# - Numberzz
# - Regex
# Common fuzz payloads
# inyección SQL payloads
' OR '1'='1
'; DROP TABLE users; --
' UNION SELECT null,null,null--
# XSS payloads
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
javascript:alert('XSS')
# Directory traversal payloads
../../../etc/passwd
..\..\..\..\windows\system32\drivers\etc\hosts
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
# inyección de comandos payloads
; ls -la
|whoami
& dir
`id`
# Custom fuzzing script
#!/bin/bash
# Automated fuzzing with ZAP API
ZAP_API_clave="your-api-clave"
objetivo_URL="https://ejemplo.com/search?q=test"
# Create fuzz payload file
cat > fuzz_payloads.txt << 'EOF'
<script>alert('XSS')</script>
' OR '1'='1
../../../etc/passwd
; ls -la
$\\\\{7*7\\\\}
\\\\{\\\\{7*7\\\\}\\\\}
EOF
# Start fuzzing via API
curl -X POST "http://localhost:8080/JSON/fuzzer/action/addpayload/" \
-d "type=file&file;=fuzz_payloads.txt&apiclave;=$ZAP_API_clave"
# Monitor fuzzing progress
curl "http://localhost:8080/JSON/fuzzer/view/scans/?apiclave=$ZAP_API_clave"
Scripting and Automation
Advanced scripting capabilities:
# JavaScript scripting
# Tools > opcións > Scripts
# Create new script
# Passive scan script ejemplo
cat > passive_scan_script.js << 'EOF'
function scan(ps, msg, src) \\\\{
var body = msg.getResponseBody().toString();
var url = msg.getRequestHeader().getURI().toString();
// Check for sensitive information disclosure
| if (body.indexOf("contraseña") != -1 | | body.indexOf("secret") != -1) \\\\{ |
ps.raiseAlert(
1, // Risk: High
1, // Confidence: High
"Sensitive Information Disclosure",
"The response contains sensitive information",
url,
"",
"",
"Remove sensitive information from responses",
body,
0, // CWE ID
13, // WASC ID
msg
);
\\\\}
\\\\}
EOF
# Active scan script ejemplo
cat > active_scan_script.js << 'EOF'
function scan(as, msg, param, value) \\\\{
var newMsg = msg.cloneRequest();
// Test for inyección SQL
var sqlpayload = "' OR '1'='1";
as.setParam(newMsg, param, sqlpayload);
as.sendAndReceive(newMsg, false, false);
var response = newMsg.getResponseBody().toString();
| if (response.indexOf("SQL sintaxis") != -1 | | response.indexOf("mysql_fetch") != -1) \\\\{ |
as.raiseAlert(
3, // Risk: High
2, // Confidence: Medium
"inyección SQL",
"Possible inyección SQL vulnerabilidad",
newMsg.getRequestHeader().getURI().toString(),
param,
sqlpayload,
"Use parámetroized queries",
response,
89, // CWE ID
19, // WASC ID
newMsg
);
\\\\}
\\\\}
EOF
# Python scripting
cat > zap_automation.py ``<< 'EOF'
#!/usr/bin/env python3
impuerto time
impuerto requests
impuerto json
class ZAPAutomation:
def __init__(self, zap_url="http://localhost:8080", api_clave=None):
self.zap_url = zap_url
self.api_clave = api_clave
def spider_scan(self, objetivo_url):
"""Start spider scan"""
params = \\\{
'url': objetivo_url,
'apiclave': self.api_clave
\\\}
response = requests.get(f"\\\{self.zap_url\\\}/JSON/spider/action/scan/", params=params)
return response.json()
def active_scan(self, objetivo_url):
"""Start active scan"""
params = \\\{
'url': objetivo_url,
'apiclave': self.api_clave
\\\}
response = requests.get(f"\\\{self.zap_url\\\}/JSON/ascan/action/scan/", params=params)
return response.json()
def get_alerts(self):
"""Get all alerts"""
params = \\\{
'apiclave': self.api_clave
\\\}
response = requests.get(f"\\\{self.zap_url\\\}/JSON/core/view/alerts/", params=params)
return response.json()
def generate_repuerto(self, format='html'):
"""Generate scan repuerto"""
params = \\\{
'apiclave': self.api_clave
\\\}
if format == 'html':
response = requests.get(f"\\\{self.zap_url\\\}/OTHER/core/other/htmlrepuerto/", params=params)
elif format == 'xml':
response = requests.get(f"\\\{self.zap_url\\\}/OTHER/core/other/xmlrepuerto/", params=params)
elif format == 'json':
response = requests.get(f"\\\{self.zap_url\\\}/JSON/core/view/alerts/", params=params)
return response.json()
return response.text
# uso ejemplo
if __name__ == "__main__":
zap = ZAPAutomation(api_clave="your-api-clave")
# Start spider scan
objetivo = "https://ejemplo.com"
spider_result = zap.spider_scan(objetivo)
print(f"Spider scan started: \\\{spider_result\\\}")
# Wait for spider to complete
time.sleep(60)
# Start active scan
active_result = zap.active_scan(objetivo)
print(f"Active scan started: \\\{active_result\\\}")
# Wait for active scan to complete
time.sleep(300)
# Get alerts
alerts = zap.get_alerts()
print(f"Found \\\{len(alerts['alerts'])\\\} alerts")
# Generate repuerto
repuerto = zap.generate_repuerto('html')
with open('zap_repuerto.html', 'w') as f:
f.write(repuerto)
print("Repuerto saved to zap_repuerto.html")
EOF
Integration ejemplos
CI/CD Integration
# GitLab CI/CD Pipeline
stages:
- security-test
zap-security-scan:
stage: security-test
image: owasp/zap2docker-stable
script:
# Baseline scan
- zap-baseline.py -t $objetivo_URL -r baseline-repuerto.html
# Full scan for staging environment
-|
if [ "$CI_COMMIT_REF_NAME" = "staging" ]; then
zap-full-scan.py -t $objetivo_URL -r full-repuerto.html
fi
# API scan if OpenAPI spec exists
-|
if [ -f "openapi.json" ]; then
zap-api-scan.py -t $objetivo_URL -f openapi -r api-repuerto.html
fi
artifacts:
when: always
paths:
- "*.html"
repuertos:
junit: zap-repuerto.xml
allow_failure: true
# GitHub Actions Workflow
name: Security Scan with OWASP ZAP
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
jobs:
zap-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: ZAP Baseline Scan
uses: zaproxy/action-baseline@v0.7.0
with:
objetivo: 'https://ejemplo.com'
rules_file_name: '.zap/rules.tsv'
cmd_opcións: '-a'
- name: ZAP Full Scan
uses: zaproxy/action-full-scan@v0.4.0
with:
objetivo: 'https://ejemplo.com'
rules_file_name: '.zap/rules.tsv'
cmd_opcións: '-a'
- name: Upload ZAP Repuertos
uses: actions/upload-artifact@v2
with:
name: zap-repuertos
path: |
repuerto_html.html
repuerto_json.json
# Jenkins Pipeline
pipeline \\\{
agent \\\{
docker \\\{
image 'owasp/zap2docker-stable'
args '-u root --entrypoint='
\\\}
\\\}
environment \\\{
objetivo_URL = 'https: //ejemplo.com'
ZAP_API_clave = credenciales('zap-api-clave')
\\\}
stages \\\{
stage('ZAP Security Scan') \\\{
parallel \\\{
stage('Baseline Scan') \\\{
steps \\\{
script \\\{
sh '''
zap-baseline.py -t $objetivo_URL \
-r baseline-repuerto.html \
-x baseline-repuerto.xml
'''
\\\}
\\\}
\\\}
stage('API Scan') \\\{
when \\\{
expression \\\{ fileExists('swagger.json') \\\}
\\\}
steps \\\{
script \\\{
sh '''
zap-api-scan.py -t $objetivo_URL \
-f openapi \
-r api-repuerto.html \
-x api-repuerto.xml
'''
\\\}
\\\}
\\\}
\\\}
\\\}
stage('proceso Results') \\\{
steps \\\{
// Archive repuertos
archiveArtifacts artifacts: '*.html,*.xml', huella digital: true
// Publish test results
publishTestResults testResultsPattern: '*.xml'
// Publish HTML repuertos
publishHTML([
allowMissing: false,
alwaysLinkToLastBuild: true,
keepAll: true,
repuertoDir: '.',
repuertoFiles: '*.html',
repuertoName: 'ZAP Security Repuerto'
])
\\\}
\\\}
\\\}
post \\\{
always \\\{
// Clean up
sh 'rm -f *.html *.xml'
\\\}
failure \\\{
// Send notification
emailext (
subject: "Security Scan Failed: $\\\{env.JOB_NAME\\\} - $\\\{env.BUILD_NUMBER\\\}",
body: "ZAP security scan failed. Check console output for details.",
to: "$\\\{env.SECURITY_TEAM_EMAIL\\\}"
)
\\\}
\\\}
\\\}
solución de problemas
Common Issues
Proxy configuración Issues:
# Check ZAP proxy status
curl -x localhost:8080 http://httpbin.org/ip
# Test HTTPS through proxy
curl -x localhost:8080 -k https://httpbin.org/ip
# Check certificado instalación
openssl s_client -connect localhost:8080 -servername ejemplo.com
# Reset proxy settings
# Tools >`` opcións > Local Proxies > Reset to defaults
# Clear browser proxy cache
# Firefox: about:networking#dns > Clear DNS Cache
# Chrome: chrome://net-internals/#dns > Clear host cache
Memory Issues:
# Increase memory allocation
zap.sh -Xmx4g
# Monitor memory uso
# Help > Suppuerto Info > Memory
# Optimize for large applications
# Tools > opcións > Spider > Max Depth: 3
# Tools > opcións > Active Scan > hilos per host: 1
# Clear sesión data
# File > New sesión
Performance Issues:
# Reduce scan intensity
# Tools > opcións > Active Scan > Attack mode: Safe
# Limit scan scope
# Tools > opcións > Active Scan > Input vectors: Reduce selection
# Increase delays
# Tools > opcións > Active Scan > Delay when scanning: 1000ms
# Use scan policies
# Analyse > Scan Policy Manager > Create lightweight policy
autenticación Issues:
# Verify autenticación configuración
# Tools > opcións > autenticación > Test autenticación
# Check sesión management
# Tools > opcións > sesión Management > Verify sesión handling
# Monitor autenticación in History tab
# Look for login/logout requests
# Use manual autenticación
# Manually log in through ZAP proxy
# Right-click authenticated request > bandera as Context > autenticación
# Debug autenticación script
# Add logging to autenticación script
# Check ZAP logs for errors
API solución de problemas
Debugging ZAP API issues:
# Test API connectivity
curl "http://localhost:8080/JSON/core/view/version/"
# Check API clave
curl "http://localhost:8080/JSON/core/view/version/?apiclave=your-api-clave"
# Enable API debugging
# Tools > opcións > API > Enable debug logging
# Check API logs
tail -f ~/.ZAP/zap.log|grep API
# Test specific API endpoints
curl "http://localhost:8080/JSON/spider/view/status/?apiclave=your-api-clave"
curl "http://localhost:8080/JSON/ascan/view/status/?apiclave=your-api-clave"
# Validate API responses
curl -s "http://localhost:8080/JSON/core/view/alerts/?apiclave=your-api-clave"|jq .
Security Considerations
Operational Security
Safe Testing Practices: - Only test applications you own or have explicit permission to test - Use isolated testing environments to prevent data exposure - Implement proper network segmentation for security testing - Configure appropriate scan policies to avoid servicio disruption - Monitor application performance during testing
Data Protection: - Encrypt ZAP sesión files and repuertos containing sensitive data - Implement secure data retention policies for scan results - Control access to ZAP instalacións and configuración files - Secure transmission of scan repuertos and findings - Regular cleanup of temporary files and sesión data
Defensive Considerations
Detection and Prevention: - Monitor for ZAP user agents and scanning patterns - Implement aplicación web Firewalls (WAF) with security testing detection - Deploy application security monitoring and anomaly detection - Regular security code reviews and static analysis - Implement proper input validation and output encoding