

OWASP ZAP get started. Step 2.

Posted on 2016-09-25
Medium Priority
Last Modified: 2016-10-01
This is a follow-up question after viewing OWASP ZAP get started.

Dear Experts.

If I downloaded an outdated version of ZAP (~/Downloads/ZAP/ZAP_2.5.0$ ./), why does their web site offer 2.5 instead of a recent, stable one?
I only see 2.5:
Is there a newer one?
If this is the newest, why does it keep "outdated" extensions?

Whether they are plugins or extensions, there seems to be no way to understand what they are doing and what their attack scenario is:

For example, this folder

contains just binary code. How, from binary code, can one know which vulnerability has been targeted, what the "international database index" of
this vulnerability is, or simply what the vulnerability reproduction scenario is?

One of your links leads to:

and it gives the impression that there exists some sort of Java library of attack scenarios. Where is this library? How does one find out which library
program the message in the Alert or History tab refers to? In my example of

            Cross Site Scripting
                POST: http://....
                    Attack --><script>...
                    Evidence --><script>...

where is this library program/scenario source code?

5. In my question 5 I am asking how to find a script. You provided an answer to the question "How to create a script",
aka: "New Script Button • Navigate to the Scripts tree tab".

Is it still possible to find the scripts/scenarios which are used, in order to understand what attacks are going on in the out-of-the-box ZAP?

2/3/4 a.

(reports-->"Export Responses to Files")
When I export an Alert/Message to a file, it does not export the log of the conversation between server and browser,
but instead it just exports the response of the server. So it shows neither the Attack information nor the Evidence information.
This export seems very useless.


"...You can write custom payload generator scripts - these can supply any payloads that you need"
Before reinventing the wheel, it seems more practical for a net-admin to use already existing source code.
Does it really mean that every security company has to have programmers writing the code for the same vulnerability again and again?

It seems some of the scripts are from

here is my example:

Thank you.
Question by:Bitlab

Accepted Solution

btan earned 2000 total points
ID: 41816294
Latest version is 2.5 @
This is an open contribution from the community, please do not be too "perfectionist" about the release packaging. In practice, the ZAP release will never keep up with the latest add-on versions, since they can be separately downloaded and updated. So exercise due care to always get the latest versions of the add-ons, e.g.
If you are using the latest version of ZAP then you can browse and download addons from within ZAP by clicking on this button in the toolbar:....You can also import add-ons you have downloaded manually via the "File / Load Add-on file..." menu option...

For the add-ons, you can find a description summary of the main scanner coverage below. The plugins are under the Active and Passive scan rules:

- Active scanner rules @
- Passive scanner rules @
-fuzzDB @

Specifically, to delve into the nuts and bolts of a "plugin", you can go to the source:
- Active @
- Passive @

I do not see documentation that combines this depth of description so far, to the best of my knowledge; we stick with what is already made available.

For the attack scenario, see the 1b summary for the active and passive scan rules.

Taking the XSS example, it is under Active scan with the summary as below:
Cross Site Scripting (reflected)

This rule starts by submitting a 'safe' value and analyzing all of the locations in which this value occurs in the response (if any). It then performs a series of attacks specifically targeted at the location in which each of the instances occurs, including tag attributes, URL attributes, attributes in tags which support src attributes, html comments etc.

Cross Site Scripting (persistent)

This rule starts by submitting a unique 'safe' value and then spiders the whole application to find all of the locations in which the value occurs. It then performs a series of attacks in the same way that the 'reflected' version does but in this case checks all of the target locations in other pages.
On the actual test executed, you are probably looking at the reflected attack test in the code below, and it refers to WASC #8 (Vulnerabilities.getVulnerability("wasc_8");) - this actually has the XSS info @

All the threat attacks are referenced to The Web Application Security Consortium (WASC) Threat Classification.

The script is better illustrated in the code of the XSS reflected test (not easily readable, but I see it will be in the help within the tool; I did not delve into that) -

2/3/4 a.
Most go for the alert report instead, i.e. reports-->generate alert report.
Actually I cannot comment on how good it is, since it is added there to help as much as possible but is not perfect.
You can actually grab all of the alerts via the ZAP API in JSON and XML format. If you enable the API (via the options) you can then access a URL like the one below to get all of the alerts reported on "" - "zap" is the hostname of your ZAP system:


But it seems that there is a new add-on stated:
The plugin can generate a report via the command line currently but not from the API, however I will be adding that support soon. I have been running tests and the minimum supported version is ZAP 2.5.0, however due to some bugs which got fixed in later weekly releases, I would recommend using weekly release 8-30-2016 or later.

The plugin can be found under the marketplace titled as 'Export Report'. It is meant to act as a replacement, at least for me, instead of the default XML and HTML reports, since it allows for various fields such as who generated the report, the date, and allows you to customize which alerts or details you deem important enough to generate.
!topic/zaproxy-users/VTDkreb3wUY

I am thinking you could search through the community scripts for a contributed automated attack scenario and run it; you can see more details in the source code.
The easiest way to use this repo in ZAP is to install the 'Community Scripts' add-on from the ZAP Marketplace.

But the original one from FuzzDB has docs in its github that cover Attack Patterns, Response Analysis, and contributed cheatsheets and Documentation.

Not necessarily; the exchange and planting of the exploit is the same, though the payload may differ depending on the nature of the vulnerable application or target. Metasploit has been a useful tool for exploitation testing. For FuzzDB, it did share and reuse payloads too, like this XSS instance:
test.xxe - requested by some payloads from fuzzdb github repo raw filepath
xss-rsnake.fuzz.txt - rsnake's classic fuzzfile, modified to load test files
xss-other.fuzz.txt - newer payloads from various sources: my own testing, interesting filter bypassed found in the wild, etc.
xss-uri.fuzz.txt - URI abuse test cases
XSSPolyglot.fuzz.txt - from - check the page for filter evasions and other interesting stuff
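
To make the reflected-XSS scan rule summary quoted above concrete, here is an added illustration written for this page. It is not ZAP's source code; the context names, the payload set and the toy target application are my own assumptions. It mirrors the two steps the summary describes: submit a 'safe' value, classify each location where it is reflected (HTML text, tag attribute, URL attribute, comment, script), then send a payload chosen for that context and record the reflected payload as the evidence. A hardened version of the same page is scanned alongside it to show the rule reporting nothing once output is encoded per context.

```python
"""Toy model of how a context-aware reflected-XSS scan rule decides its attack.
Added example: not ZAP's own code; contexts, payloads and the target are illustrative."""
import html
import re

CANARY = "zapXss1234"   # constructed 'safe' marker submitted in step 1


def classify_contexts(body, marker):
    """Locate every reflection of `marker` and name the HTML context it landed in."""
    found = []
    for m in re.finditer(re.escape(marker), body):
        before = body[:m.start()]
        low = before.lower()
        if before.rfind("<!--") > before.rfind("-->"):
            found.append({"context": "comment", "quote": ""})
        elif low.rfind("<script") > low.rfind("</script"):
            found.append({"context": "script", "quote": ""})
        elif before.rfind("<") > before.rfind(">"):            # inside a tag
            tag = before[before.rfind("<"):]
            attr = re.search(r'''([A-Za-z-]+)\s*=\s*(["']?)[^"'>]*$''', tag)
            if attr is None:
                found.append({"context": "tag_name", "quote": ""})
            elif attr.group(1).lower() in ("href", "src", "action", "formaction"):
                found.append({"context": "url_attribute", "quote": attr.group(2)})
            else:
                found.append({"context": "tag_attribute", "quote": attr.group(2)})
        else:
            found.append({"context": "html_text", "quote": ""})
    return found


def payload_for(ctx):
    """Pick a payload that breaks out of the reflection context (illustrative set)."""
    c, q = ctx["context"], ctx["quote"]
    if c in ("html_text", "tag_name"):
        return "<script>alert(1);</script>"
    if c == "tag_attribute":
        return f"{q} onmouseover={q}alert(1)" if q else "x onmouseover=alert(1)"
    if c == "url_attribute":
        return "javascript:alert(1)"
    if c == "script":
        return "';alert(1);//"
    return "--><script>alert(1);</script><!--"     # comment


def scan_parameter(render, marker=CANARY):
    """Step 1: submit the safe marker. Step 2: attack each reflection in context.
    Evidence = the payload reflected unmodified in the same context it was aimed at."""
    findings = []
    for ctx in classify_contexts(render(marker), marker):
        payload = payload_for(ctx)
        hits = classify_contexts(render(payload), payload)
        if any(h["context"] == ctx["context"] for h in hits):
            findings.append({"context": ctx["context"], "attack": payload, "evidence": payload})
    return findings


# Constructed stand-in for the target: reflects q in four places, escaping only one.
def render_vulnerable(q):
    return ("<html><body>\n"
            f"<p>You searched for: {html.escape(q)}</p>\n"
            f"<input type='text' name='q' value='{q}'>\n"
            f"<a href='{q}'>link</a>\n"
            f"<!-- debug: {q} -->\n"
            "</body></html>")


def render_fixed(q):
    """Hardened form: escape every sink and allow only http(s) URLs in href."""
    href = q if q.lower().startswith(("http://", "https://")) else "#"
    return ("<html><body>\n"
            f"<p>You searched for: {html.escape(q)}</p>\n"
            f"<input type='text' name='q' value='{html.escape(q)}'>\n"
            f"<a href='{html.escape(href)}'>link</a>\n"
            f"<!-- debug: {html.escape(q)} -->\n"
            "</body></html>")


if __name__ == "__main__":
    for f in scan_parameter(render_vulnerable):
        print(f"{f['context']:14} Attack: {f['attack']}  Evidence: {f['evidence']}")
    print("fixed page findings:", scan_parameter(render_fixed))
```

The escaped `<p>` sink is never reported even though the canary is reflected there, because the `<script>` payload comes back entity-encoded; that is the distinction between "reflected" and "reflected exploitably" that the Attack and Evidence fields of a ZAP alert capture.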

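For the export complaint (the file export lacking the Attack and Evidence fields), the alerts view of the ZAP API returns those fields directly, and each alert carries a message ID that the core/view/message endpoint resolves to the full request and response. The following added example is mine, not part of the original answer or of ZAP: it builds the alerts URL, parses the JSON the API returns, filters by risk and writes a CSV with attack, evidence, plugin ID, CWE and WASC IDs. The embedded response is constructed sample data in the shape of the API's output; the default port 8080, the API key parameter and the field names are assumptions to verify against your ZAP version.

```python
"""Pull ZAP alerts (with attack/evidence) over the ZAP API and write them to CSV.
Added example for this page, not ZAP's own code. Endpoint and field names follow the
2.5-era core API (assumption); verify against your version."""
import csv
import io
import json
import urllib.parse
import urllib.request

ZAP_PORT = 8080   # assumption: default local API port
FIELDS = ["name", "risk", "method", "url", "param", "attack", "evidence",
          "pluginId", "cweid", "wascid"]
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def alerts_url(zap_host, apikey, baseurl, start=0, count=1000):
    """URL of core/view/alerts for every alert whose URL starts with `baseurl`."""
    params = {"baseurl": baseurl, "start": start, "count": count}
    if apikey:                       # required unless the key is disabled in Options > API
        params["apikey"] = apikey
    return (f"http://{zap_host}:{ZAP_PORT}/JSON/core/view/alerts/?"
            + urllib.parse.urlencode(params))


def message_url(zap_host, apikey, message_id):
    """core/view/message returns the full request and response behind one alert,
    i.e. the conversation the GUI export leaves out; messageId comes from the alert."""
    params = {"id": message_id}
    if apikey:
        params["apikey"] = apikey
    return (f"http://{zap_host}:{ZAP_PORT}/JSON/core/view/message/?"
            + urllib.parse.urlencode(params))


def fetch_json(url):
    """Live call against a running ZAP; not used by the offline demo below."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def parse_alerts(json_text):
    """Reduce the API's alert objects to the fields a report needs."""
    rows = []
    for a in json.loads(json_text)["alerts"]:
        row = {f: a.get(f, "") for f in FIELDS}
        row["name"] = a.get("alert", "")        # the API calls the alert title 'alert'
        row["messageId"] = a.get("messageId", "")
        rows.append(row)
    return rows


def filter_by_risk(rows, min_risk):
    floor = RISK_ORDER[min_risk]
    return [r for r in rows if RISK_ORDER.get(r["risk"], -1) >= floor]


def to_csv(rows):
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS, extrasaction="ignore")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


# Constructed sample in the shape of core/view/alerts output (not a real scan result).
SAMPLE_RESPONSE = json.dumps({"alerts": [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "method": "POST", "url": "http://target.example/search", "param": "q",
     "attack": "<script>alert(1);</script>", "evidence": "<script>alert(1);</script>",
     "pluginId": "40012", "cweid": "79", "wascid": "8", "messageId": "17",
     "reference": "http://projects.webappsec.org/Cross-Site-Scripting"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "confidence": "Medium",
     "method": "GET", "url": "http://target.example/", "param": "X-Frame-Options",
     "attack": "", "evidence": "", "pluginId": "10020", "cweid": "16", "wascid": "15",
     "messageId": "3"},
]})


if __name__ == "__main__":
    rows = parse_alerts(SAMPLE_RESPONSE)   # offline demo; against a live ZAP use:
    # rows = parse_alerts(json.dumps(fetch_json(alerts_url("zap", "KEY", "http://target.example"))))
    print(to_csv(filter_by_risk(rows, "Medium")))
    print("full conversation for alert 1:", message_url("zap", "KEY", rows[0]["messageId"]))
```

The wascid column is what ties each alert back to the WASC Threat Classification entry mentioned above (8 is Cross-Site Scripting), and pluginId identifies the scan rule whose source you would read to see the attack scenario.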
Author Closing Comment

ID: 41825041
Thank you. My project is postponed due to unrelated circumstances. Will return if the need arises again.
