Zaproxy should be able to tell me how many pages that I have spidered are static, dynamic
and how many parameters the pages have. This will help when doing the initial scoping
and recon on a webapp.

Hello,

if possible add the option to have XML, HTML, and.or plain TXT as the report output.

Cheers,
Adrien

When scanning for XSS bugs, ZAP replaces the value in the parameter with the test string,
which in some cases breaks the logic of the webapp. You'll get a lot more results by
simply re-submitting it with the XSS tag appended to the parameter value (in my experience
at least).

Example:

 Original:
 site.com/index.php?q=lolcats&page=1

 ZAP:
 site.com/index.php?q=<script>alert("ZAP")</script>&page=1

 Desired behavior:
 site.com/index.php?q=lolcats<script>alert("ZAP")</script>

I've encountered a couple of web-apps where this has been a problem, and is causing
false negatives, because if I append an attack string onto it, it does indeed have
a XSS bug. 

Hi,

Could you tell me how to write or modify scanning rules myself?

Many of the libraries in the lib dir have not been changed since Paros, and are now
out of date.
This is a reminder to update them!

Psiinon

I've only looked at the source code for the SQL injection fingerprinting/detection a
bit, but in the past I've had a good amount of false positives with the SQL injection
detection.

It seems to me as though it simply appends "' OR 1=1" to the request parameter and
checks for the same page content. This WILL reveal the simple SQL injections, but it
might also give you false positives.

The way I've learned takes a couple more requests, but has almost no false positives.

1.) Scrape & hash the page
2.) append "' OR 1=1" (or any sql injection) to the parameter & hash that copy of the
page
3.) append a FALSE equivalent (ex. ' OR 1=2) to the parameter & hash that as well.
4.) Compare (1 & 2), then compare (2 & 3). If 1 == 2 but 2 != 3 then you have an injection,
otherwise have a false positive. 

You also have to deal with dynamic content, so you might need to grab the same page
twice and strip out the content not-dependant on the parameter as well to prevent false-positives.


I could be mistaken in my methodology, but I believe that's how sqlmap does it.

What steps will reproduce the problem?
1. Scan something that returns custom a 302 to a custom 404 error message.

What is the expected output? What do you see instead?
Lots of False positives, especially when it comes to default files.

What version of the product are you using? On what operating system?
1.0.0. OS doesn't matter.

Please provide any additional information below.

Due to some restrictions, I usually push all of my tool traffic through a server that
everyone knows is 'safe'. I usually use SSH tunnels for this sort of thing (ssh -D
$PORT $HOST), which creates a SOCKS5 proxy listening locally to $HOST. 

That way I can use proxychains to wrap anything I want through my proxy, but ZAP only
accepts http proxies, so I have a polipo instance running acting as a liaison between
my local SOCKS listener and ZAP. It'd be quite nice if ZAP could support SOCKS proxying!

Suboptimal configuration folder for ZAP running on Mac OS X 

ZAP version 1.1.0 now also available in Spanish.

Cheers!

Is there a way to restrict ZAP to only proxy specific domains? If possible, I'd like
to proxy only the domains that I'm currently testing, and let all other web traffic
pass through.

Sometimes I want to just sick the ZAP spider onto a site and let it crawl without having
to push the base-page through a proxy. 

A minor inconvenience, but it'd be nice to be able to give it a jump off point and
just have it spider from there without having to re-configure a proxy browser-side.

Hi psiinon,

I have created a Mac OS X application from the ZAP 1.0.0 Cross Platform Installation
file you provided. So the Mac Users can drop a single file into their /Applications
directory. Thats much more comfortable for them ;)

Regards,
Axel

Is it possible to add the ability for zaproxy to parse a WSDL and generate tests based
on the web service.

Had a 5 min coffee break and translated the properties file to German...

I prefer English for all applications on my machine, so the translation might not be
the best ;)

HF,
Axel

What steps will reproduce the problem?
1. Select Analyse, then Scan Policy
2. Scroll down to Miscelleneous


What is the expected output? What do you see instead?
expected: Miscellaneous 
result: Miscelleneous

What version of the product are you using? On what operating system?
1.0.0 on Linux (Red Hat)

Please provide any additional information below.
Very minor issue, but I thought I'd let you know

I would like to see a "scope" option that can be used for filtering etc.

The idea is to have an option "add to scope" when you right-click a host/URL in the
Sites-tab and have "use only in-scope items" and "show only in-scope items" options
on other locations in ZAP.

(for a better understanding: see how this works in Burp ;) )

Is it possible for zaproxy to have fully integrated SOAP support, making it easier to
test web services.

Hi,

I have translated Zaproxy in french based on this file :
http://code.google.com/p/zaproxy/source/browse/trunk/src/lang/Messages.properties

I added this comment :
#view.locale.fr_FR=Français
on line 356 

And I did not yet translated "Spider", because I am not sure/satisfied of the french
translation : "Collecter".

If a french speaker could read it, it would be perfect.

Please could you integrate it into Zaproxy ?

Thank you

Thomas P.

David has reported an issue with ZAP supplying multiple session cookies when session
tracking is turned on.
The target application didnt like it and he has unable to login.
Full details have been supplied via email.

Mac OS X menubar not working with Nimbus LAF. OSX native LAF should be used in order
to provide a proper integration into OSX.

Ryan has asked for the ability to invoke other tools from ZAP.

I like the idea - I think ZAP should be able to interact with other tools as much as
possible.

My plan is to add a "Run application" right click menu to the Sites and History tabs.
It will be up to the user to configure which applications to run - we wont know what
they have or want to run.
The configs will be accessible from the right click menu, and there will be the ability
to pass over context sensitive info like the host, port and url.

I say plan, its mostly implemented now ;)

Psiinon

Hi psiinon,

integrated the smartcard support we implemented in Andiparos. So ZAP is now able to
handle client certificates on smartcards/tokens too.

Needs to be tested. Will do some checks next week!

Cheers,
Axel

Messages_es_ES.properties updated.

certificates.pkcs11.drivers.title=PKCS#11 drivers
certificates.pkcs11.drivers.label.path=Ruta (Ruta de la DLL que da soporte para PKCS#11
- utilizada por el software de la smartcard)
certificates.pkcs11.drivers.label.name=Nombre
certificates.pkcs11.drivers.label.slot=Slot
certificates.pkcs11.drivers.button.browse=Ver
certificates.pkcs11.drivers.button.add=Añadir
certificates.pkcs11.drivers.button.delete=Eliminar
certificates.pkcs11.drivers.button.close=Cerrar
certificates.keystore.title=Almacén de claves (KeyStore)
certificates.keystore.button.activate=Activar
certificates.keystore.button.delete=Eliminar
certificates.pkcs12.title=PKCS#12
certificates.pkcs12.button.add=Añadir al keystore
certificates.pkcs12.button.browse=Ver
certificates.pkcs12.label.file=Fichero
certificates.pkcs12.label.password=Contraseña
certificates.pkcs11.title=PKCS#11
certificates.pkcs11.button.add=Añadir al almacén de claves (keystore)
certificates.pkcs11.label.driver=Driver
certificates.pkcs11.label.pincode=Código PIN
certificates.cryptoapi.title=CryptoAPI
certificates.helptext=<html><body><p> Añada su almacén de calves (keystore) y seleccione
el certificado deseado.</p><p>Esta configuration no será almacenada en las oscines
y necesitará ser restablecida la próxima vex que inicie ZAP.</p></body></html>
certificates.checkbox.enable=Usar certificado de cliente
certificates.label.active=Certificado Activo

Cheers!

Would be nice if there are two trap buttons in the menue bar.
One for Request and one for Response.

(like before in paros but locatet in the menu bar, so it is always accessible)

It should be easy for anyone that uses Perl, Ruby or Java to build their own custom
tool and leverage zaproxy via an API.

The memory size keeps increasing everytime you run the spider.

Found leak one in org.parosproxy.paros.db.TableHistory, need to check for more.

When scanning a large site, or a site that has a lot of pages in it, ZAP grabs *all*
of them, without a way to easily tell it to hop over that basepage, or any way to tell
it not to do that.

Ex:
http://site.com/page.php?id=1
http://site.com/page.php?id=2
http://site.com/page.php?id=3
http://site.com/page.php?id=4
http://site.com/page.php?id=5

ZAP would crawl all of these, which isn't useful in some cases. I've been stuck on
a few page sequences like this with no real solutionn (our library page for one which
catalog's our books). When searching for things like XSS bugs, you're checking for
parameter validation, and you aren't necessarily concerned with crawling /every/ page.

I wanted to run a spider on my full site, but the application froze before ending.
The site contains at least 500 pages. and on each pages, their are at least 10 URLs
(Page URL + Get parameters)

I am running last version of Zaproxy on Windows + Java 1.6-23

I know that kind of bug description doesn't usualy help debugging so if you need me
to run any other tests, give more details,... do not hesitate.

BTW, I am wondering why not using a more up to date version of the libraries (like
apache commons, HyperSQL, ...) ?

Thank you,

Thomas P.

What steps will reproduce the problem?
1. Download WebGoat from OWASP and setup the localhost environment.
2. Setup ZAP and open a new session to capture the list of URL's.
3. Open IE browser and type -> http://localhost:8080/webgoat/attack.

What is the expected output? What do you see instead?
* ZAP should have captured the requests from localhost; but no requests are captured
by ZAP while running WebGoat and ZAP on the same system. However, ZAP currently captures
all the requests made to any web hosted applications (example: OWASP.org; etc.)

What version of the product are you using? On what operating system?
* OWASP ZAP 1.1.0 on windows XP Operating System

Please provide any additional information below.
* Are there any specific settings to capture requests from localhost?
* Can we setup WebGoat and ZAP on the same machine and scan the application using ZAP
?

Thanks in advance,
Raghavendra Rao P.V.

I'd like ZAP to be able to perform security regression tests on web applications.
Setting up a test would go something like this:
* Explore the app using a browser proxying through ZAP
* Run the spider (optional)
* Brute force files and directories (optional)
* Fix any alerts, or mark them as false positives
* Save the session as a 'regression test'
When running a test, ZAP would:
* Repeat all of the requests
* Check the responses (coping with anti CSRF tokens etc;)
* Run the spider (optional)
* Brute force files and directories (optional)
* Active scan the app
* Report any new alerts, pages, changed responses etc
Other considerations:
* It should really be able to do this headless
* All reports should be available in XML
* Easy integration with JUnit/NUnit

So its a significant amount of work, but I think this could be really useful, and I'm
not aware of any other open source product that provides this (let me know if I'm wrong!).
Please update this issue with any thoughts / suggestions etc.

Psiinon

I can't seem to get it to run on Backtrack 4 RC1.

I get this output when running the .sh file provided:

root@bt:~/zap# ./zap.sh
: command not found
Exception in thread "main" java.lang.NoClassDefFoundError: org/zaproxy/zap/ZAP
Caused by: java.lang.ClassNotFoundException: org.zaproxy.zap.ZAP
        at java.net.URLClassLoader$1.run(URLClassLoader.java:200)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:252)
        at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:320)
.  Program will exit.in class: org.zaproxy.zap.ZAP

Hi Dobin,

Congratulations to your first commit. I really love to see the project growing.

Tested your Manual request editor. I like the option to choose the view of the editor.
However, when using the Horizontal view, the Window looks very crappy (under Mac OS
X). This is due to the size of the menubar. The amount of elements that are used in
the menubar heavily influences the size of the menubar, which also influences Window
view.

We should have a discussion about how to change the menubar to get rid of this problem.

Cheers,
Axel

ZAP should be capable of interacting with Firefox's Hackbar (https://addons.mozilla.org/en-US/firefox/addon/3899/).

E.g. send requests from ZAPs history to Hackbar

A common practice today is moving your sites & sub-domains into a unified web front,
for load-balancing ease.

Example:
directory.site.com   => site.com/directory
login.site.com       => site.com/login
gallery.site.com     => site.com/gallery

The problem is when ZAP sees the same origin domain, it assumes it's one big site (which
technically it is), but it'd be very helpful to be able to just spider site.com/directory,
because if you have links between say site.com/login and site.com/gallery it'll attempt
to spider both.

This eventually leads to spidering a huge portion (if not all) of the base-site just
to test the directory tree you're interested in. 

A common practice today is moving your sites & sub-domains into a unified web front,
for load-balancing ease.

Example:
directory.site.com   => site.com/directory
login.site.com       => site.com/login
gallery.site.com     => site.com/gallery

The problem is when ZAP sees the same origin domain, it assumes it's one big site (which
technically it is), but it'd be very helpful to be able to just spider site.com/directory,
because if you have links between say site.com/login and site.com/gallery it'll attempt
to spider both.

This eventually leads to spidering a huge portion of the base-site just to test the
directory tree you're interested in. 

I've received a request from Jay to enhance ZAP to allow a delay to be specified when
scanning apps.
This could be used to prevent ZAP overloading a target application.
It would, of course, increase the time the scan would take.

We currently use Hudson for continuous integration of our webapp (written in php). 
We also use Canoo WebTest to simulate a browser and run through test scripts (eg unit
tests, installing our app, upgrading from a previous version, etc).

Recently, we released a new version of our app that addressed multiple XSS issues.

So:
- What we'd like to do is test for regressions (using previously known attack vectors)
- scan for new vulnerabilities, perhaps aided by a sitemap (we can generate this using
reflection) and a list of parameters to fuzz
- report results back to the Hudson dashboard.

ZAP now also available in Spanish.

Cheers!

What steps will reproduce the problem?
1. Download the installer
2. tar xvf ZAP* && cd zap
3. java -jar zap.jar

What is the expected output? What do you see instead?


The gui would open, instead of opening I got this error:

Downloads/zap$ sudo java -jar zap.jar 
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/commons/httpclient/protocol/ProtocolSocketFactory
Caused by: java.lang.ClassNotFoundException: org.apache.commons.httpclient.protocol.ProtocolSocketFactory
    at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
Could not find the main class: org.zaproxy.zap.ZAP. Program will exit.


What version of the product are you using? On what operating system?

1.0.0 Ubuntu 10.04


Please provide any additional information below.

What steps will reproduce the problem?
1. Spider a site with redirection
2. crawl redirected msg
3. Request is from orginal msg, Response is from redirected msg

What is the expected output? What do you see instead?
When this happens not only the HttpMessage is dishonest, saved  and shown on the site
tree that way, but all the crawled anchors of this message will have a base url of
the original message. Which is unusable!

What version of the product are you using? On what operating system?
Version 1.1.1

Please provide any additional information below.
I suggest, for the spider at least, To not follow redirects in the HttpSender, but
keep the redirect response intact, and handle it in the spider thread, by for e.g.
adding the redirect url to the spider queue.

The plan was to pick up the language files from the cwd so that they could be easily
added to an updated.
And if you put a new language file in the cwd it does appear in the relevant pull down
list.
Unfortunately it doesnt actually get used.
On non Windows platforms the files are picked up from the zap.jar file and on Windows
platforms this is built into the ZAP.exe

The language files should be picked up from a normal directory to make it much easier
to change them.

What steps will reproduce the problem?
1. Set a proxy server
2. Try to portscan the target
3. The scan will be started from the local system

ZAP does not work on Mac OS X. I will compile the code in the evening and give you more
detailed feedback.

<schnipp>
axel@flipsi zap $ java -jar zap.jar 
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/commons/httpclient/protocol/ProtocolSocketFactory
Caused by: java.lang.ClassNotFoundException: org.apache.commons.httpclient.protocol.ProtocolSocketFactory
    at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
</schnipp>

Regards,
Axel

David has requested that ZAP be enhanced to allow user specified timeouts when dealing
with slow / remote applications.
Agree that would be very useful!

How about a robots.txt parser that grabs & spiders through the disallow entries as well?
I've found some very interesting things through doing that, and sometimes the entries
are even comments! [do'oh!]

I've also found that .DS_Store files (OSX metadata) are a great method to discover
other things I shouldn't be able to find, and in most cases they're just as good as
an open directory listing!

The only problem that I've encountered is that the format is basically a binary, with
no easy method to parse out the proper unicode strings.

I have a .DS_Store file that I pulled off a server during a pen-test up on my site
as an example (to test out parsing, etc) => http://talesofacoldadmin.com/random/DS_Store

Here's the file-format specification (reverse-engineered) => https://wiki.mozilla.org/DS_Store_File_Format

Basically you just need to search for unicode strings in that file though (as i found
out through a hex editor). But that introduces some other oddities with gnu strings.

--== START OUTPUT ==--
#(^_^)-(!13899)-(XXXXX@quixote)-(04:18:23)-(XXX.XXX.XXX.XXX)
#(~)
strings -e l ./DS_Store 
event
galler
galler
galler
galler
histor
image
image
scrip
scrip
scrip
style
style
style
        Template
        Template
video
video
scrip
scrip
scrip
style
style
style
        Template
        Template
video
video
--== END OUTPUT ==--

You can see it gets most of the 'good' strings, but chops off the last character. I
usually do this, then open the DS_Store file in a hex editor to find the last character.
Totally in-efficient but it works. I've been meaning to write a parser for it, as there
don't seem to be any *anywhere* that weren't written in applescript. 

Thoughts?

system info:
Fedora Core 12
Kernel Linux 2.6.32.21-168.fc12.i686.PAE
java version "1.6.0_18"
OpenJDK Runtime Environment (IcedTea6 1.8.1) (fedora-40.b18.fc12-i386)
OpenJDK Client VM (build 14.0-b16, mixed mode)


What steps will reproduce the problem?
1. Download the latest .tar.gz file (1.0.0b)
2. Untar the file in /usr/local
3. run > java -jar zap.jar

What is the expected output? What do you see instead?
I expect the GUI to pop up.

I get the following instead:

Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/commons/httpclient/protocol/ProtocolSocketFactory
Caused by: java.lang.ClassNotFoundException: org.apache.commons.httpclient.protocol.ProtocolSocketFactory
    at java.net.URLClassLoader$1.run(URLClassLoader.java:217)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:321)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:266)
    at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:334)
Could not find the main class: org.zaproxy.zap.ZAP. Program will exit.

What version of the product are you using? On what operating system?
See above.

Please provide any additional information below.

What steps will reproduce the problem?
1. Export report

What is the expected output? What do you see instead?
Either .html or .htm, not both

What version of the product are you using? On what operating system?
Latest on BT4 RC1

What steps will reproduce the problem?
1. Checkout project
2. Change to build directory
3. Execute ant compile

What is the expected output?
Buildfile: build.xml
     [echo] ClassPath=${dist.classpath}

init:
   [delete] Deleting directory /home/duartesilva/workspace/projects/zaproxy/build/build
    [mkdir] Created dir: /home/duartesilva/workspace/projects/zaproxy/build/build

compile:
    [javac] Compiling 324 source files to /home/duartesilva/workspace/projects/zaproxy/build/build
    [javac] Note: Some input files use or override a deprecated API.
    [javac] Note: Recompile with -Xlint:deprecation for details.
    [javac] Note: Some input files use unchecked or unsafe operations.
    [javac] Note: Recompile with -Xlint:unchecked for details.

BUILD SUCCESSFUL
Total time: 10 seconds

What do you see instead?
Buildfile: build.xml
     [echo] ClassPath=${dist.classpath}

init:
   [delete] Deleting directory /home/duartesilva/workspace/projects/zaproxy/build/build
    [mkdir] Created dir: /home/duartesilva/workspace/projects/zaproxy/build/build

compile:
    [javac] Compiling 324 source files to /home/duartesilva/workspace/projects/zaproxy/build/build
    [javac] /home/duartesilva/workspace/projects/zaproxy/src/org/parosproxy/paros/control/Control.java:43:
package org.zaproxy.zap.extension.params does not exist
    [javac] import org.zaproxy.zap.extension.params.ExtensionParams;
    [javac]                                        ^
    [javac] Note: Some input files use or override a deprecated API.
    [javac] Note: Recompile with -Xlint:deprecation for details.
    [javac] Note: Some input files use unchecked or unsafe operations.
    [javac] Note: Recompile with -Xlint:unchecked for details.
    [javac] 1 error

BUILD FAILED
/home/duartesilva/workspace/projects/zaproxy/build/build.xml:29: Compile failed; see
the compiler error output for details.

Total time: 7 seconds

What version of the product are you using? On what operating system?
Revision 172. Linux based.

Please provide any additional information below.
I made the fixes in order for it to build. Bellow is the diff of the changes.

Index: org/parosproxy/paros/control/Control.java
===================================================================
--- org/parosproxy/paros/control/Control.java   (revision 172)
+++ org/parosproxy/paros/control/Control.java   (working copy)
@@ -40,11 +40,11 @@
 import org.zaproxy.zap.extension.compare.ExtensionCompare;
 import org.zaproxy.zap.extension.encoder2.ExtensionEncoder2;
 import org.zaproxy.zap.extension.help.ExtensionHelp;
-import org.zaproxy.zap.extension.params.ExtensionParams;
+//import org.zaproxy.zap.extension.params.ExtensionParams;
 import org.zaproxy.zap.extension.portscan.ExtensionPortScan;
 import org.zaproxy.zap.extension.pscan.ExtensionPassiveScan;
 import org.zaproxy.zap.extension.search.ExtensionSearch;
-import org.zaproxy.zap.extension.test.ExtensionTest;
+//import org.zaproxy.zap.extension.test.ExtensionTest;


 /**

In talking to Psiinon we discussed the ability to provide custom XSS/SQL injection strings.


We also kicked around the idea of implementing rsnake's XSS DB 

=> http://ha.ckers.org/xss.html

and perhaps the ability to tell WHAT characters got transformed server-side, much like
the XSSMe firefox plugin does 

=> http://j.mp/i43GMO 

These are just a couple ideas I had though, and they require much more input & thought
before they become a reality. 

Suggestions for improvement on these would be greatly appreciated! ^_^