Zed Attack Proxy (ZAP) is an open-source web application security scanner/proxy that can be used to find vulnerabilities. This blog post is about Zed Attack Proxy’s Scripting capabilities and how it can be very useful.
ZAP’s scripting feature allows a user to create a script in JavaScript or Zest to further improve ZAP Scanner capabilities. A user can write numerous scripts to work with ZAP’s active scanning, passive scanning, proxy and more. ZAP supports JavaScript and Zest scripts, but it also supports Jython and JRuby via the ZAP Marketplace.
I don’t use ZAP a lot but I like the scripting feature due to how quick and easy it is. This can be useful if a user runs into a specific problem during a web application test and needs a quick fix through scripting. E.g. If a user wants the ZAP passive scanner to analyze and report all Base64 encoded data. This can be done by writing a ZAP script and enabling it on the script console.
The script console tab itself can be used to write scripts which can be run within ZAP and also has a debug area which also displays error messages. It also provides a basic autocomplete feature which assists with the methods available associated to an object.
Lastly, here is a repo of ZAP Scripts written by the community. I’ve written a couple as part of the ZAP Community Scripts Competition. The competition results can be seen here:
Two of the scripts I wrote can be seen here:
ZAP Community Scripts Repo: Community Scripts
ZAP Development Wiki: ZAP Development