Tambahkan target anda aplikasi untuk Konteks menggunakan 'right click' menu: 'Termasuk dalam Konteks'.
Hal ini memungkinkan anda memberitahu ZAP lebih lanjut tentang target, seperti otentikasi, pengguna dan teknologi yang digunakannya.
Klik pada 'gear' ikon di sisi kanan dari banyak tab untuk akses cepat pengaturan untuk fitur itu.
Apakah anda menggunakan aplikasi anti CSRF token?
Pastikan anda telah mengkonfigurasi ZAP untuk menangani mereka melalui 'Options / Active Scan' layar.
Jika anda mendapatkan terlalu banyak positif palsu mencoba mengubah ambang batas untuk memindai aturan untuk Tinggi.
Tetapi juga melaporkan masalah kepada kami melalui ZAP Grup Pengguna atau Masalah sehingga kami dapat menyelidiki hal-hal yang keduanya terkait mati 'Online' menu
Menginstal Pensiun add-on dari ZAP Pasar untuk mendeteksi tidak aman versi JavaScript perpustakaan menggunakan database dari Retire.js.
Instal Add-on SAML dari ZAP Marketplace untuk mendeteksi, menampilkan, mengedit dan menghapus permintaan SAML.
Menginstal accessControl add-on dari ZAP Pasar untuk mengotomatisasi pengujian aplikasi anda kontrol akses.
Menginstal versi beta aktif dan pasif scan aturan untuk menemukan lebih banyak potensi masalah.
Ada juga alpha aktif dan pasif scan aturan tapi jelas mereka mungkin kurang stabil.
Menginstal urutan add-on dari ZAP Pasar untuk memindai halaman yang harus dikunjungi dalam urutan tertentu untuk fungsionalitas penuh untuk dapat diakses.
Manual isi indikator - Halaman yang ditemukan oleh laba-laba dan memaksa browser yang ditandai di Situs pohon dengan ikon yang relevan. Ikon ini menghilang ketika anda mengunjungi halaman tersebut secara manual.
Baru ke ZAP?
Download panduan 'Memulai dengan ZAP' dari ZAP Marketplace.
Permintaan POST memiliki menu 'klik kanan' untuk menghasilkan formulir tes CSRF
Klik kanan di mana saja.
Sorot teks dan klik kanan.
Banyak fungsi ZAP sensitif konteks seperti yang diakses dengan cara ini.
Menyimpan ZAP sesi di mulai dari tes daripada di akhir sesi disimpan dalam db yang akan diperbarui sepanjang waktu sehingga anda tidak harus menyimpannya lagi.
The 'Show / enable' fields 'lightbulb' button on the main toolbar will make hidden fields visible and allow you to edit disabled fields.
The Search tab allows you to find string in Fuzz results - it supports regex expressions and inverse matching.
The majority of ZAP's tabs are now hidden by default so that the UI is less cluttered.
You can show and hide all of the tabs via buttons on the main toolbar.
You can also 'pin' any tab you like so that it stays visible even after a restart.
There are a large number of fuzzing files available in the ZAP Marketplace in the 'Directory List *', 'Fuzzdb files' and 'SVN Digger files' add-ons.
There are lots of resources linked off the 'Online' menu, including the ZAP Homepage, User and Developer groups
There is a repository of ZAP scripts at https://github.com/zaproxy/community-scripts
If you clone a local copy then you can add all of them to ZAP via the Scripts Option pane.
You can also upload your own scripts via pull requests - the more the better!
Try different UI layouts via the buttons on the main toolbar.
Use keyboard shortcuts to speed up your testing - you can define your own combinations via 'Options / Keyboard' which also generates printable shortcut cheatsheets.
Want to chat to someone about ZAP?
Many of the ZAP core developers hang out on the Libera Chat #zaproxy irc channel: https://web.libera.chat/#zaproxy
Want to script ZAP in a scripting language other than Java Script and Zest?
Check the ZAP Marketplace for other languages like python and ruby.
If your preferred scripting language isnt yet available then get in touch - its fairly easy to add support for other languages.
You can change the syntax highlighting used for the Request, Response and Script Console tabs via the 'right click' 'Syntax' menus.
You can compare 2 requests or responses by selecting them both, 'right clicking' and selecting one of the 'Compare 2..' menu items.
You can export all of the URLs recorded by ZAP using the top level menu: "Report / Export All URLs to a File..."
You can import URLs contained in a text file using the importurls add-on available on the ZAP Marketplace
You can invoke 3rd party tools like sqlmap and nmap from within ZAP, passing across a wide range of contextual information.
Just configure the applications you want to invoke in the "Options / Applications" screen.
You can reorder table columns by dragging and dropping them.
You can also select which columns are show via the icon just above the scroll bar on the right hand side of each table.
You can search for text in any text area, including the Request and Response tabs, using the 'right click' 'Find...' menu.
You can tell ZAP to access an app using a specified user.
To do that you need to add your app to a Context and then define the authentication and user details.
You can tell ZAP to load all of the scripts in a set of directories via the Scripts Option page.
See the help for details of the directory structure.
ZAP can automatically check for updates - turn it on via the 'Options / Check for Updates' screen.
If you dont want it to happen automatically then make sure you manually check for updates frequently via the 'Manage Add-ons' main toolbar button as we continually add new features and fix issues.
ZAP can display, intercept and even fuzz client side messages including postMessages - 'right click' a subtree in the Sites tree and select a suitable submenu under 'Monitor clients'.
Force a browser refresh and your open pages will be displayed in the 'Clients' tab along with all of the client side messages they generate.
ZAP has comprehensive help pages accessible via the 'Help / ZAP User Guide' menu.
The F1 key will also bring up the help pages and take you straight to the relevant section for the selected tab.
Zest scripts are a great way to automate tasks.
Zest is ZAP's graphical macro language, but provides programming features like conditionals and loops.
Use the 'Record a new Zest script...' button on the main toolbar to quickly record a new Zest script.
You can also 'right click' requests to add them to Zest scripts.