Skip to content

DevExtending

thc202 edited this page Jun 14, 2021 · 9 revisions
Clone this wiki locally

Extending ZAP

There are various ways you can extend ZAP, as documented below.

Note that this is just an overview, there are some basic working examples in the ZAP Extensions project which will be added to in the future.

If you have any questions then please ask them on the zaproxy-develop Google Group.

Auto tag regexs

You can get ZAP to automatically tag requests and responses via:

Tools / Options... / Passive Scan / "Add / Edit scan definition"

Invoking other applications

You can invoke other applications from ZAP passing across the context information.

For more details see the Options Application screen in the User Guide.

Custom Fuzzing files

You can add your own fuzzing files by via:

Tools / Options... / Fuzzer / Add custom Fuzz file

Custom Forced Browse files

You can add your own forced browse files by via:

Tools / Options... / Forced Browse / Add custom Forced Browse file

API

The REST based API allows 'external' applications to access ZAP data and to invoke ZAP functionality.

Full API documentation is now available at https://www.zaproxy.org/docs/api/

Active Scan Rules

Active Scan rules find potential vulnerabilities by attacking the target application.

New Active Scan rules should be added to ascanrulesAlpha add-on.

Active scan rules are loaded from the respective add-ons found in the plugin directory.

Passive Scan Rules

Passive Scan rules find potential vulnerabilities just by examining the requests and responses in a background thread. They should not make any changes.

New Passive Scan rules should be added to pscanrulesAlpha add-on package.

Passive scan rules are loaded from the respective add-ons found in the plugin directory.

Extensions

Full extensions can add functionality to ZAP, including new tabs, pop windows, menu items etc.

For more details see ZAP Extensions