Reputation: 1
I'm looking to improve the accuracy and confidence in my ZAP scanning. It's attacking a site with the following example structure:
<URL>/api/people/<adultName>/children/<childName>
In this example, valid data for childName is obviously dependent on the adultName. When attacking with ZAP, the only URLs that get generated are variants of:
localhost/api/people/adultName/children/childName
It would be ideal if I could provide ZAP working examples for adultName/childName so it can test scenarios when the data is correct, i.e. bypassing the 400-based error code and testing other parts of the application.
I can mark paths as DDN but there doesn't seem to be a way of providing the test data to go along with it. With login credentials, you can provide explicit username/password combinations, but it feels strange that I can't with other URL-based data. What am I missing?
Upvotes: -1
Views: 46
Reputation: 6216
There's an easy way to provide ZAP with test data, just proxy requests with that data in through ZAP :) You can proxy unit tests through ZAP if you have them - they are usually a good source of test data.
Upvotes: 1
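The approach from the answer above, as an added example that is not part of the original posts: a small script that sends one request per known-good adultName/childName pair through the ZAP proxy, so those URLs are recorded in ZAP's history before scanning. The proxy address (ZAP's default local proxy on 127.0.0.1:8080), the target host `target.example`, and the sample names are assumptions constructed for illustration.

```python
"""Seed ZAP with valid adult/child URL pairs by proxying requests through it."""
import urllib.error
import urllib.request
from urllib.parse import quote

# Assumptions (not from the original posts): ZAP's local proxy listens on
# 127.0.0.1:8080 and the application under test is at http://target.example.
ZAP_PROXY = "http://127.0.0.1:8080"
TARGET_BASE = "http://target.example"

# Constructed sample data: each adult maps to the children valid for it.
VALID_PAIRS = {
    "alice": ["bob", "carol"],
    "dave o'neil": ["eve"],
}


def build_seed_urls(base, pairs):
    """Return one URL per valid (adultName, childName) combination."""
    urls = []
    for adult, children in pairs.items():
        for child in children:
            # Percent-encode each path segment so names containing spaces
            # or slashes cannot change the route structure.
            urls.append(f"{base.rstrip('/')}/api/people/{quote(adult, safe='')}"
                        f"/children/{quote(child, safe='')}")
    return urls


def seed_through_zap(urls, proxy=ZAP_PROXY, timeout=10):
    """GET each URL via the ZAP proxy; return {url: status or error text}."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    results = {}
    for url in urls:
        try:
            with opener.open(url, timeout=timeout) as resp:
                results[url] = resp.status
        except urllib.error.HTTPError as exc:
            results[url] = exc.code  # e.g. 400: the pair was not valid data
        except (urllib.error.URLError, OSError) as exc:
            results[url] = f"error: {exc}"  # proxy or target unreachable
    return results


if __name__ == "__main__":
    seeded = seed_through_zap(build_seed_urls(TARGET_BASE, VALID_PAIRS))
    for url, outcome in seeded.items():
        print(outcome, url)
```

Any pair that comes back with a 400 is not valid test data and is worth fixing in `VALID_PAIRS` before relying on it for the scan.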