Document DAST useful ZAP configuration values
Problem to solve
DAST uses ZAProxy to run scans. When DAST starts, the ZAProxy server is started, and configuration values are passed to the server at that point. Configuration properties can be set using the `-z "-config [value]"` DAST command line interface option.
We have had support requests recently about how to perform certain actions in DAST, where the solution has been using one of the aforementioned config parameters. The intention of this issue is to collate some of those useful parameters, and document them so that other users can easily find the information that they need.
How do we determine what configuration parameters are available, and what they represent?
- The first step is to determine whether what you're looking to do can be done in ZAP at all. Verify this using the ZAP UI: if something cannot be configured in the ZAP UI, in all likelihood it cannot be configured from the command line either.
- You will then need to look in the source code. This could be in either the zaproxy or the zap-extensions codebase, depending on what you're looking to configure.
- Find the `[Feature]Param` class. There is typically a `[FEATURE]_BASE_KEY` constant which holds the name of the base key. From there you can see other constants with the names of configuration values. You will need to read the code to confirm how these constants are used, but typically the configuration key is a concatenation of the base key and other constants. For example, `AntiCsrfParam` defines `ANTI_CSRF_BASE_KEY` as `anticsrf`, `ALL_TOKENS_KEY` as `[base-key].tokens.token`, and `TOKEN_NAME_KEY` as `name`. You can deduce from this that you can pass `-z '-config anticsrf.tokens.token.name=_token'` into DAST.
- Verify the config parameter works. You can do this by making sure the log file logs the parameter when DAST runs. It can also be helpful to run in debug mode.
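As an added example (not from this issue or the DAST/ZAP projects), the shell snippet below derives a key the way the `AntiCsrfParam` walk-through does and builds one `-z` argument that carries several `-config` pairs, since ZAP accepts `-config` more than once. The `/analyze` invocation, the target URL and the `example.key` pair are assumptions.

```shell
#!/bin/sh
# Added example, not from the issue or the DAST/ZAP projects.

# derive_key BASE PART... : join Param-class constants with '.', the way a
# [Feature]Param class builds ANTI_CSRF_BASE_KEY + ".tokens.token" + "." + TOKEN_NAME_KEY.
derive_key() (
  IFS=.
  printf '%s' "$*"
)

# zap_config_opts KEY=VALUE ... : emit one "-config KEY=VALUE" per pair, space
# separated, so the whole string can be handed to DAST as a single -z argument.
# Rejects anything that is not key=value, and (conservatively, an assumption)
# values containing spaces, which cannot be represented unambiguously in a
# space-separated -z string.
zap_config_opts() {
  out=""
  for pair in "$@"; do
    case "$pair" in
      *=*) ;;
      *) printf 'not key=value: %s\n' "$pair" >&2; return 1 ;;
    esac
    case "$pair" in
      *" "*) printf 'value must not contain spaces: %s\n' "$pair" >&2; return 1 ;;
    esac
    out="${out:+$out }-config $pair"
  done
  printf '%s' "$out"
}

token_key=$(derive_key anticsrf tokens.token name)               # anticsrf.tokens.token.name
opts=$(zap_config_opts "$token_key=_token" "example.key=value")  # example.key is a placeholder
# Assumed DAST invocation: the whole -config list travels as one -z argument.
printf '/analyze -t https://target.example -z "%s"\n' "$opts"
```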
Reference: https://github.com/zaproxy/zaproxy/wiki/FAQconfigValues
Proposal
- Comments are added to this issue as we find more useful `-config` parameters to use
- When there are enough to warrant documentation, we create a new page outlining these values
- Document how to pass more than one configuration value through at a time