Document DAST useful ZAP configuration values
Problem to solve
DAST uses ZAProxy to run scans. When DAST starts, the ZAProxy server is started. At this point, configuration values are passed to the server. Configuration properties can be configured using the `-z"-config [value]"` DAST command line interface option.
We have had support requests recently about how to perform certain actions in DAST, where the solution has been using one of the aforementioned config parameters. The intention of this issue is to collate some of those useful parameters, and document them so that other users can easily find the information that they need.
How do we determine what configuration parameters are available, and what they represent?
The first step is to determine if what you're looking to do can be done in ZAP. This should be verified using the ZAP UI. If something cannot be configured in the ZAP UI, in all likelihood it will not be able to be configured using the command line.
The next step is to find the relevant `[Feature]Param` class in the ZAP source code. There is typically a `[FEATURE]_BASE_KEY` constant which holds the name of the base key. From there you can see other constants with the names of configuration values. You will need to read the code to confirm how these constants are used, but typically the configuration value is a concatenation of the base key and other constants. For example, `TOKEN_NAME_KEY`: `name`. You can deduce from this that you can pass `-z'-config anticsrf.tokens.token.name=_token'` into DAST.
Verify that the config parameter works by checking that the parameter appears in the log file when DAST runs. Running in debug mode can also help.
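As an added example (not code from the issue or from ZAP itself), the key-deduction step above carried out in Python: a small resolver that reads the `static final String` constants of a `[Feature]Param` class and expands their concatenations into the full configuration key, then formats it as the DAST option. The Java snippet is constructed to mirror the pattern described; the class and constant names are assumed, and only the `anticsrf.tokens.token.name` key comes from the issue.

```python
import re

# Constructed sample modelled on the ZAP [Feature]Param pattern the issue describes.
# It is not copied from the ZAP source: class and constant names are assumed, and only
# the key "anticsrf.tokens.token.name" comes from the issue's own example.
SAMPLE_PARAM_CLASS = """
public class AntiCsrfParam extends AbstractParam {
    private static final String ANTI_CSRF_BASE_KEY = "anticsrf";
    private static final String ALL_TOKENS_KEY = ANTI_CSRF_BASE_KEY + ".tokens.token";
    private static final String TOKEN_NAME_KEY = "name";
    private static final String PARTIAL_MATCHING_KEY = ANTI_CSRF_BASE_KEY + ".partialMatching";
}
"""

# `static final String NAME = <expr>;` declarations; an <expr> token is a quoted literal or a constant reference.
CONST_RE = re.compile(r"static\s+final\s+String\s+(?P<name>\w+)\s*=\s*(?P<expr>[^;]+);")
TOKEN_RE = re.compile(r'"(?P<lit>[^"]*)"|(?P<ref>[A-Za-z_]\w*)')

def parse_constants(java_src):
    """Return {constant name: unresolved right-hand side} for a Param class."""
    return {m["name"]: m["expr"].strip() for m in CONST_RE.finditer(java_src)}

def resolve(name, consts, _seen=frozenset()):
    """Expand a constant to its literal value, following `A + ".b"` concatenations.
    Unknown names raise KeyError and self-referencing definitions raise ValueError,
    so a mis-read class fails loudly instead of yielding a wrong key."""
    if name in _seen:
        raise ValueError(f"cyclic constant definition: {name}")
    if name not in consts:
        raise KeyError(name)
    parts = []
    for tok in TOKEN_RE.finditer(consts[name]):
        if tok["lit"] is not None:
            parts.append(tok["lit"])
        else:
            parts.append(resolve(tok["ref"], consts, _seen | {name}))
    return "".join(parts)

def config_key(prefix_const, leaf_const, consts):
    """Join a resolved prefix constant and a leaf constant into a full ZAP config key."""
    return f"{resolve(prefix_const, consts)}.{resolve(leaf_const, consts)}"

def dast_option(key, value):
    """Format one key/value pair as the -z"-config ..." DAST option shown in the issue."""
    return f'-z"-config {key}={value}"'

if __name__ == "__main__":
    consts = parse_constants(SAMPLE_PARAM_CLASS)
    print(dast_option(config_key("ALL_TOKENS_KEY", "TOKEN_NAME_KEY", consts), "_token"))
```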
- Comments are added to this issue as we find more useful `-config` parameters to use
- When there are enough to warrant documentation we create a new page outlining these values
- Document how to pass more than one configuration value through at a time