
Document DAST useful ZAP configuration values

Problem to solve

DAST uses ZAProxy to run scans. When DAST starts, it starts the ZAProxy server and passes configuration values to it. Configuration properties can be set using the -z"-config [value]" DAST command line interface option.

We have had support requests recently about how to perform certain actions in DAST, where the solution has been using one of the aforementioned config parameters. The intention of this issue is to collate some of those useful parameters, and document them so that other users can easily find the information that they need.

How do we determine what configuration parameters are available, and what they represent?

  1. The first step is to determine whether what you're looking to do can be done in ZAP at all. Verify this using the ZAP UI: if something cannot be configured in the ZAP UI, it is unlikely that it can be configured from the command line.

  2. You will then need to look in the source code. This could either be in the zaproxy or the zap-extensions codebase, depending on what you're looking to configure.

  3. Find the [Feature]Param class. There is typically a [FEATURE]_BASE_KEY constant that holds the name of the base key. From there you can see other constants holding the names of configuration values. You will need to read the code to confirm how these constants are used, but typically the configuration key is a concatenation of the base key and the other constants. For example, AntiCsrfParam defines ANTI_CSRF_BASE_KEY:anticsrf, ALL_TOKENS_KEY:[base-key].tokens.token and TOKEN_NAME_KEY:name. You can deduce from this that you can pass -z'-config anticsrf.tokens.token.name=_token' into DAST.

  4. Verify that the config parameter works. You can do this by checking that the log file records the parameter when DAST runs. It can also be helpful to run DAST in debug mode.

Reference: https://github.com/zaproxy/zaproxy/wiki/FAQconfigValues
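As an added example (not code from this issue or from the DAST or ZAP projects), the following Python builds the full config key from the AntiCsrfParam constants quoted above, composes the -z argument DAST forwards to ZAP, and checks a log excerpt for the applied override. It assumes ZAP accepts -config repeated once per key=value, and the log line and second key are constructed placeholders.

```python
import shlex

# Constants as named on the page for ZAP's AntiCsrfParam; "[base-key]"
# marks where the Param class substitutes the base key.
ANTI_CSRF_BASE_KEY = "anticsrf"
ALL_TOKENS_KEY = "[base-key].tokens.token"
TOKEN_NAME_KEY = "name"

# Constructed log excerpt (assumption: the real format may differ).
SAMPLE_LOG = (
    "INFO  Starting ZAP\n"
    "INFO  Override config: anticsrf.tokens.token.name=_token\n"
)


def resolve_key(base_key, *parts):
    """Join Param-class constants into one dotted config key, replacing the
    [base-key] placeholder the way the Param class concatenates it."""
    segments = [p.replace("[base-key]", base_key).strip(".") for p in parts]
    return ".".join(s for s in segments if s)


def dast_z_option(overrides):
    """Build the single -z argument for DAST from {key: value} overrides.
    Assumption: ZAP accepts -config repeated once per key=value pair."""
    if not overrides:
        raise ValueError("at least one override is required")
    for key in overrides:
        segments = key.split(".")
        # Reject empty segments, whitespace and '=' so the key parses cleanly.
        if any(not s or " " in s or "=" in s for s in segments):
            raise ValueError(f"malformed config key: {key!r}")
    inner = " ".join(f"-config {k}={v}" for k, v in overrides.items())
    # shlex.quote yields the -z'-config ...' form used in this issue.
    return "-z" + shlex.quote(inner)


def overrides_seen_in_log(log_text, overrides):
    """Step 4: return only the overrides whose key=value pair the log records."""
    return {k: v for k, v in overrides.items() if f"{k}={v}" in log_text}


if __name__ == "__main__":
    key = resolve_key(ANTI_CSRF_BASE_KEY, ALL_TOKENS_KEY, TOKEN_NAME_KEY)
    overrides = {key: "_token", "placeholder.other.key": "1"}
    print(dast_z_option(overrides))
    print(overrides_seen_in_log(SAMPLE_LOG, overrides))
```

A key that does not appear in the log output is the signal to go back to step 3 and re-check how the Param class concatenates its constants.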

Proposal

  • Comments are added to this issue as we find more useful -config parameters to use
  • When there are enough to warrant documentation, we create a new page outlining these values
  • Document how to pass more than one configuration value through at a time