Computers, Programming, Technology, Music, Literature

Archive for the ‘OWASP ZAP’ Category

OWASP ZAP: Global Exclude URL (Beta) – bug and fix


As you proxy your browser traffic through OWASP ZAP, chances are that you are annoyed by noise. That is, by default, browsers these days make a lot of requests to check for version updates, refresh caches, update add-ons and what not. It gets really difficult to focus on the website at hand when you have other sites cluttering your Sites and History tabs.

The Global Exclude URL functionality was supposed to work and it did work partially.

There was a minor bug and that was fixed. A screen recording of the bug and the bug-fix URL are below:

Global Exclude URL (beta) – after close and reopen does not pick up added regex for excluding URLs #3275




Written by gmaran23

March 22, 2017 at 2:08 am

OWASP ZAP Development – Fixing the Can’t find bundle for base name lang.Messages error



I have been generating the API files for OWASP ZAP DOT NET API since its inception. There is the core zaproxy project that has the class. And there is the extensions project, including the beta and alpha.


Now, when I tried to generate the ‘non-optional’, i.e. the core, API files for .Net, everything would work fine and the API files would be generated as below.



OWASP ZAP is internationalized, so the source code comes with a bunch of resource bundles with supporting language files.

When you try to generate the API files for the extensions project, you get this wonderful error message.

Exception in thread "main" java.util.MissingResourceException: Can’t find bundle for base name lang.Messages, locale en
    at java.util.ResourceBundle.throwMissingResourceException(
    at java.util.ResourceBundle.getBundleImpl(
    at java.util.ResourceBundle.getBundle(
    at org.zaproxy.zap.extension.api.AbstractAPIGenerator.<init>(
    at org.zaproxy.zap.extension.api.JavaAPIGenerator.<init>(
    at org.zaproxy.zap.extension.ApiGenerator.main(



I have fixed this error message before when I was trying to generate the api files back in 2015. Running in debug mode and stepping through pointed out that the zaproxy core project had the resource files under a directory that was not available to the extensions project.

This error was gruesome.

In the end all I had to do was copy the contents of the workspaceowaspzap\zaproxy\src\lang directory to workspaceowaspzap\zap-extensions\bin\lang.

That’s it. Do the same thing for the alpha and beta extensions’ bin directories too.



Cheers. Try the OWASP ZAP DOT NET API available at

Written by gmaran23

March 22, 2017 at 1:46 am

Downloading and Building OWASP ZAP source from Github using Eclipse IDE



Download this blog as PDF – 


This is a quick and dirty blog for those that are new to Eclipse IDE and want to try tweaking the OWASP Zed Attack Proxy’s code. I must say that you might stumble upon this well written guide titled “Building OWASP ZAP Using Eclipse IDE for Java… Pen-Testers” here - . The first time I was trying to build ZAP with Eclipse, this guide was my complete reference. However, OWASP ZAP’s code was recently moved to GitHub in the month of May-June 2015, rendering that guide obsolete and my OWASP ZAP Eclipse workspace – connected to google code SVN – a little defunct. Raul Siles, the author of the above guide, would update it for changes with respect to the GitHub move.

Recently I was trying to download OWASP ZAP’s code from GitHub and build it because the existing code from SVN (google code) went obsolete. I am not an advanced Eclipse user or Java developer and I was a little lost trying to clone the new OWASP ZAP GitHub repo into my Eclipse. As I was trying, I took screenshots and ended up posting them in this blog. Remember, this blog is not a step by step instruction, but a quick and dirty set of steps (5 major steps) to get OWASP ZAP’s code running in your Eclipse IDE.

Glimpse through the articles titled

  1. Building OWASP ZAP Using Eclipse IDE for Java… Pen-Testers
  2. Building ZAP (,
  3. Downloading and Building OWASP ZAP source from Github using Eclipse IDE (this article)

and I am sure you’d get ZAP running on your Eclipse IDE.


Download Eclipse

…  from If you are confused which edition to download, pick the Eclipse IDE for Java Developers



When you open Eclipse for the first time choose the default workspace and proceed. If you’d like, create a workspace such as workspaceowaspzap like I did. Refer to Raul Siles’ guide for workspace screenshots.

Make sure you have EGit plugin installed. If you are a prime time command liner with Git you may not need this plugin.

If you have downloaded Eclipse IDE for Java Developers, then please ensure that in the Eclipse Installation Details you have the three components highlighted below:

  1. Eclipse Git Team Provider
  2. Java Implementation of Git
  3. Mylyn Versions Connector: Git

At the time of this writing Eclipse IDE for Java Developers comes with all required plugins to work with Git (and hence GitHub).



Add a Git Perspective

… to view Git Repositories and related views.

Hit the Open Perspective button at the top right corner.


Choose Git at the Open Perspective Dialog


Hit OK to view the Git Repositories view.


Tip: From time to time you could hit the Java perspective to view the Java related tools and views, and the Git perspective to view your Git Repositories.



If you look in Windows Explorer at the workspace we chose when opening Eclipse, it now has just one folder named .metadata. Time to download the code from 




Downloading the OWASP ZAP’s code

Choose File –> Import


Select Team –> Team Project Set. Hit Next.


In the Team Project Set Dialog, Input the Url – 
and hit Finish.


Tip: Always refer to the recent project set Url available at




Wait for the ZAP projects to be downloaded and built

Watch the progress as the Git Repositories view would show projects as and when they are downloaded


Once all the ZAP projects are downloaded, the Git Repositories view of your workspace should look like below. The approximate size of the workspace with all the ZAP code summed up to 2.27 GB for me (on July 4 2015).



Run ZAP’s source and start playing (and contributing)

Switch to the Java perspective


In the Package Explorer, right click zaproxy and choose Run As –> Java Application


Eclipse would search for the Main types. In the Select Java Application dialog choose ZAP and hit OK


Witness the Console Logs


Start ZAPping



Tip: You can also start ZAP by hitting the play button in Eclipse


If you encounter any problems, try fixing it yourself first – spend a day or two; as a last resort, post at the ZAP Developer group here –!forum/zaproxy-develop

Written by gmaran23

July 5, 2015 at 1:25 pm

OWASP ZAP Demonstration at OWASP Bangalore/Null meet on 22 Nov 2014



The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. Originally a fork of the Paros Proxy project, ZAP targets a wide range of software professionals, right from a software developer to a penetration tester, working on any platform that supports Java. Equipped with a myriad of features and support for custom addons, ZAP is fully documented in an easy to understand language.

We will see a demonstration of how to set it up and how to use it.
Marudhamaran Gunasekaran

Starts at Saturday November 22 2014, 12:15 PM. The session runs for about 1 hour.

Written by gmaran23

June 1, 2015 at 10:33 pm

Practical Security Testing For Developers Using OWASP ZAP at Dot Net Bangalore 3rd meet up on Feb 21 2015





Title: Practical Security Testing for Developers using OWASP ZAP
Abstract: Every time an application faces the world wide web, it inherently becomes vulnerable to attacks. The attackers could be script kiddies or joyriders, ranging from hobbyists to downright hostile. The earlier in the development cycle you find the vulnerabilities, the easier they are to fix and test. OWASP ZAP is a free and open source penetration testing tool for finding vulnerabilities in web applications; widely used by security professionals, it is also ideal for anyone new to web application security and includes features specifically aimed at developers. This session demonstrates some attacks against web applications and how OWASP ZAP could be used to find those vulnerabilities, both manually and in automated builds.
Gist: See live attacks against web applications and how OWASP ZAP could be used to find those vulnerabilities, both manually and in automated builds.
Speaker: Marudhamaran Gunasekaran
Time & Venue: 21 Feb 2015 @ Dot Net Bangalore 2nd meet up

OWASP ZAP : Workaround – Html Report from APIs daemon mode



Ok, maybe the title is a bit misleading. The post below is going to show you a few workarounds that you can use to generate (or mimic) an HTML report when running OWASP ZAP automated in headless mode.

Zed Attack Proxy (ZAP), as of the version 2.3.1 stable release, provides options to generate an XML report and an HTML report for the alerts found. We can get these two reports from the UI via the Report menu.

Use case:

One of the unique features of ZAP is the REST API that aids in automating scans. When running ZAP in daemon mode and driving it through the REST API, there are a number of ways to harvest the alerts identified by ZAP.

Here are a couple of them:

  1. alerts based on id (http://localhost:7070/UI/core/view/alert/)
  2. alerts for the baseurl (http://localhost:7070/UI/core/view/alerts/)
  3. xmlreport (http://localhost:7070/UI/core/other/xmlreport/) [Same as clicking Report –> Generate Xml Report…]

Using the API and your favorite programming language, you could very well gather the alerts and decide what you want to do with them.


One convenience would be to pull an HTML report out of the scan and mail it to the application owners or ourselves so the findings could be fixed. There is an enhancement request open on the project’s page –

Until the feature is available in the next stable release, I decided to live with a couple of workarounds. There is a workaround in python, and there is also a workaround in exe form (written in C#). They are not perfect in terms of formatting, but they are close enough to the original HTML report generated through the ZAP UI.


Download from here –


Workaround #1:

A python script to inject an XSLT stylesheet reference into the XML report file generated through the API. Use the sample function to insert the sample stylesheet (ZapReport.xslt) into the generated XML file. Needless to say, ZapReport.xslt and the XML report file should be in the same location.

If you need to email the XML report, zip it together with the XSLT file, so that when unzipped the XSLT file resides in the same location as the XML file.

When the XML file is opened in Firefox or IE –> see the formatting in action! (Does not work in Chrome though.)

import io

def InsertXSLTSheetIntoXmlReport(xmlreportfile, xsltfile, xmlreportfileout):
    # The xml-stylesheet processing instruction is appended right after the XML declaration
    texttofind = '<?xml version="1.0" encoding="UTF-8"?>'
    texttoreplace = '<?xml version="1.0" encoding="UTF-8"?><?xml-stylesheet type="text/xsl" href="{0}" ?>'.format(xsltfile)
    with io.open(xmlreportfile, 'r', encoding="utf8") as f:
        xmlreport = f.read()
    xmlreportstyleinserted = xmlreport.replace(texttofind, texttoreplace)
    with io.open(xmlreportfileout, 'w', encoding="utf8") as f:
        f.write(xmlreportstyleinserted)

InsertXSLTSheetIntoXmlReport('SampleOWASPZAPReport.xml', 'ZapReport.xslt', 'SampleOWASPZAPReport-Mod.xml')
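As an added example that is not part of the original post (and not ZAP’s own code), the following Python builds a minimal HTML report straight from the XML report using only the standard library, so it also serves where the stylesheet route is unavailable (Chrome, or no .Net), and inserts the xml-stylesheet processing instruction without depending on the exact text of the XML declaration. The embedded sample report is constructed to mirror the shape of a ZAP 2.3.x XML report (OWASPZAPReport / site / alerts / alertitem) and is not real scan output; the function names are mine. Every field is HTML-escaped before it reaches the report, because alert names, attack strings and evidence reflect content from the scanned site, and an unescaped report would render that content as markup in the reader’s browser.

```python
"""Build a minimal HTML report from a ZAP XML report (added example, not ZAP code)."""
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the shape of a ZAP 2.3.x XML report; not real scan output.
# The <attack> value deliberately contains markup to show that escaping matters.
SAMPLE_XML_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<OWASPZAPReport version="2.3.1" generated="Tue, 13 Jan 2015 21:00:00">
  <site name="http://example.test" host="example.test" port="80" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>40012</pluginid>
        <alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <riskdesc>High (Medium)</riskdesc>
        <desc>User input is echoed into the page unencoded.</desc>
        <uri>http://example.test/search?q=x</uri>
        <param>q</param>
        <attack>&lt;i&gt;test&lt;/i&gt;</attack>
        <solution>Encode output and validate input.</solution>
        <count>1</count>
      </alertitem>
      <alertitem>
        <pluginid>10021</pluginid>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <riskdesc>Low (Medium)</riskdesc>
        <desc>The Anti-MIME-Sniffing header X-Content-Type-Options was not set.</desc>
        <uri>http://example.test/</uri>
        <param></param>
        <attack></attack>
        <solution>Set X-Content-Type-Options: nosniff.</solution>
        <count>3</count>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}


def insert_stylesheet_pi(xml_text, xslt_href):
    """Insert the xml-stylesheet PI directly after the XML declaration, whatever its
    exact quoting or whitespace; if there is no declaration, put the PI first."""
    pi = '<?xml-stylesheet type="text/xsl" href="{}"?>'.format(html.escape(xslt_href, quote=True))
    m = re.match(r'\s*<\?xml\s[^?]*\?>', xml_text)
    if m:
        return xml_text[:m.end()] + "\n" + pi + xml_text[m.end():]
    return pi + "\n" + xml_text


def parse_alerts(xml_text):
    """Return one dict per alertitem across all <site> elements, highest risk first."""
    root = ET.fromstring(xml_text)
    alerts = []
    for site in root.iter("site"):
        for item in site.iter("alertitem"):
            alerts.append({
                "site": site.get("name", ""),
                "name": (item.findtext("alert") or "").strip(),
                "riskcode": (item.findtext("riskcode") or "0").strip(),
                "uri": item.findtext("uri") or "",
                "param": item.findtext("param") or "",
                "attack": item.findtext("attack") or "",
                "solution": item.findtext("solution") or "",
                "count": int((item.findtext("count") or "1").strip()),
            })
    alerts.sort(key=lambda a: int(a["riskcode"]), reverse=True)
    return alerts


def summarize(alerts):
    """Count alerts per risk level, e.g. {'High': 1, 'Low': 1}."""
    summary = {}
    for a in alerts:
        level = RISK_NAMES.get(a["riskcode"], "Unknown")
        summary[level] = summary.get(level, 0) + 1
    return summary


def render_html(alerts, title="OWASP ZAP Scan Report"):
    """Render the alerts as an HTML table. Every cell is escaped: alert text, attack
    strings and evidence can carry markup taken from the target's responses."""
    esc = lambda s: html.escape(str(s), quote=True)
    rows = []
    for a in alerts:
        rows.append("<tr>" + "".join("<td>{}</td>".format(esc(v)) for v in (
            RISK_NAMES.get(a["riskcode"], "Unknown"), a["name"], a["site"],
            a["uri"], a["param"], a["attack"], a["count"])) + "</tr>")
    summary = ", ".join("{}: {}".format(esc(k), v) for k, v in sorted(summarize(alerts).items()))
    return ('<!DOCTYPE html><html><head><meta charset="utf-8"><title>{t}</title></head><body>'
            '<h1>{t}</h1><p>{s}</p><table border="1"><tr><th>Risk</th><th>Alert</th><th>Site</th>'
            '<th>URL</th><th>Parameter</th><th>Attack</th><th>Count</th></tr>{r}</table></body></html>'
            ).format(t=esc(title), s=summary, r="".join(rows))


def xml_report_to_html(xml_text):
    """Convenience wrapper: XML report text in, self-contained HTML report out."""
    return render_html(parse_alerts(xml_text))


if __name__ == "__main__":
    print(insert_stylesheet_pi(SAMPLE_XML_REPORT, "ZapReport.xslt").splitlines()[1])
    print(xml_report_to_html(SAMPLE_XML_REPORT))
```

To use it on a real run, read the text returned by the xmlreport API call (or the file you saved from it) and pass it to xml_report_to_html; the resulting HTML is self-contained, so it can be mailed without shipping a stylesheet alongside.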


There is also another xslt template available from


Workaround #2:

Use the command line program named XmlToHtmlWithXSLT.exe (requires .Net 4.0) as below to obtain an HTML report as output.

XmlToHtmlWithXSLT.exe SampleOWASPZAPReport.xml ZapReport.xslt converted.html


If you don’t have .Net 4.0, use the source below to recompile to any .Net version.

using System;
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.Xsl;

namespace XmlToHtmlWithXSLT
{
    class Program
    {
        static void Main(string[] args)
        {
            // Usage: XmlToHtmlWithXSLT.exe <report.xml> <stylesheet.xslt> <output.html>
            string inputXmlFileName = args[0];
            string xsltfile = args[1];
            string outputHtmlFileName = args[2];

            XslCompiledTransform transform = LoadXsltTransform(xsltfile);

            StringWriter transformedToHtml = ApplyXsltTransform(inputXmlFileName, transform);

            WriteHtmlToFile(outputHtmlFileName, transformedToHtml);

            PrintStatus(outputHtmlFileName);
        }

        private static XslCompiledTransform LoadXsltTransform(string xsltfile)
        {
            XslCompiledTransform transform = new XslCompiledTransform();
            // DTD processing is switched off so neither input file can pull in external entities
            using (XmlReader reader = XmlReader.Create(xsltfile, new XmlReaderSettings() { DtdProcessing = DtdProcessing.Ignore }))
            {
                transform.Load(reader);
            }
            return transform;
        }

        private static StringWriter ApplyXsltTransform(string inputXmlFileName, XslCompiledTransform transform)
        {
            StringWriter transformedToHtml = new StringWriter();
            using (XmlReader reader = XmlReader.Create(inputXmlFileName, new XmlReaderSettings() { DtdProcessing = DtdProcessing.Ignore }))
            {
                transform.Transform(reader, null, transformedToHtml);
            }
            return transformedToHtml;
        }

        private static void WriteHtmlToFile(string outputHtmlFileName, StringWriter transformedToHtml)
        {
            using (StreamWriter outputFileStream = new StreamWriter(new FileStream(outputHtmlFileName, FileMode.Create)))
            {
                outputFileStream.Write(transformedToHtml.ToString());
            }
        }

        private static void PrintStatus(string outputHtmlFileName)
        {
            Console.WriteLine("Output Written to {0}", outputHtmlFileName);
        }
    }
}


Until the enhancement request ( is completed, these are some workarounds that I personally could live with; maybe you can too, for your automation needs.

Worth looking at –

Written by gmaran23

January 13, 2015 at 9:52 pm

Plug-n-Hack and ZAP: manually changed proxy settings after initial pnh configuration



Plug-n-Hack introduces and proposes new standards to integrate security tools with browsers, enabling communication between them. OWASP ZAP has inbuilt support for Plug-n-Hack (pnh), which allows you to configure Firefox to change its proxy settings so that OWASP ZAP can watch the Firefox traffic.

Configuration is child’s play. Point your browser to the ZAP proxy address, follow the instructions, and you are done. Just like the gif image below.

Plug-n-Hack and Zap

This changes Firefox to use a proxy configuration provided via the http://localhost:7070/proxy.pac file.


All works.

But, out of curiosity, if you went and changed the Firefox proxy settings to No Proxy, Auto-detect proxy settings for this network, or Use system proxy settings, then the Firefox traffic would not be proxied through ZAP, which is expected, right? That works just fine.

However, when you want Firefox traffic to be proxied through ZAP again, you would copy and paste the ZAP pnh address (http://localhost:7070/pnh) into Firefox again, and Firefox would then say “A provider with this name has already been configured”.


What is your expectation now?

I don’t know; as a user, my expectation when I pasted the http://localhost:7070/pnh url in Firefox is that it should configure my browser to route its traffic via ZAP. But that does not happen.

How to fix?

You can override the proxy settings yourself. Or you can use pnh to clear and remove the existing configuration and then point Firefox to http://localhost:7070/pnh again.

Press Shift + F2 in Firefox and then run these two commands:


pnh config clear 'OWASP ZAP'

pnh config remove 'OWASP ZAP'




Written by gmaran23

November 19, 2014 at 6:13 pm