Community - Tips and Tricks
We’ve established a community area to publish people’s Tips and Tricks for using ZAP and its add-ons. Please feel free to open PRs with your best ideas.
Inspiration
Inspired by burp-match-replace and a few related tweets, I created the first bit of content: Match and Replace ZAP.
Initial Content
That first contribution covers a bunch of things that can be done with ZAP’s Replacer add-on, including but not limited to:
- Finding hidden buttons, forms, and other UI elements
- Changing false to true
- Bypassing WAFs (by adding various headers)
- Finding IDOR or XSS
- Finding various CVEs
The entries include descriptions, screenshots, and standalone JavaScript snippets which will populate the related Replacer rules (in a disabled state).