ZAPit

Quick Start add-on supports the following Command Line option to perform a quick ‘reconnaissance’ scan of the URL specified.

You can specify multiple URLs by specifying the option multiple times:

-zapit https://www.example1.com -zapit http://example2.com/ -cmd

The -cmd option must be specified, if it is not then the -zapit option will be ignored.

If you do not specify a URL beginning with either http:// or https:// then ZAP will scan both of those schemes.

The ZAPit Scan will start a new ZAP session before it performs a scan, so do not start ZAP with a session that you want to keep.

The ZAPit scan currently:

Makes one request to the target URL
Reports key details about all of the requests and responses made (e.g. due to redirects)
Reports any technology found by the Technology Detection add-on (if installed)
Reports a summary of the alerts found
Reports some stats from the root URL

Example output:

ZAPit scan of https://www.example.com
Requests:
	https://www.example.com
		Request took 325 msec
		Response code 200 (OK)
		Response body size 1,256 bytes
		No request cookies
		No response cookies
Technology:
	Amazon ECS
	Amazon Web Services
	Azure
	Azure CDN
	Docker
Number of alerts: 9
	Medium: Content Security Policy (CSP) Header Not Set : ""
	Medium: Missing Anti-clickjacking Header : "x-frame-options"
	Low: Permissions Policy Header Not Set : ""
	Low: Server Leaks Version Information via "Server" HTTP Response Header Field : "ECS (dcb/7EC9)"
	Low: Strict-Transport-Security Header Not Set : ""
	Low: X-Content-Type-Options Header Missing : "x-content-type-options"
	Informational: Re-examine Cache-control Directives : "max-age=604800"
	Informational: Retrieved from Cache : "HIT"
	Informational: Storable and Cacheable Content : "max-age=604800"
Root page stats:
	Content type: text/html; charset=UTF-8
	Number of HTML tags: 24
	Number of HTML links: 1
	Number of HTML forms: 0
	Number of HTML input fields: 0

This feature is at an early stage and more enhancements are planned.

ZAPit

See also