-
Add-ons
- Access Control Testing
-
Active Scan Rules
-
Active Scan Rules - Alpha
-
Active Scan Rules - Beta
-
Advanced SQLInjection Add-on
- AJAX Spider
- Alert Filters
- All In One Notes
-
AMF Support
- Authentication Helper
-
Authentication Statistics
-
Automation Framework
- Automation Framework - About
- Automation Framework - authentication
- Automation Framework - Environment
- Automation Framework - GUI
- Automation Framework - addOns Job
- Automation Framework - activeScan Job
- Automation Framework - delay Job
- Automation Framework - passiveScan-config Job
- Automation Framework - passiveScan-wait Job
- Automation Framework - requestor Job
- Automation Framework - spider Job
- Automation Framework - Options
- Automation Framework - Alert Job Test
- Automation Framework - Monitor Job Test
- Automation Framework - Statistics Job Test
- Automation Framework - URL Presence Job Tests
- Automation Framework - Job Tests
-
Bean Shell Console
-
BIRT Reports
-
Browser View
-
Bug Tracker
-
Call Graph
-
Call Home
- Client Side Integration
-
Code Dx
-
Collection: Pentester Pack
-
Collection: Scan Rules Pack
-
Common Library
-
Community Scripts
- Custom Payloads
-
Custom Report
-
Database Add-on
-
Dev Add-On
-
Diff
-
Directory List v1.0
-
Directory List v2.3
-
Directory List v2.3 LC
- DOM XSS Active Scan Rule
- Encode / Decode / Hash dialog
-
Eval Villain
-
Export Report
- Forced Browse
-
Form Handler
-
Fuzz AI Files
-
FuzzDB Files
-
FuzzDB Offensive
-
FuzzDB Web Backdoors
- Fuzzing
-
Getting Started Guide
-
GraalVM JavaScript
- GraphQL Support
- Groovy Support
- gRPC Support
-
Highlighter
-
HTTPS Info
- The HUD
- Import/Export
-
Import URLs
- Invoke Applications
-
JSON View
-
Kotlin Support
-
Linux WebDrivers
-
Log File Importer
-
MacOS WebDrivers
-
Neonmarker
- Network Add-on
- Out-of-band Application Security Testing Support
-
Online Menu
- OpenAPI Support
- Parameter Digger
-
Passive Scan Rules
-
Passive Scan Rules - Alpha
-
Passive Scan Rules - Beta
- Passive Scanner Add-on
- Plug-n-Hack
- Port Scan
- Postman Support
- Python Scripting
- Quick Start
-
Regular Expression Tester
- Replacer
-
Report Alert Generator
-
Report Generation
- Report Generation - About
- Report Generation API
- Report Generation Automation Framework Support
- Creating Reports
- High Level Report Sample
- Modern HTML Report with themes and options
- Risk and Confidence HTML
- SARIF JSON Report
- Traditional HTML with Requests and Responses
- Traditional HTML
- Traditional JSON Report with Requests and Responses
- Traditional JSON Report
- Traditional Markdown Report
- Traditional PDF
- Traditional XML Report with Requests and Responses
- Traditional XML Report
- Report Templates
- Requester Add-on
- Retest
-
Retire.js
-
Reveal
-
Revisit
-
Ruby Scripting
-
SAML Support
-
Save Raw Message
-
Save XML Message
- Script Console
- Selenium
-
Sequence Scanner
- Server-Sent Events
- SOAP Support
- Spider
-
SVN Digger Files
- Technology Detection
-
Tips and Tricks
-
TLS Debug
- Token Generation and Analysis
-
TreeTools
-
Value Generator
-
ViewState
- WebSockets
-
Windows WebDrivers
-
Zest
-
Releases
- Release 1.0.0
- Release 1.1.0
- Release 1.2.0
- Release 1.3.0
- Release 1.3.1
- Release 1.3.2
- Release 1.3.3
- Release 1.3.4
- Release 1.4.0
- Release 1.4.1
- Release 2.0.0
- Release 2.1.0
- Release 2.10.0
- Release 2.11.0
- Release 2.11.1
- Release 2.12.0
- Release 2.13.0
- Release 2.14.0
- Release 2.15.0
- Release 2.2.0
- Release 2.2.1
- Release 2.2.2
- Release 2.3.0
- Release 2.3.1
- Release 2.4.0
- Release 2.4.1
- Release 2.4.2
- Release 2.4.3
- Release 2.5.0
- Release 2.6.0
- Release 2.7.0
- Release 2.8.0
- Release 2.9.0
-
Getting Started
- Scanner Rules
-
Features
- Add-ons
- Alerts
- Anti CSRF Handling
- API
- Active Scan
- Authentication
- Authentication Methods
- Authentication Verification Strategies
- Breakpoints
- Callbacks
- Contexts
- Custom Page
- Data Driven Content
- Globally Excluded URLs
- HTTP Sessions
- Manipulator-in-the-middle Proxy
- Marketplace
- Modes
- Notes
- Passive Scan
- Software Bill of Materials
- Scan Policy
- Scope
- Scripts
- Session Management
- Sites Tree
- Spider
- Statistics
- Structural Modifiers
- Structural Parameters
- Tags
- Users
- A Basic Penetration Test
- Configuring Proxies
-
Desktop UI Overview
-
Dialogs
- Add Alert dialog
- Add/Edit Breakpoint dialog
- Add Note dialog
- Active Scan dialog
- Encode / Decode / Hash dialog
- Find dialog
- History Filter dialog
- Manual Request Editor dialog
- Manage Add-ons
- Manage History Tags dialog
-
Options dialog
- Options Alerts screen
- Options Anti CRSF screen
- Options API screen
- Options Active Scan screen
- Options Active Scan Input Vectors screen
- Options Breakpoints screen
- Options Callback Address screen
- Options Client Certificate screen
- Options Check for Updates screen
- Options Connection screen
- Options Database screen
- Dynamic SSL Certificates
- Options Extensions screen
- Options Global Exclude URL screen
- Options HTTP Sessions screen
- Options JVM screen
- Options Keyboard screen
- Options language screen
- Options Local Proxies screen
- Options Passive Scan Tags screen
- Options Passive Scanner Screen
- Options Passive Scan Rules Screen
- Options Rule Configuration screen
- Options Scripts screen
- Options Search screen
- Options Spider screen
- Options Statistics screen
- Options Display screen
- Persist Session dialog
- Scan Policy Dialog
- Scan Policy Manager dialog
- Scan Progress Dialog
- Session Properties dialog
- Spider dialog
- Footer
- The Tabs
- Top Level Menu
- Top Level Toolbar
- Views
-
Dialogs
History tab
The History tab shows a list of all of the requests in the order in which they were made.
For each request you can see:
| The request index - each request is numbered, starting at 1 | |
| The HTML method, e.g. GET or POST | |
| The URL requested | |
| The HTTP response code | |
| A short summary of what the HTTP response code means | |
| The length of time the whole request took | |
| Any Alerts on the request | |
| Any Notes you have added to request | |
| Any Tags on the request |
Selecting a requests will display it in the Request tab and Response tab above.
The filter toolbar
A filter toolbar is provided which allows you to restrict which requests are displayed.
Clicking on the 
Filter button displays the History Filter dialog.
A summary of the filter currently applied is displayed to the right of the button.
Right click menu
Right clicking on a node will bring up a menu which will allow you to:
Attack
The Attack menu has the following submenus:
Active Scan…
This will launch the Active Scan dialog which allows you to initiate an active scan with the starting point set to the request you selected.
Spider…
This will launch the Spider dialog which allows you to initiate the spider with the starting point set to the request you selected.
Include in Context
This menu allows you to include the selected nodes and all of their subordinates in the specified context.
You also have the option to create a new context.
The Session Contexts dialog will be displayed to allow you to make any additional changes.
Exclude from Context
This menu allows you to exclude the selected nodes and all of their subordinates from the specified context.
The Session Contexts dialog will be displayed to allow you to make any additional changes.
Flag as context
This menu has the following submenus for each of the contexts you have defined:
Context name Form-based Auth Login request
This identifies the specified node as a login request for the specified context.
You may only have one node identified as such in any one context.
The Session Context Authentication screen will be displayed to allow you to make any additional changes.
Context name JSON-based Auth Login request
This identifies the specified node as a login request for the specified context.
You may only have one node identified as such in any one context.
The Session Context Authentication screen will be displayed to allow you to make any additional changes.
Context name Data driven node
This identifies the specified node as Data driven content for the specified context.
The Session Context Structure screen will be displayed to allow you to make any additional changes.
Exclude from
This menu has the following submenus:
Proxy
This will exclude the selected nodes from the proxy. They will still be proxied via ZAP but will not be shown in any of the tabs.
This can be used to ignore URLs that you know are not relevant to the system you are currently testing.
The nodes can be included again via the Session Properties dialog
Scanner
This will prevent the selected nodes from being actively scanned.
The nodes can be included again via the Session Properties dialog
Spider
This will prevent the selected nodes from being spidered.
The nodes can be included again via the Session Properties dialog
Manage History Tags…
This will bring up the Manage History Tags dialog which allows you to change the tags associated with the request.
Jump to History ID…
This will bring up a dialog prompting for the ID (number) of a history entry you wish to jump to. If the entered ID value is not a visible history item then the nearest ID above the entry will be displayed, if it is beyond the end of the list then the last item in the table will be displayed. Also accessible via CTRL + ALT + J.
Note…
This will bring up the Add Note dialog which allows you to record notes related to the request.
Delete
This will remove the node and all of its children from ZAP.
However they can be added back in, to prevent this use the ‘Exclude from’ menus.
Break…
This will bring up the Add Breakpoint dialog which allows you to set a breakpoint on that URL.
Alerts for this node
If the URL selected has alerts associated with it then they will be listed under this menu.
Selecting one of the alerts will cause it to be displayed.
New Alert…
This will bring up the Add Alert dialog which allows you to manually record a new alert against this request.
Show in Sites tab
This will show the selected message in the Sites tab.
Open URL in Browser
This will open the URL of the selected node in your default browser.
Generate anti CSRF test form
This will open a URL which will give you a generated form for testing for CSRF issues.
It will only be enabled for POST requests, if the API is enabled and if Java supports the opening of URLs in a browser on your platform.
See also
| UI Overview | for an overview of the user interface |