Script Security

ZAP has a very powerful scripting capability and supports the following scripting languages:

For more details on ZAP’s security posture see the FAQ: What is ZAP’s assurance case?

Script Capabilities

As noted on the Script Console page:

⚠️ Warning

Scripts run with the same permissions as ZAP, so do not run any scripts that you do not trust!

All scripts can call other scripts, and any command line tools that are accessible to them under the OS permissions ZAP runs with. Scripts can access any online services unless restricted by firewalls or similar. Scripts can typically access the Java runtime, which gives them the same access to the file system as ZAP itself.

The one exception is Zest: Zest scripts cannot run command line tools except via other scripts, and cannot directly access arbitrary JVM features.

ZAP Scripts

All of the script add-ons define templates in the relevant languages.

Various ZAP add-ons and packages include scripts:

All scripts included in ZAP add-ons and packages have been reviewed by at least two members of the Core Team, and none of them should allow arbitrary code execution.

User Defined Scripts

Users can add scripts to ZAP in a variety of ways:

  • Command Line
    • It is possible to add and run arbitrary scripts from the command line.
    • Anyone able to start ZAP from the command line is treated as a super user.
  • Desktop GUI
    • The desktop GUI has full access to the ZAP scripting framework.
    • Desktop users are treated as super users.
  • API
    • It is possible to add and run arbitrary scripts via the API.
    • Anyone with API access is treated as a super user.
    • By default the API is protected by a key, and access to the API from remote machines is disabled.
  • Automation Framework (AF) plans
    • AF plans can include inline scripts written in any of the languages supported by ZAP, so anyone who can supply a plan that ZAP will run is likewise treated as a super user.
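The API path above is the one that matters most in practice, because it is reachable without the desktop. As an added example (not ZAP's own code, nor the official API client), the following Python helper builds a ZAP JSON API request that carries the key in the `X-ZAP-API-Key` header instead of the `apikey` query parameter, so the key does not end up in request logs, browser history or generated pages. The base URL and key are assumed placeholder values, and `script/action/load` with its `scriptName`/`scriptType`/`scriptEngine`/`fileName` parameters is the very call that loads an arbitrary script file, so it is only ever usable with a valid key.

```python
import json
import urllib.parse
import urllib.request

# Assumed values for this illustration: a ZAP instance on the default local
# port, and a key copied from Tools > Options > API. Replace with your own.
ZAP_BASE = "http://127.0.0.1:8080"
API_KEY = "change-me-to-your-zap-api-key"


def build_request(component, kind, name, params=None, base=ZAP_BASE, api_key=API_KEY):
    """Build a urllib Request for a ZAP JSON API call.

    The key is sent in the X-ZAP-API-Key header rather than as the `apikey`
    query parameter, so it never appears in the URL (the 2017 leak was a key
    embedded in a page ZAP generated from a URL).
    """
    query = urllib.parse.urlencode(params or {})
    url = f"{base}/JSON/{component}/{kind}/{name}/"
    if query:
        url += "?" + query
    return urllib.request.Request(url, headers={"X-ZAP-API-Key": api_key})


def call(req, timeout=10):
    """Send a request built by build_request and decode the JSON reply.

    A missing or wrong key makes urlopen raise HTTPError; by default ZAP's
    reply body does not say that the key was the reason (permission errors
    are not reported via the API), so check your key rather than the message.
    """
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def load_script_request(name, script_type, engine, file_name):
    """script/action/load registers a script file that ZAP reads from its own
    host. This is the call abused in the 2017 report, which is why every
    operation now requires the key."""
    return build_request("script", "action", "load", {
        "scriptName": name,
        "scriptType": script_type,
        "scriptEngine": engine,
        "fileName": file_name,
    })


def list_scripts_request():
    """script/view/scripts: a read-only call, but since 2.6.0 it still needs the key."""
    return build_request("script", "view", "scripts")


if __name__ == "__main__":
    # Only reaches the network when run directly against a live ZAP.
    print(json.dumps(call(list_scripts_request()), indent=2))
```

Nothing in the block talks to ZAP until `call()` is invoked, so the request builders can be inspected offline; note that `urllib` capitalises header names on the wire (`X-zap-api-key`), which is fine because HTTP header names are case-insensitive.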

RCE via API token disclosure and API script method “load”

In 2017 a researcher found that, by default, we leaked the ZAP API key via the “Generate Anti CSRF Test Form”. They were then able to load and run a script in ZAP via a publicly mounted Windows drive. ZAP only loaded “local” scripts as a security measure, but we did not take into account that a publicly mounted Windows drive appears to Java as a local drive.

The following set of security fixes were implemented in 2.6.0 to address this vulnerability:

  • By default requiring API keys on all operations
  • By default not reporting permission errors via the API
  • Supporting nonces which are tied to specific API calls, and can be time limited
  • Allowing API keys and nonces to be supplied via headers

It should be noted that non-Zest scripts will still be able to load and run scripts from publicly mounted remote drives.
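To make the "looks local but is not" failure concrete, here is an added illustration in Python (not ZAP's code; ZAP addressed the issue with API authentication, not path filtering). `naive_is_local` is the kind of check the report bypassed: a UNC path is a perfectly valid absolute path, so it passes. `allowed_script_path` shows a stricter policy for an entry point like `script/action/load`: reject UNC paths, reject drive letters the OS reports as remote (only answerable on Windows via `GetDriveTypeW`), and require the normalised path to sit under an explicit script directory. The script directory and the sample paths are constructed values. This constrains only where a script is loaded from; as the text says, a running non-Zest script can still read from anywhere ZAP can.

```python
import ntpath
import sys
from pathlib import PureWindowsPath

# Assumed ZAP script directory on a Windows host (illustrative value).
SCRIPT_ROOT = r"C:\Users\alice\ZAP\scripts"

DRIVE_REMOTE = 4  # kernel32 GetDriveTypeW result for a network (mapped) drive


def naive_is_local(path_str):
    """The check the 2017 report defeated: an absolute path is assumed to be a
    local file. A UNC path such as \\\\host\\share\\x.js is absolute too."""
    return PureWindowsPath(path_str).is_absolute()


def is_unc(path_str):
    """True for \\\\server\\share\\... paths; pathlib reports the share as the drive."""
    return PureWindowsPath(path_str).drive.startswith("\\\\")


def drive_is_remote(path_str):
    """A mapped drive letter (Z:\\) is lexically indistinguishable from a local
    disk; only the OS knows. On Windows ask kernel32, elsewhere return None."""
    if sys.platform != "win32":
        return None
    import ctypes
    drive = PureWindowsPath(path_str).drive
    if not drive or drive.startswith("\\\\"):
        return None
    return ctypes.windll.kernel32.GetDriveTypeW(drive + "\\") == DRIVE_REMOTE


def allowed_script_path(path_str, root=SCRIPT_ROOT):
    """Stricter policy: no UNC paths, no known-remote drive letters, and the
    normalised absolute path must lie under an explicit local directory so
    that '..' segments cannot escape it."""
    if is_unc(path_str):
        return False
    if drive_is_remote(path_str):
        return False
    norm = PureWindowsPath(ntpath.normpath(path_str))
    return norm.is_absolute() and norm.is_relative_to(PureWindowsPath(root))


if __name__ == "__main__":
    for p in (r"C:\Users\alice\ZAP\scripts\hello.js",
              r"\\evil.example\share\rce.js",
              r"C:\Users\alice\ZAP\scripts\..\..\..\Windows\evil.js"):
        print(f"{p!s:55} naive={naive_is_local(p)!s:5} strict={allowed_script_path(p)}")
```

`PureWindowsPath` and `ntpath` apply Windows path semantics on any platform, which is why the comparison can be exercised off a Windows host; the `GetDriveTypeW` branch only runs on Windows and is the one part a reviewer should test there.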