polyhedraltech / SecurityTesting

Eclipse plugin suite providing integration with security testing tools.
Apache License 2.0
11 stars 3 forks

Feedback #1

Open psiinon opened 8 years ago

psiinon commented 8 years ago

Delighted to see this - it's something I'd like to have done myself but have never had the time ;) I've just referenced it on the ZAP Dev group: https://groups.google.com/d/msg/zaproxy-develop/IFXWbmRcnDo/Pe_ykWFZBwAJ I think this has huge potential - how can we help you make the ZAP integration even better?

ejohn20 commented 8 years ago

@polyhedraltech might be able to explain this better, but we did run into an issue with the API and http sessions. I think by default in v2.4 (which is where we did most of our testing) http sessions were not enabled. This caused issues when starting ZAP in headless mode and trying to spider & scan a site that had pages which required AuthN.

polyhedraltech commented 8 years ago

@ejohn20 is correct, the API that allows interaction with the ZAP sessions didn't really seem to function properly. Even when a call was made to persist a session and load it on a subsequent start of ZAP, it didn't seem to save anything. It wasn't a major issue for the first release of the plugin as we were mainly targeting a quick anonymous scan of a website, but I think the most helpful API changes would include:

  1. Improved ZAP session management.
  2. Simplifying the process of providing authentication information through the API. I know that's a pretty wide-open requirement as there are so many ways that applications handle authentication, but being able to run a scan using an authenticated user would be great.

Thanks for reaching out! I ran into some issues where ZAP would crash under certain conditions, but never got around to reporting them. When I start working on the next set of enhancements, I'll be sure to reach out if/when I ever run into any problems.