OWASP ZAP not showing requests to images in history view
I'm investigating some strange behavior in a web application where something is generating requests that shouldn't be there. Since the principal action triggering these requests opens a new browser window, browser built-in network debugging capabilities do not help. I'd like, for now, to just view the raw requests going over the wire. So, I've installed OWASP ZAP to use it as a local proxy.
To my surprise, it looks like OWASP ZAP does not show any requests to images in the "History" tab. The requests I'm after, are of course requests to images. How can I enable logging of these requests?
Turns out OWASP ZAP has a global switch which controls processing of image requests, and it is disabled by default. Also, I couldn't find anything in the documentation pointing to this fact. The option in question can be found here - go to:
Tools > Options > Display > Process images in HTTP requests/responses
Update: Should you be wondering why, in the History view, the IDs of requests are (still) not continuous - this is due to ZAP creating invisible "internal requests", see here for more details.
- OWASP ZAP not cleaning up after itself
- Use of a broken or risky cryptographic algorithm encryption algorithm. base64EncodedString should not be used
- What is "X-Content-Type-Options=nosniff"?
- HTML-Entity escaping to prevent XSS
- ModSecurity WAF log configuration
- Why is it common to put CSRF prevention tokens in cookies?
- Hello, how to solve Permission denied Error while trying to generate OWASP ZAP report using Full Scan Docker image
- Writing exclude configs for dependancy check
- Hydra with OWASP juice-shop
- Zap proxy converts Http requests to Https
- How to run security check on Angular project or how to run OWASP dependency check for Angular Project
- What are the differences between API IO and Web App IO? (OWASP's top 10s)
- Postman unable sending to OWASP ZAP with the same proxy configuration
- How to create "unsafe" environment for JavaScript XSS testing
- Bicep code to deploy WAF policy for Azure Application gateway
- How can i integrate OWASP ZAP with Cypress to run both together and get the Zap test Result and Owasp Zap result at the same time?
- OWASP ZAP Scan tool doesn't support requests in XML format
- Allowing "//" in URL.Any Security Standards for URL Definition?
- How to login and scan with OWASP Zap
- Options for token storage and refresh in SPAs
- ZAP baseline scan doesn't generate report
- iOS certificate pinning with Swift and NSURLSession
- OWASP ZAP baseline scan returns unexpected error 1 in CI/CD pipeline
- How to force specific version of a transitive dependency (netty-codec-http) in gradle?
- Cross-Site Request Forgery Prevention: using a cookie for the Synchronizer Token Pattern
- OWASP sanitizer generates unexpected results
- OWASP Dependency check, how to use suppressions
- OWASP/ZAP dangling when trying to scan
- Dependency-Track is forgetting suppressions on vulnerabilities
- How to run OWASP Dependency Check for an Angular project?