How to define our own ZAP active rule?


We want to use ZAP to scan our site for vulnerability issues.

Is there any way to define our own active rule for our business?

For example, we want to check whether any JavaScript posts data to sites that are not in the whitelist.

So maybe we can implement this feature as a ZAP add-on, but how do we create our own ZAP add-on?


Solution

  • We want to check whether any JavaScript posts data to sites that are not in the whitelist.

    That would be a passive rule, not an active one.

    You can create either as a script; there are templates that come with ZAP. You can also find community examples here: https://github.com/zaproxy/community-scripts

    There is also a set of blog posts that can help you:

    Active Scan vs Passive Scan:

    • Passive scan rules look at traffic as it passes through ZAP (proxied, or spidered, optionally Fuzzed) without making any requests themselves.
    • Active scan rules run during Active scanning and do make requests by altering request parameters/details to elicit certain types of responses or behaviors.
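Added example (not code from the ZAP project or from the answer above): a passive-scan script in the shape of ZAP's passive script template, with the detection logic pulled into plain functions so the check described in the question can be exercised offline. It inspects each proxied response for script calls (`fetch` with a POST/PUT/PATCH method, `XMLHttpRequest.open` with a write method, `navigator.sendBeacon`) and `<form action>` targets, resolves the destination host, and raises an alert for any host outside an allowlist. `ALLOWED_HOSTS`, the regexes and `SAMPLE_BODY` are constructed assumptions; the `scan(ps, msg, src)` entry point, `appliesToHistoryType` and the `ps.newAlert()` builder follow the passive template shipped with ZAP and only run inside ZAP, so compare them against the template in your ZAP version.

```javascript
// Constructed allowlist: a bare domain also admits its subdomains (design choice).
var ALLOWED_HOSTS = ['example.com', 'api.example.com'];

// Each pattern captures the destination URL of a client-side data submission.
// This is source-level matching: it sees literal URLs, not ones built at runtime.
var URL_PATTERNS = [
  // fetch("...", {method: "POST"}); the options object must name a write method
  /fetch\(\s*['"]([^'"]+)['"][^)]*?method\s*:\s*['"](?:POST|PUT|PATCH)['"]/gi,
  // xhr.open("POST", "...")
  /\.open\(\s*['"](?:POST|PUT|PATCH)['"]\s*,\s*['"]([^'"]+)['"]/gi,
  // navigator.sendBeacon("...") always sends a POST
  /sendBeacon\(\s*['"]([^'"]+)['"]/gi,
  // <form action="..."> (GET forms still leak field values in the query string)
  /<form\b[^>]*\baction\s*=\s*['"]([^'"]+)['"]/gi
];

// Host of an absolute or protocol-relative URL; relative URLs resolve to the
// page's own host. Hand-rolled so it also works in ZAP's script engine, which
// has no browser URL object.
function hostOf(url, pageHost) {
  var m = /^(?:[a-z][a-z0-9+.-]*:)?\/\/([^\/?#]+)/i.exec(url);
  if (!m) return pageHost.toLowerCase();
  // strip userinfo and port
  return m[1].replace(/^.*@/, '').replace(/:\d+$/, '').toLowerCase();
}

function isAllowedHost(host, allowlist) {
  for (var i = 0; i < allowlist.length; i++) {
    var a = allowlist[i].toLowerCase();
    if (host === a || host.slice(-(a.length + 1)) === '.' + a) return true;
  }
  return false;
}

// One {url, host} per distinct destination in body whose host is not allowlisted.
function findUnlistedDestinations(body, pageHost, allowlist) {
  var seen = {};
  var hits = [];
  for (var p = 0; p < URL_PATTERNS.length; p++) {
    var re = URL_PATTERNS[p];
    re.lastIndex = 0; // global regexes keep state between calls
    var m;
    while ((m = re.exec(body)) !== null) {
      var url = m[1];
      var host = hostOf(url, pageHost);
      if (seen[url] || isAllowedHost(host, allowlist)) continue;
      seen[url] = true;
      hits.push({ url: url, host: host });
    }
  }
  return hits;
}

// Constructed sample response for the offline run.
var SAMPLE_PAGE_HOST = 'www.example.com';
var SAMPLE_BODY = [
  '<html><body>',
  '<form action="https://api.example.com/login" method="post"></form>',
  '<form action="/submit" method="post"></form>',
  '<script>',
  "fetch('https://collector.third-party.example.net/ingest', {method: 'POST', body: JSON.stringify(data)});",
  "var x = new XMLHttpRequest(); x.open('POST', '//tracker.example.org/x');",
  "navigator.sendBeacon('https://metrics.example.com/b', blob);",
  "fetch('https://other.example.net/config.json');", // plain GET: not a submission
  '</script></body></html>'
].join('\n');

// Returns the two unlisted destinations in the sample (collector..., tracker...).
function demo() {
  return findUnlistedDestinations(SAMPLE_BODY, SAMPLE_PAGE_HOST, ALLOWED_HOSTS);
}

// ZAP passive-scan entry point, as in ZAP's passive script template (assumed API).
function scan(ps, msg, src) {
  if (!msg.getResponseHeader().isText()) return;
  var hits = findUnlistedDestinations(
    msg.getResponseBody().toString(),
    msg.getRequestHeader().getHostName(),
    ALLOWED_HOSTS);
  for (var i = 0; i < hits.length; i++) {
    ps.newAlert()
      .setRisk(2)        // medium
      .setConfidence(1)  // low: a source-level heuristic, review before acting
      .setName('Client-side data submission to host outside allowlist')
      .setDescription('Page code sends data to ' + hits[i].host + ', which is not allowlisted.')
      .setEvidence(hits[i].url)
      .setMessage(msg)
      .raise();
  }
}

function appliesToHistoryType(historyType) {
  return true;
}
```

Load it in ZAP as a passive script (Scripts tab, type "passive", JavaScript engine) and enable it; every response passing through the proxy is then checked without any extra requests, which is why the answer calls this a passive rule. The patterns deliberately stay narrow (literal URLs next to a write method) so the rule errs toward missing dynamically built URLs rather than flooding the alert list; widen them with care.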