Disclaimer: I love open source and I adore the OWASP for what they do.

BUT OWASP ZAP has to be the most overly complicated, badly documented tool in existence. As long as one stays within its most basic functions everything is fine; setting it up as a proxy and even issuing a root cert for our test devices worked wonderfully simply.

Then I made the mistake of trying to actually do anything with the data we pulled and had to dive into the scripting console.

The documentation basically consists only of "This thing exists". It provides a msg object with no information about what it contains or how it's structured, has no code completion and, here comes the kicker, if the script is run and has an error it gets flagged and can't be re-enabled after the error is fixed. So I'm currently at forwarder48.groovy trying to simply store the request in a database for possible diagnostics.

So right now I already know that I'll spend most of my vacation next week trying to decipher the source, document it, fix that damn "flagged as error" bullshit and jump through a billion hoops trying to get a pull request through.
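
An added example, not from the post above and not ZAP's own code: an HttpSender-style script skeleton showing the getters the `msg` object (ZAP's `HttpMessage`) exposes, how to flatten a request/response pair into a record for diagnostics, and how to keep a storage failure from throwing so the script is not flagged as broken. It assumes the `sendingRequest`/`responseReceived` entry points and the `getRequestHeader`/`getRequestBody`/`getResponseHeader`/`getResponseBody` getters; the `store` sink is an in-memory list standing in for whatever database call you use inside ZAP, the header names redacted are a chosen set, and `fakeMessage` is a constructed test double so the file runs stand-alone.

```javascript
// Added example, not ZAP project code. Runs under Node as-is; inside ZAP the
// entry points at the bottom are what the engine calls.

var log = typeof print === "function" ? print : console.log;

// Assumption: which request headers are too sensitive to persist verbatim.
var SENSITIVE_HEADERS = ["authorization", "cookie", "set-cookie", "x-api-key"];

// Replace the value of sensitive headers in a raw header block before storing.
function redactHeaders(rawHeader) {
  return rawHeader.split(/\r?\n/).map(function (line) {
    var idx = line.indexOf(":");
    if (idx < 0) return line;                       // request line or blank
    var name = line.slice(0, idx).trim().toLowerCase();
    return SENSITIVE_HEADERS.indexOf(name) >= 0
      ? line.slice(0, idx) + ": [REDACTED]"
      : line;
  }).join("\n");
}

// Flatten the request side of msg into a plain record.
function requestRecord(msg, initiator) {
  var req = msg.getRequestHeader();
  return {
    initiator: initiator,                           // int: who caused the request (proxy, spider, ...)
    method: req.getMethod(),
    url: req.getURI().toString(),
    requestHeader: redactHeaders(req.toString()),   // full raw header block
    requestBody: msg.getRequestBody().toString()
  };
}

// Same record plus the response side, once it has arrived.
function responseRecord(msg, initiator) {
  var rec = requestRecord(msg, initiator);
  rec.status = msg.getResponseHeader().getStatusCode();
  rec.responseBody = msg.getResponseBody().toString();
  return rec;
}

// Storage sink. Inside ZAP this is where a JDBC insert would go; here it is an
// in-memory list so the example runs offline.
var stored = [];
function store(record) { stored.push(record); return record; }

// Any exception escaping an entry point gets the script flagged; log and swallow
// storage errors instead so a database hiccup does not disable the forwarder.
function safely(fn) {
  try { return fn(); } catch (e) { log("forwarder script: " + e); return null; }
}

// ZAP HttpSender entry points (helper is unused here).
function sendingRequest(msg, initiator, helper) {
  return safely(function () { return store(requestRecord(msg, initiator)); });
}
function responseReceived(msg, initiator, helper) {
  return safely(function () { return store(responseRecord(msg, initiator)); });
}

// Constructed test double mirroring only the getters used above; not ZAP code.
function fakeMessage(method, url, rawHeader, body, status, respBody) {
  return {
    getRequestHeader: function () {
      return {
        getMethod: function () { return method; },
        getURI: function () { return { toString: function () { return url; } }; },
        toString: function () { return rawHeader; }
      };
    },
    getRequestBody: function () { return { toString: function () { return body; } }; },
    getResponseHeader: function () { return { getStatusCode: function () { return status; } }; },
    getResponseBody: function () { return { toString: function () { return respBody; } }; }
  };
}
```

Run it with a `fakeMessage` carrying an `Authorization` header and you can see the stored record keeps the method, URL and body while the bearer value is replaced; a message whose getters throw yields `null` rather than an exception.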

  • 0
    I'll keep this in mind since I'll definitely have to use this in the future!
  • 1
    @linuxxx As long as you stay away from the scripting interface it's actually quite nice; I accidentally found 4 unsafe input reflections in our API while trying to set it up as a simple proxy. If you try to extend it with custom scripts though, you will suffer.