Due to some maintenance issues, this service has been switched in read-only mode, you can find more information about the why

and how to migrate your plugin documentation in this blogpost

Skip to end of metadata
Go to start of metadata

Version 1.1.0 Documentation

 

To ensure that you are viewing the correct documentation, the title of this Informational box should reflect the most recent version of the ZAP Jenkins Plugin.

 Latest Release

 


ZAP Settings: Local Proxy Settings

ZAP Tools Options... Local Proxy

(info) Configure the proxy host (e.g. 127.0.0.1) and the proxy port (e.g. 9090).

The host and port set here should be the SAME set in Firefox and in the ZAP Jenkins plugin.

Notice: This should be the IP address of the Slave (the machine where ZAP security tool is installed).

 


ZAP Settings: Database Settings

ZAP Tools Options... Database

  1. Compact

    Required: The database needs to be compacted of there will be issues with the closing and opening of large session files.

  2. Recovery Log
    • Checked by default, keep as is.
  3. Database Size Vs. Available Memory
    • Increase the Java Heap Memory that the application is allowed to use. The amount you should allocate is: <MAX_AVAILABLE_RAM> - 2GB. This can be done by jvmopts in zap.bat.

    Notice: This is important and directly correlated to your database size. Due to a bug/feature/constraint with ZAP, it is only able to cleanly close your session's that are a maximum of 2GB less than you <ALLOCATED_RAM>. I have allocated 16GB of RAM to ZAP for use, ZAP can only cleanly close a session of 14GB. This means that you should have a one context to one session relationship.

 


ZAP Settings: Dynamic SSL Certificates Export

So, you've setup ZAP and are routing your browser's traffic through it and are ready to do some digging, but every time you hit a site, you get an annoying SSL Security Exception (Untrusted Connection) error and when you view the certificate, it is the OWASP ZAP Certificate.

You can of course, add the site to the exception list every single time but if you don't want to be annoyed by the constant SSL Exception Error prompts by your browser, you will need to add the OWASP ZAP Certificate to your list of certificates and recognize it as a Root CA.

Notice: Please be careful when manually adding certificates to your browser as it could be a huge security risk if you put in a key that is shared with other people or from an unknown source.

ZAP Tools Options... Dynamic SSL Certificates

  1. Generate
    • Click on Generate if you don't see a certificate or if it's old and about to expire soon.
  2. Save
    • Click on Save to export the certificate.
  3. OK

Once you successfully generated and exported a ZAP SSL certificate, you need to import the certificate into Firefox.

  • No labels