0 votes

I am using ZAP in my security testing project. It really helps me a lot. But I face a problem that I and our project manager also want to understand: our login request is a POST request, so why is ZAP showing a security vulnerability for the login request with the method changed from POST to GET in the summary report?

1 Answer

1 vote

The fact that ZAP has reported a potential vulnerability on a page with a GET request is not at all surprising. In this case the ZAP spider was used - this will request all of the links it finds using a GET request and only make POST requests when it finds suitable forms. Whether the specific vulnerability should really have been reported on a POST request is impossible to say without more information.

For more info see the discussion on the ZAP User Group: https://groups.google.com/d/msg/zaproxy-users/TGrlqPFc7FI/wSqi9wFrCgAJ
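The practical check behind the answer above is to look at which HTTP method each alert instance was actually raised on, rather than at the summary table. The following is an added example, not code from the ZAP project or from either poster: it flattens a ZAP JSON report (traditional report layout: a top-level "site" list, each site carrying an "alerts" list whose entries hold "instances" with "uri" and "method") and lists, per alert and path, the methods involved. The embedded report is constructed for this example; the host name, alert names and values in it are made up and do not describe any real scan.

```python
"""Group ZAP alert instances by request method to see whether an alert on a
given path was only ever raised on a spider GET, never on the real POST."""
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the shape of ZAP's traditional JSON report.
# Every value here is made up for this example (assumption, not real scan data).
SAMPLE_REPORT = json.dumps({
    "@version": "2.x",
    "site": [{
        "@name": "http://app.example.test",
        "@host": "app.example.test",
        "alerts": [
            {
                "alert": "Absence of Anti-CSRF Tokens",
                "riskcode": "1",
                "instances": [
                    # Only a GET instance: the spider fetched the login page
                    # by GET and the passive scan flagged the form it returned.
                    {"uri": "http://app.example.test/login", "method": "GET", "param": ""},
                ],
            },
            {
                "alert": "Content Security Policy (CSP) Header Not Set",
                "riskcode": "2",
                "instances": [
                    {"uri": "http://app.example.test/", "method": "GET", "param": ""},
                    {"uri": "http://app.example.test/login", "method": "GET", "param": ""},
                    # This one was also seen on the real POST submission.
                    {"uri": "http://app.example.test/login", "method": "POST", "param": ""},
                ],
            },
        ],
    }],
})


def load_instances(report_json):
    """Flatten a ZAP JSON report into (alert name, METHOD, path, param) rows."""
    report = json.loads(report_json)
    rows = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            for inst in alert.get("instances", []):
                path = urlsplit(inst["uri"]).path or "/"
                rows.append((alert["alert"], inst.get("method", "").upper(),
                             path, inst.get("param", "")))
    return rows


def methods_by_alert_and_path(report_json):
    """Map (alert name, path) -> sorted list of methods the alert was raised on."""
    seen = defaultdict(set)
    for name, method, path, _param in load_instances(report_json):
        seen[(name, path)].add(method)
    return {key: sorted(methods) for key, methods in seen.items()}


def get_only_alerts(report_json, path):
    """Alert names on `path` whose instances are all GET.

    These are the candidates for "the spider fetched this page by GET and the
    POST was never exercised"; whether the finding also applies to the POST
    cannot be decided from the report alone."""
    grouped = methods_by_alert_and_path(report_json)
    return sorted(name for (name, p), methods in grouped.items()
                  if p == path and methods == ["GET"])


def alerts_on_method(report_json, path, method):
    """Alert names raised on `path` with the given HTTP method."""
    grouped = methods_by_alert_and_path(report_json)
    return sorted(name for (name, p), methods in grouped.items()
                  if p == path and method.upper() in methods)


if __name__ == "__main__":
    for (name, path), methods in sorted(methods_by_alert_and_path(SAMPLE_REPORT).items()):
        print(f"{path:<10} {', '.join(methods):<10} {name}")
    print("GET-only alerts on /login:", get_only_alerts(SAMPLE_REPORT, "/login"))
    print("Alerts seen on POST /login:", alerts_on_method(SAMPLE_REPORT, "/login", "POST"))
```

If the login path shows up only under GET, the scan never saw the POST: the spider requested the page as a link, and either it did not recognise the form or the form was never submitted. Proxy a real login through ZAP (or confirm the spider found and submitted the form) so that the POST message itself is in the history and gets scanned; only then does a finding against the POST request mean anything.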