dast-zap
Scan web applications for vulnerabilities with OWASP ZAP
Web applications and APIs often contain security vulnerabilities that manual testing misses. This skill uses OWASP ZAP to automate comprehensive security scans, detecting issues such as XSS, SQL injection and authentication flaws. It produces detailed reports mapped to the OWASP Top 10 and CWE to support compliance requirements.
Try it
Using "dast-zap". Scan https://staging.example.com with baseline scan
Expected result:
- Baseline scan completed
- High risk findings: 0
- Medium risk findings: 3
- Low risk findings: 7
- Report saved to: baseline-report.html
- Key issues found: Missing X-Frame-Options header, Cookie without Secure flag, Server information disclosure
Using "dast-zap". Scan API with OpenAPI spec and bearer token
Expected result:
- API scan completed
- Total endpoints tested: 45
- High risk findings: 1 (SQL Injection in /users/{id})
- Medium risk findings: 5
- SARIF report uploaded to GitHub Security tab
- CWE mappings: CWE-89 (SQLi), CWE-79 (XSS)
Security audit
Low risk: Legitimate DAST security testing skill using official OWASP ZAP tooling. Contains documentation, configuration templates, and CI/CD workflows for vulnerability scanning. All 465 static findings are false positives: the patterns detected are expected behaviors for security testing documentation (shell commands for running scanners, URLs in documentation, and security terminology explaining vulnerabilities). No malicious intent detected.
Risk factors
⚙️ External commands (1)
🌐 Network access (1)
📁 File system access (1)
What you can build
CI/CD security gates
Add automated security scanning to your deployment pipeline with GitHub Actions or GitLab CI
API vulnerability testing
Scan REST and GraphQL APIs using OpenAPI specifications to find injection flaws and authorization issues
Quick security checks
Run baseline scans during development to catch security issues early, before they reach production
Try these prompts
Run an OWASP ZAP baseline scan against https://staging.example.com and generate a report at ./zap-report.html
Scan our API at https://api.example.com using the OpenAPI specification at ./openapi.yaml. Include authentication using the bearer token from environment variable API_TOKEN and generate JSON and HTML reports.
Run an authenticated scan against https://app.example.com using form-based authentication. The login page is at https://app.example.com/login, username is testuser, and password is in environment variable SCAN_PASSWORD.
Create a GitHub Actions workflow file for OWASP ZAP scanning that runs on pull requests, fails if high-risk findings are detected, and uploads SARIF results to the GitHub Security tab
Best practices
- Always obtain written authorization before scanning any system you do not own
- Use baseline scans on every commit; run full active scans only in staging environments
- Never hard-code credentials; use environment variables or a secrets manager
- Manually verify active-scan findings before creating security tickets
Avoid
- Running active scans against production without approval
- Including real credentials in scan configurations or scripts
- Ignoring the false-positive rate without investigating
- Treating scan results as the only measure of application security