Security/Automation/Winter Of Security 2016/ZAP Form Handling




Our team is comprised of three enthusiastic Information Technology students who attend Arizona State University's Polytechnic Campus. All of us have a focus area in Network Administration and Security and an interest in learning about all different aspects of the IT industry. As part of our Senior Capstone course, we are required to pick a project that spans two semesters and demonstrates the collective abilities we have learned throughout our time in ASU’s program. As a group, we have elected to focus on a security-related topic, which led us to find Mozilla’s Winter of Security program.


  • Ryan Wehe
  • Christopher Laguna
  • Rian Franey
  • Professors: Damien Doheny and Dr. Usha Jagannathan
  • Mozilla Advisor: Simon Bennetts



The ZAP traditional and Ajax spiders explore an application by putting basic default values in all forms. These may often not be valid values, for example using "ZAP" when an email address is required.

The project enhancement would allow the user to define default values based on pattern matching against the field names and/or ids.
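As an added illustration (not ZAP's code or the team's implementation), the Java sketch below shows one way a value generator could pick a default by matching patterns against a field's name and id. The class name, method signatures, attribute keys and sample rules are assumptions made for this example.

```java
import java.util.AbstractMap.SimpleImmutableEntry;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/** Hypothetical sketch: chooses a form default from user-defined name/id patterns. */
public class PatternValueGenerator {
    // Rules are evaluated in the order they were added; the first match wins.
    private final List<Map.Entry<Pattern, String>> rules = new ArrayList<>();

    public void addRule(String regex, String value) {
        // Field names vary in case across applications, so match case-insensitively.
        Pattern p = Pattern.compile(regex, Pattern.CASE_INSENSITIVE);
        rules.add(new SimpleImmutableEntry<>(p, value));
    }

    /**
     * @param fieldAttributes attributes parsed from the form field (assumed keys: "name", "id")
     * @param fallback        value used when no rule matches (the spider's basic default)
     */
    public String getValue(Map<String, String> fieldAttributes, String fallback) {
        // The name attribute is checked before the id, since the name is what gets submitted.
        for (String key : new String[] {"name", "id"}) {
            String attr = fieldAttributes.get(key);
            if (attr == null || attr.isEmpty()) {
                continue; // attribute missing on this field
            }
            for (Map.Entry<Pattern, String> rule : rules) {
                if (rule.getKey().matcher(attr).find()) {
                    return rule.getValue();
                }
            }
        }
        return fallback;
    }

    public static void main(String[] args) {
        PatternValueGenerator gen = new PatternValueGenerator();
        gen.addRule("e-?mail", "zap@example.com"); // constructed sample rules
        gen.addRule("phone|tel", "5550100");

        Map<String, String> field = new HashMap<>(); // constructed sample field
        field.put("id", "contact_Email");
        System.out.println(gen.getValue(field, "ZAP")); // matched through the id
        field.put("name", "comment");
        field.remove("id");
        System.out.println(gen.getValue(field, "ZAP")); // no rule matches, fallback used
    }
}
```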

Success Criteria

This project is successful if:

  • The user is able to specify default values for all forms used by the ZAP spiders
  • Display all of the forms and fields for an application and allow the user to update the default values to be used
  • Full support for defining default values via the API

Timeframe: March 2017.


Biweekly Update Ending 2016-MM-DD

Week One (2016-10-17)

  • Set up ZAP environment.
  • Successfully made changes to default values used by the ZAP spiders
  • Becoming familiar with ZAP's coding

Week Three (2016-10-31)

  • Built a simple Spider
  • Became familiar with HTML parsing and form handling
  • Created a value generator interface

Week Five (2016-11-14)

  • Successfully passed form field information into the value generator as a parameter
  • Restructuring the form field information into a map "field attributes" for the value generator
  • Working on building a map for the form attributes for the form generator
  • Addressed errors in the testing files

Week Seven (2016-11-28)

  • SpiderHtmlFormParserUnitTest now works with DefaultValueGenerator
  • Converted text, password, and file to type string for case insensitive comparison in DefaultValueGenerator
  • Removed duplicate, unused code from
  • Currently working on first squash commit

Updates in 2017

January - March

  • First pull request accepted and merged into ZAProxy (2.6)
  • Continuing development of the add-on in the ZAP-extensions project for a second pull request