Skip to main content

DeepTraQ + ZAP – Key Limitations and Considerations

1. CSRF Token Handling (ZAP Limitation)

ZAP has limited support for CSRF tokens when:

  • Tokens are not present in hidden input fields
  • Tokens are generated dynamically via JavaScript
  • Tokens are fetched via separate API calls
  • Tokens are injected through headers

Impact:

  • Authentication may fail for modern applications using dynamic CSRF mechanisms

2. Complex Authentication Flows (ZAP Limitation)

ZAP faces challenges handling:

  • Multi-Factor Authentication (MFA)
  • Multi-step or chained authentication flows
  • Dynamic session/token exchanges

Impact:

  • Automated authentication may not work reliably for complex applications

3. Cookie / Token Injection (DeepTraQ Workaround)

To handle limitations in complex authentication:

DeepTraQ allows:

  • Direct injection of cookies or tokens via YAML configuration
  • Skipping login flow entirely

Behavior:

  • ZAP is instructed to ignore login
  • Pre-authenticated tokens are used for all requests

Requirement:

  • A pollUrl must be configured
  • Should be a GET request returning HTTP 200
  • Used to validate whether injected tokens are working

4. Header Handling (ZAP Limitation)

ZAP cannot automatically detect all required headers.

Impact:

  • Missing headers (e.g., tenant-specific or custom headers) may cause authentication failure
  • Even valid credentials may fail without required headers

Workaround:

  • Manually define headers in configuration
  • Validate using curl or browser network traffic

5. Crawling Authenticated Applications (ZAP Limitation)

ZAP may not reliably crawl:

  • Single Page Applications (SPAs)
  • Applications with dynamic routing
  • Multi-step authenticated workflows

Impact:

  • Incomplete scan coverage

Workaround:

  • Upload HAR file captured after login
  • Ensures all authenticated requests are included in scanning

6. Browser-Based Authentication (Best Practice)

When using browser-based authentication:

Recommendations:

  • Use pollUrl with loggedInRegex for verification
  • Avoid relying only on auto-detection

Reason:

  • Auto-detection is unreliable in complex applications
  • Backend API responses may not be properly evaluated

7. Entry URL Behavior (ZAP Behavior)

Authentication reporting depends on the first URL in entryUrls.

Behavior:

  • Reports are generated relative to the first URL

Implications:

  • If frontend URL is first but verification happens on backend:

    • Reports may incorrectly show authentication failure

Guidelines:

  • Use backend URL first if backend is on a different domain
  • Use frontend URL first for browser-based authentication
  • Use backend URL for JSON-based authentication

8. JSON Authentication Constraints (ZAP Limitation)

For API / JSON-based authentication:

Requirements:

  • Correct backend URL must be used
  • Token extraction must be accurate (e.g., authentication.token)
  • Headers must be constructed properly (e.g., adding Bearer prefix if required)

Impact:

  • Misconfiguration leads to false authentication failures

9. Regex-Based Verification (ZAP Limitation)

ZAP relies on loggedInRegex for authentication validation.

Limitations:

  • Does not work when response body is empty (e.g., HTTP 302)
  • Requires unique and stable patterns
  • Auto-detection is unreliable

Best Practice:

  • Use pollUrl with:

    • GET request
    • HTTP 200 response
    • Unique keyword

10. YAML Abstraction (DeepTraQ Limitation)

DeepTraQ uses a simplified YAML format.

Limitation:

  • Does not expose full flexibility of ZAP Automation Framework

Workaround:

  • Upload full ZAP automation YAML directly for advanced use cases

11. Scripting Constraints (DeepTraQ Limitation)

DeepTraQ does not support uploading external script files.

Supported:

  • Inline scripts only

Impact:

  • Increased complexity in script management
  • Reduced reusability

Example inline script:

jobs:

  • name: injectHeadersScript type: script parameters: action: add type: httpsender engine: Graal.js name: AddHeaders inline: | // ZAP HTTP Sender Script // Type: httpsender // Engine: Graal.js

    function sendingRequest(msg, initiator, helper) {
        // Inject headers into all requests
        msg.getRequestHeader().setHeader("customer-name", "Example");
        msg.getRequestHeader().setHeader("tenant-id", "100");
        msg.getRequestHeader().setHeader("login-id", "user-01-test");
    }

    function responseReceived(msg, initiator, helper) {
        // Do nothing
    }

Summary

ZAP Limitations

  • CSRF token handling
  • Complex authentication (MFA, dynamic flows)
  • Header auto-detection
  • Crawling authenticated applications
  • JSON authentication sensitivity
  • Regex-based verification

DeepTraQ Limitations

  • Simplified YAML abstraction
  • No external script support

DeepTraQ Workarounds

  • Token/cookie injection
  • HAR file upload
  • Inline scripting

Best Practices

  • Use pollUrl with loggedInRegex
  • Choose correct entry URL order
  • Validate requests using network traffic or curl