Version 1.1.0 Documentation


To ensure that you are viewing the correct documentation, the title of this Informational box should reflect the most recent version of the ZAP Jenkins Plugin.



ZAP Settings: Local Proxy Settings

ZAP → Tools → Options... → Local Proxy

Configure the proxy host (e.g. 127.0.0.1) and the proxy port (e.g. 9090).

The host and port set here must be the same as those set in Firefox and in the ZAP Jenkins plugin.

Notice: This should be the IP address of the Jenkins slave (the machine where the ZAP security tool is installed).
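To verify that Firefox really points at the host and port configured here, the following check (an added example, not part of the ZAP Jenkins plugin or its documentation) parses a Firefox prefs.js and compares its manual proxy settings against ZAP's local proxy. The prefs.js content is a constructed sample, and the expected host/port are assumed to be 127.0.0.1:9090 as in the text above.

```python
import re

# Constructed sample of a Firefox prefs.js; the ssl_port deliberately disagrees with ZAP.
SAMPLE_PREFS = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 9090);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 8080);
user_pref("network.proxy.no_proxies_on", "");
'''

# One user_pref(...) statement per line: key in quotes, then a string, int or bool value.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse user_pref lines into a dict (strings unquoted, ints and bools converted)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def check_firefox_proxy(prefs, zap_host, zap_port):
    """Return a list of mismatches between Firefox's manual proxy and ZAP's local proxy."""
    problems = []
    # type 1 is "Manual proxy configuration"; anything else ignores the host/port prefs.
    if prefs.get("network.proxy.type") != 1:
        problems.append("network.proxy.type is not 1 (manual proxy configuration)")
    for scheme in ("http", "ssl"):  # ZAP must see both plain and TLS traffic
        host = prefs.get(f"network.proxy.{scheme}")
        port = prefs.get(f"network.proxy.{scheme}_port")
        if host != zap_host or port != zap_port:
            problems.append(f"{scheme}: Firefox uses {host}:{port}, ZAP listens on {zap_host}:{zap_port}")
    return problems


if __name__ == "__main__":
    for problem in check_firefox_proxy(parse_prefs(SAMPLE_PREFS), "127.0.0.1", 9090):
        print("MISMATCH:", problem)
```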



ZAP Settings: Database Settings

ZAP → Tools → Options... → Database

  1. Compact
    • Required: The database must be compacted, or there will be issues when closing and opening large session files.
  2. Recovery Log
    • Checked by default; keep as is.
  3. Database Size vs. Available Memory
    • Increase the Java heap memory that the application is allowed to use. The amount you should allocate is <MAX_AVAILABLE_RAM> - 2GB. This can be done by setting jvmopts in zap.bat.

    Notice: This is important and directly correlated to your database size. Due to a bug/feature/constraint in ZAP, it is only able to cleanly close sessions that are at most 2GB smaller than your <ALLOCATED_RAM>. I have allocated 16GB of RAM to ZAP for use, so ZAP can only cleanly close a session of 14GB. This means that you should have a one-context-to-one-session relationship.



ZAP Settings: Dynamic SSL Certificates Export

So you've set up ZAP and are routing your browser's traffic through it and are ready to do some digging, but every time you hit a site you get an annoying SSL Security Exception (Untrusted Connection) error, and when you view the certificate it is the OWASP ZAP Certificate.

You can, of course, add the site to the exception list every single time, but if you don't want to be annoyed by the constant SSL Exception Error prompts from your browser, you will need to add the OWASP ZAP Certificate to your list of certificates and recognize it as a Root CA.

Notice: Please be careful when manually adding certificates to your browser: it is a huge security risk if you trust a certificate whose key is shared with other people or that comes from an unknown source.

ZAP → Tools → Options... → Dynamic SSL Certificates

  1. Generate
    • Click on Generate if you don't see a certificate, or if the existing one is old and about to expire.
  2. Save
    • Click on Save to export the certificate.
  3. OK
    • Click on OK to apply the settings.

Once you have successfully generated and exported the ZAP SSL certificate, you need to import it into Firefox.
