Using the HUD with ZAP in Docker

thc202 edited this page Jan 19, 2021 · 3 revisions

You can use the HUD with ZAP running in Docker, for example for extra security or so that you don't need to install Java locally.

To do this you need to run ZAP with the following options:

docker run -u zap -p 9090:9090 -i owasp/zap2docker-weekly zap.sh -daemon -host 0.0.0.0 -port 9090 \
-config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.key=CHANGE_ME \
-config hud.enabledForDaemon=true

You can change the port 9090 to a different one if you like, but you must change it in all 3 places as well as in the instructions below. You should also change the example API key from "CHANGE_ME" ;)
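One way to avoid editing the port in three places and to stop "CHANGE_ME" reaching a running instance, as an added example that is not part of the original page or the ZAP project: the wrapper below takes the port once and generates a random API key, which matters because `api.addrs.addr.name=.*` lets any client address use the API. The function names, the `DOCKER` override variable and the loopback-only `-p 127.0.0.1:...` binding are assumptions of this example (the page's `-p 9090:9090` publishes on all host interfaces).

```shell
#!/bin/sh
# Added example (not from the ZAP project): build the page's docker command
# from one port value and a freshly generated API key.

# gen_api_key: print 32 hex characters read from the kernel CSPRNG.
gen_api_key() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# valid_port: succeed only for a decimal integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# zap_hud PORT KEY: run ZAP with PORT used in all three places and KEY in
# place of CHANGE_ME. Set DOCKER='echo docker' to print instead of run.
zap_hud() {
    port=$1 key=$2
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    case "$key" in
        ''|CHANGE_ME|*[!A-Za-z0-9]*)
            echo "refusing empty, default or non-alphanumeric API key" >&2
            return 1 ;;
    esac
    # Assumption: the browser runs on the Docker host, so the published port
    # is bound to loopback only. -host 0.0.0.0 stays as on the page: it is
    # the listen address inside the container.
    ${DOCKER:-docker} run -u zap -p "127.0.0.1:${port}:${port}" -i \
        owasp/zap2docker-weekly zap.sh -daemon -host 0.0.0.0 -port "$port" \
        -config 'api.addrs.addr.name=.*' -config api.addrs.addr.regex=true \
        -config "api.key=${key}" -config hud.enabledForDaemon=true
}

# Usage: sh zap-hud.sh start [PORT]   (file name is hypothetical)
if [ "${1:-}" = "start" ]; then
    key=$(gen_api_key)
    echo "ZAP API key: $key" >&2
    zap_hud "${2:-9090}" "$key"
fi
```

The generated key is printed to stderr once at start-up.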

ZAP will run in daemon mode in Docker.

To configure your browser (Firefox or Chrome) to use it as a proxy:

When you open new URLs in this browser you should see the HUD enabled.

Note that you will need to be able to access the URLs that you want to test from the Docker image. Localhost in your browser is not the same as localhost in the Docker image.

It's also worth noting that ZAP will create a new root CA cert every time you create a new Docker image, so you will need to import the cert into your browser again.

Links for further information: