How well protected are your web services? Many #Salesforce ISVs miss this critical step in the security approval process and as a result have to go back to the drawing board before getting their app on the #AppExchange.

ZAP (Zed Attack Proxy) is one such open source tool used for integrated testing done by developers.  An easy to use and simple tool, it offers automated scanners and a set of tools which allow you to find security vulnerabilities manually.

The installation set-up steps are provided in the Salesforce security website:https://security.secure.force.com/security/tools/webapp/zapbrowsersetup

Below are the important features:

Quick start:

It offers you an easy way to quickly test a REST API URL.  Simply enter the URL of your target application and click the ‘Attack’ button.  Example, here I have used SDL Language cloud REST API URL (https://lc-api.sdl.com/languages), which is used to fetch all the langauge pairs used for language translation.

Sites Tab:

It shows all of the URLs visited in the Quick Start/browser.  In this case it shows the SDL language cloud URL which we have used in the Quick Start section.

Break Tab:

If we want to dynamically change the request data values then, the breakpoint allows you to change a request or response when it has been caught by ZAP via a breakpoint.

In this case we have added extra header “Authorization: LC apiKey=xyz123” to authenticate with SDL language cloud.

Request Tab:

It shows the request data sent by you to the requested API URL. In this case we can see the request data sent to the SDL Language cloud.

Response Tab:

It shows the data sent to us by the requested API URL. In this case we can see the response data sent to us by the SDL language cloud.

Alert tab:

It shows the Alerts that have been raised in the testing. For the each Alert node there is Risk parameter which conveys RISK level:  High/Medium/Low.

We can double click an alert to change RISK/Confidence parameters value.

Below are the alerts of details our testing with SDL API URL (https://lc-api.sdl.com/languages).

History Tab:

It shows a list of all requests in the order which they were made. For every request, you can see:

The HTML method, e.g. GET or POST

The URL requested

The HTTP response code

A short summary of what the HTTP response code means

The length of time the whole request took.

Any Alerts on the request.

Any Notes you have added to request

Any Tags on the request

Spider tab:

It shows you a set of URIs found by the Spider during the scans.The toolbar provides a set of buttons which allow you to start, stop, pause and resume the scan. A progress bar shows how far the scan of the selected site has progressed.

For each request you can see:

Processed – It shows if the URI was processed by the Spider or was skipped from fetching because of a rule.

Method – The HTTP method, e.g. GET or POST

URI – the resource found

Flags – any information about the URI (e.g. if it’s a seed or why was it not processed)


After testing of URLs we can generate the report by clicking report menu option and select the format (XML/HTML) of the report we need.

In this case, I have selected HTML report and saved the file locally. This report needs to be submitted at the time of security review process.


Before submitting your dream app for security review, it is necessary to test your integration with ZAP tool and fix the inevitable vulnerabilities found in it.  A clear ZAP report has higher percentage of passing security review in the first attempt.

And, if you just don’t have the resources or your internal audit procedures demand that a third party perform your security review, let us know.

About the author:  Giri Bhushan is a technical lead at Bit Order Technologies and is responsible in part for our 100% success rate of ISV security approvals on the AppExchange.  

Learn more about the Bit Order Bag of Tricks in the Partner Zone at #DF15Partners at the Parc Central Hotel, 2nd Floor, Thursday September 18 at 3:30.