Passive Scan Scripts for Traffic Analysis
Passive scan scripts analyze traffic without sending additional requests, ideal for detecting information disclosure, missing security headers, or suspicious patterns. These scripts process every request and response passing through ZAP:
```javascript
// Passive scan script to detect API keys in responses
var Alert = Java.type("org.parosproxy.paros.core.scanner.Alert");

// API key patterns to detect. Declared at script scope so they are compiled once
// when the script loads rather than on every message.
var patterns = [
    /api[_-]?key\s*[:=]\s*["']?([a-zA-Z0-9]{20,})["']?/gi,
    /token\s*[:=]\s*["']?([a-zA-Z0-9]{32,})["']?/gi,
    /bearer\s+([a-zA-Z0-9._-]{20,})/gi,
    /x-api-key:\s*([a-zA-Z0-9]{20,})/gi
];

function scan(helper, msg, src) {
    // Early exit: binary responses (images, fonts, archives) cannot carry a readable key
    if (!msg.getResponseHeader().isText()) {
        return;
    }

    var body = msg.getResponseBody().toString();
    var headers = msg.getResponseHeader().toString();
    var content = body + "\n" + headers;

    patterns.forEach(function(pattern) {
        // A global regex keeps lastIndex between calls; reset it so a previous
        // message cannot make this one skip matches.
        pattern.lastIndex = 0;
        var match;
        while ((match = pattern.exec(content)) !== null) {
            // raiseAlert(risk, confidence, name, description, uri, param, attack,
            //            otherInfo, solution, evidence, cweId, wascId, msg)
            helper.raiseAlert(
                Alert.RISK_HIGH,
                Alert.CONFIDENCE_HIGH,
                "API Key Exposure",
                "Potential API key found in response: " + match[0],
                msg.getRequestHeader().getURI().toString(),
                "", // param
                "", // attack
                "API keys should never be exposed in client-accessible responses", // otherInfo
                "Remove API keys from responses. Use proper authentication headers instead.", // solution
                match[0], // evidence
                200, // CWE-200: Exposure of Sensitive Information
                13,  // WASC-13: Information Leakage
                msg
            );
        }
    });
}
```
Passive scripts must be highly efficient since they process all traffic. Avoid complex operations that might slow down browsing. Use regular expressions judiciously, compile them once if possible, and implement early exit conditions for irrelevant traffic. Well-written passive scripts provide continuous security monitoring without impacting performance.
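The following is an added example, not code from the original page or from the ZAP project, showing the efficiency guidance above applied to the missing-security-headers case mentioned earlier: the detection logic is a plain header lookup (no regex), it exits early for non-HTML and non-2xx responses, and it is kept separate from the ZAP objects so it can be unit-tested outside the proxy. It assumes the ZAP `HttpResponseHeader.getHeader`/`getStatusCode` methods, `URI.getScheme`, and the 13-argument `helper.raiseAlert`; the numeric risk and confidence values follow ZAP's `Alert` constants (risk 2 = medium, confidence 3 = high).

```javascript
// Passive check for missing browser-hardening response headers (added example).
var RISK_MEDIUM = 2;      // Alert.RISK_MEDIUM
var CONFIDENCE_HIGH = 3;  // Alert.CONFIDENCE_HIGH

// Header name -> remediation text. A plain object lookup is used instead of a
// regex because this runs on every response that passes through the proxy.
var REQUIRED_HEADERS = {
    "content-security-policy": "Add a Content-Security-Policy header that restricts script sources.",
    "x-content-type-options": "Send 'X-Content-Type-Options: nosniff'.",
    "strict-transport-security": "Send a Strict-Transport-Security header on HTTPS responses."
};

// Pure detection logic, free of ZAP objects so it can be tested offline.
// headers: object mapping lowercased header name -> value; scheme: "http" or "https".
// Returns the list of required headers that are absent.
function missingSecurityHeaders(statusCode, contentType, scheme, headers) {
    // Early exits: only successful HTML documents are expected to carry these headers.
    if (statusCode < 200 || statusCode >= 300) return [];
    if (!contentType || contentType.toLowerCase().indexOf("text/html") === -1) return [];
    var missing = [];
    for (var name in REQUIRED_HEADERS) {
        // Browsers ignore HSTS over plain HTTP, so do not flag it there.
        if (name === "strict-transport-security" && scheme !== "https") continue;
        if (!headers.hasOwnProperty(name)) missing.push(name);
    }
    return missing;
}

// ZAP entry point (hypothetical wiring; only the function above is exercised offline).
function scan(helper, msg, src) {
    var rsp = msg.getResponseHeader();
    var uri = msg.getRequestHeader().getURI();
    var present = {};
    for (var name in REQUIRED_HEADERS) {
        if (rsp.getHeader(name) !== null) present[name] = String(rsp.getHeader(name));
    }
    var missing = missingSecurityHeaders(rsp.getStatusCode(),
        String(rsp.getHeader("Content-Type") || ""), String(uri.getScheme()), present);
    missing.forEach(function (name) {
        helper.raiseAlert(RISK_MEDIUM, CONFIDENCE_HIGH,
            "Missing security header: " + name,
            "The response did not include the " + name + " header.",
            uri.toString(), "", "", "", REQUIRED_HEADERS[name], "", 693, 15, msg);
        // 693 = CWE Protection Mechanism Failure, 15 = WASC Application Misconfiguration
    });
}
```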