Zed Attack Proxy only crawling one page


jbru...@gmail.com

May 2, 2017, 1:37:48 PM
to OWASP ZAP User Group

I have just recently started using Zed Attack Proxy (ZED) to check for OWASP vulnerabilities and I am trying to get it to scan my whole site. I have successfully got it to log in as a user and scan from there, but it stays on the main page after logging in. Is there a way to get it to scan the other pages throughout the website? Also, is there a way to test for specific vulnerabilities only, or is it more of a broad scan of everything? I am still new to this software, so any help is appreciated.

Thanks,

Simon Bennetts

May 3, 2017, 4:01:00 AM
to OWASP ZAP User Group
Hiya,

The Getting Started Guide is a good place to, er, get started :)
It's included with ZAP and also available online here: https://github.com/zaproxy/zaproxy/releases/download/2.6.0/ZAPGettingStartedGuide-2.6.pdf

To explore your app you can use any combination of:
  1. Proxy your browser through ZAP and explore it manually
  2. Proxy regression tests through ZAP
  3. Use the traditional spider, which is fast but doesn't handle JavaScript so well
  4. Use the Ajax Spider, which is slower but handles JavaScript (by launching browsers)

If you're still having problems crawling more than one page then let us know exactly what you are doing and what you see and we can help you from there.


ZAP includes a wide range of scanning rules which are categorized as either:

  • Passive, ie ones where the rule just looks for things (like missing security headers)
  • Active, in which the rules perform attacks (like XSS and SQLi)

By default ZAP just includes 'release' quality rules, but you can also download 'beta' and 'alpha' quality rules as well from the ZAP Marketplace: https://github.com/zaproxy/zap-extensions/wiki


ZAP has _very_ fine-grained control over the rules you run. You can run all of the rules, just one rule, or any combination of them.

You can also set the 'strength' of each rule (which roughly equates to how many requests they make) and the 'threshold' (whether they are more or less likely to report potential issues)

For more info see the help (included with ZAP and also online), eg:

Cheers,


Simon
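To make the answer above concrete, here is an added example (not code from this thread or from the ZAP project) that drives the same steps through ZAP's JSON REST API: spider from a start URL so the crawl goes past the landing page, optionally run the Ajax Spider for JavaScript-heavy apps, disable every active rule except a chosen few, set their strength and threshold, and then active-scan. Assumptions: ZAP is listening on http://127.0.0.1:8080 with an API key, the browser session that logged in was proxied through ZAP (so the spider reuses its cookies), the target http://app.test/ is a placeholder, and the rule IDs 40012 (Cross Site Scripting (Reflected)) and 40018 (SQL Injection) should be checked against the Scan Policy dialog in your ZAP version. The HTTP getter and sleep function are injectable so the flow can be exercised without a running ZAP.

```python
"""Drive ZAP's JSON API: spider, (ajax spider), select active rules, active scan.

Added example for this thread, not code from the thread or the ZAP project.
Assumes a ZAP 2.6-era API at http://127.0.0.1:8080 and a valid API key.
"""
import json
import time
import urllib.parse
import urllib.request


def default_http_get(url):
    """Fetch a ZAP API URL and decode the JSON body."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def api_url(base, component, kind, name, apikey, **params):
    """Build {base}/JSON/{component}/{action|view}/{name}/?apikey=...&param=..."""
    query = {"apikey": apikey}
    query.update({k: str(v) for k, v in params.items() if v is not None})
    return "%s/JSON/%s/%s/%s/?%s" % (
        base.rstrip("/"), component, kind, name, urllib.parse.urlencode(query))


class ZapClient:
    def __init__(self, base="http://127.0.0.1:8080", apikey="",
                 http_get=default_http_get, sleep=time.sleep):
        self.base, self.apikey = base, apikey
        self.http_get, self.sleep = http_get, sleep

    def action(self, component, name, **params):
        return self.http_get(api_url(self.base, component, "action", name, self.apikey, **params))

    def view(self, component, name, **params):
        return self.http_get(api_url(self.base, component, "view", name, self.apikey, **params))

    def spider(self, target):
        """Traditional spider: start at target, recurse, return the URLs found."""
        scan_id = self.action("spider", "scan", url=target, recurse="true")["scan"]
        while int(self.view("spider", "status", scanId=scan_id)["status"]) < 100:
            self.sleep(2)
        return self.view("spider", "results", scanId=scan_id)["results"]

    def ajax_spider(self, target):
        """Ajax Spider (browser-driven, handles JavaScript); returns result count."""
        self.action("ajaxSpider", "scan", url=target, inScope="false")
        while self.view("ajaxSpider", "status")["status"] == "running":
            self.sleep(5)
        return int(self.view("ajaxSpider", "numberOfResults")["numberOfResults"])

    def configure_active_rules(self, rule_ids, strength="MEDIUM", threshold="MEDIUM"):
        """Run only the given plugin IDs. Strength: LOW/MEDIUM/HIGH/INSANE;
        threshold: OFF/LOW/MEDIUM/HIGH (lower threshold = more reports)."""
        self.action("ascan", "disableAllScanners")
        self.action("ascan", "enableScanners", ids=",".join(str(i) for i in rule_ids))
        for rid in rule_ids:
            self.action("ascan", "setScannerAttackStrength", id=rid, attackStrength=strength)
            self.action("ascan", "setScannerAlertThreshold", id=rid, alertThreshold=threshold)

    def active_scan(self, target):
        """Active scan everything under target; return alerts for that base URL."""
        scan_id = self.action("ascan", "scan", url=target, recurse="true", inScopeOnly="false")["scan"]
        while int(self.view("ascan", "status", scanId=scan_id)["status"]) < 100:
            self.sleep(5)
        return self.view("core", "alerts", baseurl=target)["alerts"]


if __name__ == "__main__":
    # Placeholder target and key; log in through the ZAP proxy first so the
    # spider inherits the authenticated session.
    zap = ZapClient(apikey="changeme")
    target = "http://app.test/"
    urls = zap.spider(target)
    print("spider found %d URLs" % len(urls))
    # Rule IDs assumed: 40012 Reflected XSS, 40018 SQL Injection.
    zap.configure_active_rules([40012, 40018], strength="HIGH", threshold="LOW")
    for alert in zap.active_scan(target):
        print(alert.get("risk"), alert.get("alert"), alert.get("url"))
```

If the spider still only returns the start page, the usual causes are that the links are built by JavaScript (use the Ajax Spider), that the login session was not in the same ZAP session as the spider, or that the other pages are excluded by scope or context settings. Because `disableAllScanners` and `enableScanners` act on the default scan policy, the selection persists in the session until you change it again.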
