How to perform an AJAX spider attack when you have two URLs at the same time


riyas...@gmail.com

1 Sep 2017 02:12:44
to OWASP ZAP User Group
I am trying to perform an AJAX spider attack on my web page. For this, I have configured a local proxy server. Also, I have managed the HTTP sessions. Now, when I log in to the application and view ZAP, two URLs are shown:
  1. Home page (one URL, localhost:3000)
  2. Login request (basically an API, localhost:4000)
When I perform an AJAX spider attack on the first one, only the home page is displayed and the login action is not performed.
When I perform an AJAX spider attack on the second one, a page opens as <Application name> and then it disappears.

How can I now perform the test using both at the same time?



thc...@gmail.com

1 Sep 2017 04:20:47
to zaprox...@googlegroups.com
Hi.

In this case you need to AJAX Spider a Context with the authentication
configured (i.e. include in context "localhost:3000" and authenticate
against "localhost:4000"). [1] Having the "login URL" in another server
is not a problem.


[1]
https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAuthentication

Best regards.

On 01/09/17 07:12, riyas...@gmail.com wrote:
> I am trying to perform ajax spider attack on my webpage. For this, I have
> configured a local proxy server. Also, I have managed the HTTP sessions.
> Now, when I login to the application and view the zap, two url are shown as
> :
>
> 1. Home page(One URL as localhost:3000)
> 2. Login request(basically an API localhost:4000)

riyas...@gmail.com

6 Sep 2017 05:05:45
to OWASP ZAP User Group
Hi,

I tried the following steps but it's not working:

1. Set the context: localhost:3000

2. In authentication, used the 4000 port along with logged-in and logged-out indicators

3. AJAX spider on localhost:4000

But when I do so, the localhost:3000 page opens but the login action is still not performed.
Can you tell me if I am doing something wrong? Please provide some guidance.

Thanks

kingthorin+owaspzap

6 Sep 2017 05:13:22
to OWASP ZAP User Group
Your localhost:3000 entry is literal, that's the only URL in scope. Look at the screenshot and note the difference in use of .* (wildcard).
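The two answers above make one point between them: both hosts have to be in the same context, the login has to be configured as that context's authentication, and the "include in context" entries have to be regexes with a wildcard tail, not literal host:port strings, because ZAP tests each regex against the whole URL. The following is an added example, not code from the thread or from the ZAP project. It scripts that setup through the ZAP API using the `python-owasp-zap-v2.4` client (`zapv2`), and the pure-Python parts mimic ZAP's scope test so the literal-versus-wildcard difference can be checked offline. The login path `/login`, the form field names, the context name, the credentials and the indicator regexes are assumptions, not values from the thread.

```python
"""Added example (not from the thread or from ZAP itself): put both hosts
from the thread into one ZAP context and AJAX-spider it as an authenticated
user.  Host names and ports come from the thread; the login path, form field
names, context name, credentials and indicator regexes are assumptions."""
import re
import time
from typing import Iterable
from urllib.parse import urlencode

APP_HOST = "http://localhost:3000"   # the page the poster wants spidered
API_HOST = "http://localhost:4000"   # the server that handles the login
LOGIN_URL = API_HOST + "/login"      # assumed login endpoint
CONTEXT_NAME = "two-host-app"        # assumed context name

# ZAP matches each "include in context" regex against the *whole* URL
# (scheme, host, port, path).  A literal "localhost:3000" therefore matches
# nothing; both hosts need a wildcard tail to be in scope for one context.
LITERAL_INCLUDES = ["localhost:3000"]
WILDCARD_INCLUDES = [APP_HOST + ".*", API_HOST + ".*"]


def in_scope(url: str, includes: Iterable[str]) -> bool:
    """Mimic ZAP's scope test: in scope if any include regex matches the full URL."""
    return any(re.fullmatch(rx, url) for rx in includes)


def form_auth_params(login_url: str, user_field: str = "username",
                     pass_field: str = "password") -> str:
    """Build the authMethodConfigParams string that ZAP's
    formBasedAuthentication method expects.  {%username%} and {%password%}
    are ZAP's own placeholders, filled in per user at scan time."""
    request_data = f"{user_field}={{%username%}}&{pass_field}={{%password%}}"
    return urlencode({"loginUrl": login_url, "loginRequestData": request_data})


def credential_params(username: str, password: str) -> str:
    """authCredentialsConfigParams for a ZAP user of the form-based method."""
    return urlencode({"username": username, "password": password})


def spider_both_hosts_as_user(zap, username: str, password: str,
                              logged_in_rx: str, logged_out_rx: str,
                              timeout_s: int = 600):
    """Configure the context and run the AJAX spider as a user.

    `zap` is a zapv2.ZAPv2 client pointed at a running ZAP; this function
    needs a live ZAP instance and is not exercised offline."""
    ctx_id = zap.context.new_context(CONTEXT_NAME)
    for rx in WILDCARD_INCLUDES:            # both hosts, with .* tails
        zap.context.include_in_context(CONTEXT_NAME, rx)
    # Authentication is a property of the context, so the login living on
    # localhost:4000 while the pages live on localhost:3000 is not a problem.
    zap.authentication.set_authentication_method(
        ctx_id, "formBasedAuthentication", form_auth_params(LOGIN_URL))
    zap.authentication.set_logged_in_indicator(ctx_id, logged_in_rx)
    zap.authentication.set_logged_out_indicator(ctx_id, logged_out_rx)
    user_id = zap.users.new_user(ctx_id, username)
    zap.users.set_authentication_credentials(
        ctx_id, user_id, credential_params(username, password))
    zap.users.set_user_enabled(ctx_id, user_id, "true")
    # Spider the app host as that user; ZAP logs in via the context's
    # authentication (against API_HOST) before crawling.
    zap.ajaxSpider.scan_as_user(CONTEXT_NAME, username, url=APP_HOST + "/")
    deadline = time.time() + timeout_s
    while zap.ajaxSpider.status == "running" and time.time() < deadline:
        time.sleep(2)
    return zap.ajaxSpider.results(start=0, count=1000)


if __name__ == "__main__":
    # Offline demonstration of the scope rule behind kingthorin's reply.
    for rx_set in (LITERAL_INCLUDES, WILDCARD_INCLUDES):
        print(rx_set, "->", in_scope(APP_HOST + "/", rx_set))
    print(form_auth_params(LOGIN_URL))
    # To run against ZAP (assumed API key and listener):
    #   from zapv2 import ZAPv2
    #   zap = ZAPv2(apikey="changeme", proxies={"http": "http://127.0.0.1:8080"})
    #   spider_both_hosts_as_user(zap, "alice", "s3cr3t!", "(?i)logout", "(?i)login")
```

Two caveats on the regexes: `http://localhost:3000.*` also matches `http://localhost:30001/`, so a `/` after the port is safer when neighbouring ports exist, and the logged-in/logged-out indicators are tested against the response of the login request and the spidered pages, so they should name something that only appears in one of the two states.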