Active Scan on specific endpoints not targets


Mile DJOKIC

May 28, 2023, 3:32:24 PM
to OWASP ZAP User Group
Hi, 

I would like to target only specific endpoints on my target.
Let's say I'm using Selenium to automate an application and I have only the endpoints which were touched during the automation, which I want to attack.

Can I somehow use the active scan to attack only these endpoints and not all which are associated with the target?

psiinon

May 29, 2023, 4:05:09 AM
to zaprox...@googlegroups.com
Proxy those tests through ZAP, and then don't use either of the spiders.
We deliberately separate exploring an app from attacking it so you can do things like this.

Cheers 

Simon


Mile DJOKIC

May 31, 2023, 4:56:26 PM
to OWASP ZAP User Group
Hi, 

If I proxy through it, would the active scan still take the whole page as context, like localhost:<port>?

What I would like to achieve is that I only scan the endpoints that I hit during working with the app. Meaning that the active scan targets only the endpoints which I have already touched before.

Please correct me if I understood the active scan and the context concept wrong. 

Best, 
Mile 

thc...@gmail.com

May 31, 2023, 5:44:19 PM
to zaprox...@googlegroups.com
The active scanner will only scan what it knows about; if you are proxying
specific endpoints it will scan only those.

Have you checked the Attack mode? I think that matches the workflow you
are describing.
https://www.zaproxy.org/docs/desktop/start/features/scope/


In any case you can scan only specific endpoints by having the recurse
option disabled.
https://www.zaproxy.org/docs/desktop/ui/dialogs/advascan/

Best regards.
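The workflow the two replies describe (proxy the Selenium run through ZAP, skip the spiders, then active-scan each recorded URL with recurse disabled), as an added script that is not part of this thread or of ZAP itself. It assumes ZAP is listening on 127.0.0.1:8080, the API key is in the ZAP_API_KEY environment variable, and the app under test is on localhost:3000; only the standard library is used, so the helpers can be exercised without a running ZAP.

```python
"""Active-scan only the endpoints a proxied Selenium run actually touched.

Assumptions (not from the thread): ZAP's API is on 127.0.0.1:8080, the key is
in ZAP_API_KEY, and the tests were proxied through ZAP with both spiders
unused, so ZAP's Sites tree holds only URLs the browser really requested.
"""
import json
import os
from urllib.parse import urlencode, urlparse
from urllib.request import Request, urlopen

ZAP = "http://127.0.0.1:8080"      # assumed ZAP proxy/API address
TARGET_HOST = "localhost:3000"     # assumed host of the app under test


def touched_endpoints(known_urls, host=TARGET_HOST):
    """Keep only URLs on the app under test and attack each path once.

    Third-party hosts the browser also hit (CDNs, analytics) are dropped, and
    query-string variants of one path collapse to the first one seen, since
    the active scanner fuzzes that request's parameters anyway.
    """
    seen, out = set(), []
    for u in known_urls:
        p = urlparse(u)
        if p.netloc != host:
            continue
        key = f"{p.scheme}://{p.netloc}{p.path}"
        if key not in seen:
            seen.add(key)
            out.append(u)
    return out


def scan_request(url, apikey):
    """ZAP API call for one active scan of exactly this node: recurse=false
    stops ZAP from descending into every child under it in the Sites tree."""
    params = {"url": url, "recurse": "false", "inScopeOnly": "false", "apikey": apikey}
    return f"{ZAP}/JSON/ascan/action/scan/?{urlencode(params)}"


def zap_get(url):
    with urlopen(Request(url, headers={"Accept": "application/json"})) as r:
        return json.load(r)


if __name__ == "__main__":
    key = os.environ["ZAP_API_KEY"]
    known = zap_get(f"{ZAP}/JSON/core/view/urls/?apikey={key}")["urls"]
    for ep in touched_endpoints(known):
        print(f"scan {zap_get(scan_request(ep, key))['scan']} started for {ep}")
```

Because no spider ran, the urls view only contains what the proxied tests requested, which is exactly the set the question asks to restrict the attack to.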