How does ZAP AJAX Spider Even Work?
3,757 views
Skip to first unread message
Dave Wichers
Apr 28, 2017, 3:02:29 PM4/28/17
to OWASP ZAP User Group
I'm trying to use this to help develop a more complete site map of a site. When I Export all the URLs in the sitemap for the current site I get 470 URLs. When I run the AJAX Spider on that same site, it crawls 24 URLs. Why not at least the same 470? And then I'd hope it might find some more.
Thanks, Dave
kingthorin+owaspzap
Apr 28, 2017, 6:12:34 PM4/28/17
to OWASP ZAP User Group
The AJAX Spider is meant to crawl.....AJAX. If you (you're app/site) don't use AJAX'ish functionality it isn't going to find much.
https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider
https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsSpiderAjaxConcepts
Simon Bennetts
May 2, 2017, 6:06:07 AM5/2/17
to OWASP ZAP User Group
I'm not so sure - I think that the Ajax Spider should find a superset of the links that the 'traditional' spider will find, although it will take significantly longer.
Dave - what options are you using for the Ajax Spider?
Can you share the URL of the site you are scanning (either publicly or privately)?
Cheers,
Simon
Dave - what options are you using for the Ajax Spider?
Can you share the URL of the site you are scanning (either publicly or privately)?
Cheers,
Simon
Dave Wichers
May 2, 2017, 11:11:00 AM5/2/17
to zaprox...@googlegroups.com
It's a non-public site, so I can't share anything. I'm trying to figure out ways to make both spiders more intuitive/user friendly.
I think I already have a JIRA about having the spiders clearly indicate whenever they find anything new. Is there any way to have them drop a Spider Complete/Summary entry. Something like: 54 Original URLs Spidered, 5 New URLs discovered. And then either list the NEW URLs, or mark them NEW in the site tree, or something.
And I do think it would be more intuitive if the AJAX Spider crawled every URL, and also output some similar summary info.
Right now I really have no clue:
1) If the Spiders are even working properly, nor
2) Are they finding anything new
And 2) above is most important to me. I'm doing it because I 'know' I should be doing this to help ZAP. But I have little
evidence it helps much.
Also, is there any way (or would it be useful), to indicate which URLs in the Site Tree are AJAX endpoints vs. normal? And are they truly distinct in that manner?? i.e., can they be accessed both way? I think they can.
Any improvement ideas from you guys?
Thanks, Dave
--
You received this message because you are subscribed to a topic in the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/zaproxy-users/knq9I0JV0mc/unsubscribe.
To unsubscribe from this group and all its topics, send an email to zaproxy-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/8e06a2e2-ace9-441a-8a54-77eee753059c%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages