Scanning multiple Urls in ZAP


Tanu

Feb 1, 2024, 3:00:20 AM
to ZAP User Group
Hi Team,

I have been looking into scanning multiple URLs in one go and generating a report for all URLs with the findings.
I have used the Automation Framework and added import, report, active scan, passive scan filters, but it is still not scanning the URLs and is giving an error in the report filter. I have tried this multiple times and gone through various conversations present here as well, but didn't get any clear steps.
Could you please guide me on how to achieve this?

Looking forward to your reply.

Regards,

thc...@gmail.com

Feb 1, 2024, 3:49:18 AM
to zaprox...@googlegroups.com
Hi,

Could you provide the errors and share the plan (remove any sensitive info)?

If you include those URLs in context they will all be scanned the same,
same for the report, it will include all URLs.

Best regards.

Tanu

Feb 1, 2024, 4:04:23 AM
to ZAP User Group
Hi,

I am going to the Automation tab > New Plan > adding the context in which the list of URLs is present > in job, selecting active scan > adding a report job in the same plan.
When I run this plan it shows the time as 00.00.00 and an error corresponding to Report.
Please see the attached screenshot.

Thank you.
Scan error.png

Tanu

Feb 2, 2024, 12:52:27 AM
to ZAP User Group
In addition to the above, I tried the ZAP CLI on Linux as well:

zap.sh -cmd -zapit example.com -zapit example2.com
but I am not able to find the command which can generate a report as well with a multiple-URL scan.

Simon Bennetts

Feb 2, 2024, 6:28:05 AM
to ZAP User Group
The zapit command line option currently does not generate reports, it just outputs to the command line.
Re the plan you are trying to run - have a look in the "Output" tab shown in your screenshot.

Cheers,

Simon

Tanu

Feb 2, 2024, 11:41:41 AM
to ZAP User Group
Hi,

If you see, the scan time is 00.00.00, which indicates the scan is not running.
I have attached the output tab as well; there is no report either.

Could you please confirm: I need to scan multiple URLs and need to have a report for this. What will be the best approach?
I tried CLI commands as well with zap.sh.

Thank you.

DAST error2.png
DAST error.png

Simon Bennetts

Feb 2, 2024, 12:03:18 PM
to ZAP User Group
The zap.log file should have more detailed errors:

Cheers,

Simon

Tanu

Feb 3, 2024, 11:35:09 AM
to ZAP User Group
Hi,

Please find attached a capture from the log file from the system; there is the same information which was specified in the console.

log_file_error.png

Tanu

Feb 3, 2024, 11:51:03 AM
to ZAP User Group
Hi,

Can you tell me what is the best way to scan multiple URLs and get the report generated? If CLI, then what will the CLI command for this be? I tried various ways; none is working.

Thank you for helping.

Regards,

Tanu

Feb 5, 2024, 5:55:33 AM
to ZAP User Group
Hi Simon,

When I am running a scan through zap-cli, it is giving me the below error:

zap-cli active-scan --scanners xss,sqli --recursive http://127.0.0.1/

[INFO]            Running an active scan...
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/urllib3/connection.py", line 158, in _new_conn
    conn = connection.create_connection(
  File "/usr/local/lib/python3.10/dist-packages/urllib3/util/connection.py", line 80, in create_connection
    raise err
  File "/usr/local/lib/python3.10/dist-packages/urllib3/util/connection.py", line 70, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/urllib3/connectionpool.py", line 597, in urlopen
    httplib_response = self._make_request(conn, method, url,
  File "/usr/local/lib/python3.10/dist-packages/urllib3/connectionpool.py", line 354, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python3.10/http/client.py", line 1283, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3.10/http/client.py", line 1329, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.10/http/client.py", line 1278, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.10/http/client.py", line 1038, in _send_output
    self.send(msg)
  File "/usr/lib/python3.10/http/client.py", line 976, in send
    self.connect()
  File "/usr/local/lib/python3.10/dist-packages/urllib3/connection.py", line 181, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python3.10/dist-packages/urllib3/connection.py", line 167, in _new_conn
    raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7ff91243ee60>: Failed to establish a new connection: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/local/lib/python3.10/dist-packages/urllib3/connectionpool.py", line 637, in urlopen
    retries = retries.increment(method, url, error=e, _pool=self,
  File "/usr/local/lib/python3.10/dist-packages/urllib3/util/retry.py", line 399, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='127.0.0.1', port=8080): Max retries exceeded with url: http://zap/JSON/ascan/action/disableAllScanners/?apikey=98gbtu7haah5l84o8ebrins4f7 (Caused by ProxyError('Cannot connect to proxy.', NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7ff91243ee60>: Failed to establish a new connection: [Errno 111] Connection refused')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/zap-cli", line 8, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python3.10/dist-packages/click/core.py", line 664, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/click/core.py", line 644, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.10/dist-packages/click/core.py", line 991, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.10/dist-packages/click/core.py", line 837, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.10/dist-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/click/decorators.py", line 26, in new_func
    return ctx.invoke(f, ctx.obj, *args[1:], **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/zapcli/cli.py", line 154, in active_scan
    zap_helper.set_enabled_scanners(scanners)
  File "/usr/local/lib/python3.10/dist-packages/zapcli/zap_helper.py", line 314, in set_enabled_scanners
    self.zap.ascan.disable_all_scanners()
  File "/usr/local/lib/python3.10/dist-packages/zapv2/ascan.py", line 284, in disable_all_scanners
    return six.next(six.itervalues(self.zap._request(self.zap.base + 'ascan/action/disableAllScanners/', params)))
  File "/usr/local/lib/python3.10/dist-packages/zapv2/__init__.py", line 159, in _request
    data = self._request_api(url, get)
  File "/usr/local/lib/python3.10/dist-packages/zapv2/__init__.py", line 149, in _request_api
    return self.session.get(url, params=query, proxies=self.__proxies, verify=False)
  File "/usr/local/lib/python3.10/dist-packages/requests/sessions.py", line 546, in get
    return self.request('GET', url, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.10/dist-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/requests/adapters.py", line 510, in send
    raise ProxyError(e, request=request)
requests.exceptions.ProxyError: HTTPConnectionPool(host='127.0.0.1', port=8080): Max retries exceeded with url: http://zap/JSON/ascan/action/disableAllScanners/?apikey=98gbtu7haah5l84o8ebrins4f7 (Caused by ProxyError('Cannot connect to proxy.', NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7ff91243ee60>: Failed to establish a new connection: [Errno 111] Connection refused')))


Simon Bennetts

Feb 6, 2024, 6:13:21 AM
to ZAP User Group
Pro tip - don't use zap-cli - it is a 3rd party project that is no longer supported.
The recommended automation options are detailed on https://www.zaproxy.org/docs/automate/

Cheers,

Simon

Tanu

Feb 6, 2024, 7:25:42 AM
to zaprox...@googlegroups.com
Thank you Simon for answering queries.

I read somewhere on GitHub that you mention a command with a quick action to scan multiple URLs and generate a report:

./zap.sh -quickbulk -quickout
-quickformat <xml/html>

What is the right command? I tried this, but it is not working.

Regards,


Simon Bennetts

Feb 6, 2024, 7:26:44 AM
to ZAP User Group
No, that is not a supported option.

Tanu

Feb 6, 2024, 9:15:08 AM
to zaprox...@googlegroups.com
Then I think we are left with the Automation Framework option, with which multiple URLs can be scanned and a report can be generated.
Can you look into the previous error and confirm what can be the reason that the scan is not generating any output?

psiinon

Feb 6, 2024, 9:17:01 AM
to zaprox...@googlegroups.com



--
ZAP Project leader

Tanu

Feb 15, 2024, 8:27:32 AM
to ZAP User Group
Hi Simon,

Can you please see, I have attached a log file screenshot; there is no error. I am getting an error while generating the report.

In between, it started working with the same steps, but now it is failing again.

Thank you in advance.

Regards

Output screenshot.png
log error.png

psiinon

Feb 15, 2024, 8:30:20 AM
to zaprox...@googlegroups.com
Do you see the "Cannot create directory" message?
That's the problem - filestore permissions.
ZAP can't do anything about that, you need to fix them.

Cheers,

Simon



--
ZAP Project leader
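
Added example, not part of the thread and not code from the ZAP project: a pre-flight check for the "Cannot create directory" failure diagnosed above, together with a generator for an Automation Framework plan that puts several URLs in one context and writes a single report. The URLs, paths, the context name "multi-url" and the inclusion of a spider job are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). URLs, paths and the context name
# "multi-url" are placeholders; the spider job is an assumption.

# Succeeds if DIR is a writable directory, or does not exist yet but its
# nearest existing ancestor is a writable, searchable directory.
report_dir_ok() {
  local dir="$1"
  while [ ! -e "$dir" ]; do
    dir=$(dirname "$dir")
  done
  [ -d "$dir" ] && [ -w "$dir" ] && [ -x "$dir" ]
}

# write_plan PLAN_FILE REPORT_DIR URL...
# Refuses to write the plan when the report directory could not be created.
write_plan() {
  local plan="$1" report_dir="$2"
  shift 2
  [ "$#" -ge 1 ] || { echo "no URLs given" >&2; return 1; }
  report_dir_ok "$report_dir" || {
    echo "cannot create or write to: $report_dir" >&2
    return 1
  }
  {
    printf 'env:\n  contexts:\n    - name: multi-url\n      urls:\n'
    printf '        - "%s"\n' "$@"
    cat <<EOF
jobs:
  - type: spider
    parameters:
      context: multi-url
  - type: passiveScan-wait
  - type: activeScan
    parameters:
      context: multi-url
  - type: report
    parameters:
      template: traditional-html
      reportDir: "$report_dir"
      reportFile: zap-report
EOF
  } > "$plan"
}

# Usage:
#   write_plan plan.yaml "$HOME/zap-reports" https://example.com https://example2.com
#   ./zap.sh -cmd -autorun plan.yaml
```

Run the check as the same OS user that launches ZAP, since the permissions that matter are that user's.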