Regarding ZAP API scan need some urgent support

DEVI

unread,

Feb 12, 2021, 6:45:33 AM2/12/21

to OWASP ZAP User Group

Why this is marked as abuse? It has been marked as abuse.

Report not abuse

Hi Simon,

Need some guidance from you on below 2 queries:

Query1:

Expectation1:

How to get specific URLs (for ex. here we need to fetch only URLs that contains "portal") out of all these below URLs.

FYI, we have tried few of the regex patterns below but we were unable to make it.

#1 "https:\/\/https:\/\/portal-xxx-yyy-h4.itcs.xxx.com\/abcde"

#2 wget -q https://portal-xxx-yyy-h4.itcs.xxx.com -O - | grep -o -E 'portal="([^"#]+)"

#3 curl https://portal-xxx-yyy-h4.itcs.xxx.com 2>&1 | grep -o -E 'href="([^"#]+)"' | cut -d'"' -f2 | egrep $CMP-[0-9].[0-9].[0-9]$ | cut -d'-' -f3

Current Status:

Using ZAP API we are fetching all the URLs, command used: curl http://localhost:8080/JSON/core/view/sites/?zapapiformat=JSON&formMethod=GET

and we get below response:

{"sites":["https://redirector.gvt1.com","http://ciscobinary.openh264.org","https://aus5.mozilla.org","https://snippets.cdn.mozilla.net","https://tracking-protection.cdn.mozilla.net","https://portal-xxx-yyy-h4.itcs.xxx.com","http://detectportal.firefox.com"]}

Expectation2:

And incase we received those specific URLs, then how to pass it in context list (contains URLs those are only needed for scanning), so that scanning could be performed next?

Query2:

Doubt:

Could we consider this below status i.e. 100 as passed or it could be considered as error ?

FYI, below is the command and the corresponding status

curl http://localhost:8080/JSON/ascan/view/status?scanId=1

{"status":"100"}[

Current Status:

When we try to scan a particular URL i.e. curl http://localhost:8080/JSON/ascan/action/scan/?url=${URL}

we get a scan ID, and while passing that ID to check the status of the scan it throws RESPONSE as 100.

Waiting for your quick support on this.

Thanks,

Devi

Simon Bennetts

unread,

Feb 12, 2021, 6:56:48 AM2/12/21

to OWASP ZAP User Group

Why this is marked as abuse? It has been marked as abuse.

Report not abuse

Hi Devi,

It sounds like you are relatively new to ZAP, and possibly trying to run before you can walk :)

I recommend starting by using the ZAP desktop for scanning your application before trying to use the API.

It will allow you to see whats going on much more easily, and will help you understand more ZAP concepts.

Also have a look at the Quick Start Guide: https://www.zaproxy.org/getting-started/

Cheers,

Simon

DEVI

unread,

Feb 15, 2021, 12:58:01 AM2/15/21

to zaprox...@googlegroups.com

Why this is marked as abuse? It has been marked as abuse.

Report not abuse

Hi Simon,

Thanks for writing back.

But just to clarify that, we already have experience using zap-desktop, and we are also using owasp zap image for performing full scan and baseline scans.

And here we are trying to automate the scan (i.e. integrating selenium scripts with zap) on the linux platform and previously mentioned are the issues we encountered while integrating. Any other suggestions would really be helpful.

Thanks,

Devi

--
You received this message because you are subscribed to a topic in the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/zaproxy-users/MzsYKsMYuLk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/e3dd91bc-57fd-403e-8f41-7a963661a079n%40googlegroups.com.

venkata.su...@associates.scit.edu

unread,

Feb 15, 2021, 6:37:53 AM2/15/21

to OWASP ZAP User Group

I am also trying to integrate with Selenium but adding the spidered URLs to a new context is a straight forward, I believe using the APIs. Or, if you have a set configuration of URLs or APIs, just import them if the URLs are not going to change until after a patch/update. I would suggest to create a new context and give a regex, that should do it. But then, since you are already spidering, not sure why you would want to store the URLs somewhere to scan when the underlying dB has them anyway. Or, maybe I am getting your question wrong.

DEVI

unread,

Feb 15, 2021, 6:53:22 AM2/15/21

to OWASP ZAP User Group

Why this is marked as abuse? It has been marked as abuse.

Report not abuse

Hey Venkata/Team,

Thanks for the quick response.

Meanwhile after executing selenium scripts with ZAP proxy we are able to capture the URLs and the REGEX pattern also now we are able to achieve, so now we need pass the obtained URLs to the ZAP.sh command, to perform active scan. With ZAP.sh we could only see quick scan options mostly, but our need is to have the active scan.

We already tried with "ascan" end point API for active scan but it didn't work out, so need some insights from this forum.

thanks,

Devi

Simon Bennetts

unread,

Feb 15, 2021, 7:06:25 AM2/15/21

to OWASP ZAP User Group

Why this is marked as abuse? It has been marked as abuse.

Report not abuse

Can you use Docker?

If so the packaged full scan might be a good option for you: https://www.zaproxy.org/docs/docker/full-scan/

Can you run your selenium scripts in your automation environment? If so proxy those through ZAP before active scanning.

Running ZAP twice (once to get the urls via proxying and the second time to actively scan them) is not really the best approach, you'll loose lots od data that way that ZAP would otherwise find useful.