ajax spider context in baseline


Frank Cini

Oct 5, 2023, 8:22:12 AM
to ZAP User Group
I'm running into an issue where I'm automating a complex authentication sequence, where there is a redirect to a third party domain.  Once a browser starts up, selenium will log in right away which works great in the zaproxy desktop.

When I run this from a baseline scan with the -j, it's failing waiting for the e-mail input box on the third party page.  A screenshot shows "(403 Forbidden) Out of Ajax Spider Scope"

I had been passing a context, with a specific regex for each domain, even tried .* (this gets loaded at the beginning of the selenium script with an import). Again I know this works because I see it show up when using the desktop version.

The only other thing I can think of is in the ajax-spider dialog there is subtree-only and context setting and wondering if these need to be passed in separately via a config option?  What would be the keys for these?

Any other ideas what I can look at?

Thanks in advance,

Frank






thc...@gmail.com

Oct 5, 2023, 9:02:15 AM
to zaprox...@googlegroups.com
Hi.

How are you setting up things in the baseline scan? Are you providing
your context?

Best regards.

Frank Cini

Oct 5, 2023, 9:24:39 AM
to zaprox...@googlegroups.com
The context is imported at the beginning of the selenium script:

 zapContext=zapSession.importContext(new java.io.File(contextFile));

which works in the desktop version (I can see it show up in the UI and ajax spider works there)... is there a better way programmatically or config wise to set that up?  Your question triggered me to think that I should pass that in on startup or something.

Thanks,

Frank



thc...@gmail.com

Oct 5, 2023, 9:31:16 AM
to zaprox...@googlegroups.com
I'd have expected the context to be provided with -n arg:
https://www.zaproxy.org/docs/docker/baseline-scan/#usage

Otherwise the baseline scan creates/uses its own context.

Best regards.

Frank Cini

Oct 5, 2023, 9:32:44 AM
to zaprox...@googlegroups.com
ahh ... I'm looking at the baseline options again:

    -n context_file   context file which will be loaded prior to spidering the target

not sure how I missed that before.

I'm running it right now and it looks like it's working!

Thanks again for your support!

Frank
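
A pre-flight check for the situation in this thread, as an added example that is not part of the original posts or of ZAP's own scripts: it reads the include/exclude regexes from a context file and lists which URLs of a login flow fall outside scope before the file is passed to the baseline scan with -n. The sample context, hostnames and function names are constructed, and the `incregexes`/`excregexes` layout and whole-URL, case-insensitive matching are assumptions about how ZAP stores and applies the patterns.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample; element names assumed to follow ZAP's exported context XML.
SAMPLE_CONTEXT = r"""<configuration>
  <context>
    <name>app-with-sso</name>
    <inscope>true</inscope>
    <incregexes>https://app\.example\.com.*</incregexes>
    <incregexes>https://login\.idp\.example\.net.*</incregexes>
    <excregexes>https://app\.example\.com/logout.*</excregexes>
  </context>
</configuration>"""


def load_scope(context_xml):
    """Return (name, include_patterns, exclude_patterns) for the first context."""
    ctx = ET.fromstring(context_xml).find("context")
    if ctx is None:
        raise ValueError("no <context> element found")

    def compile_all(tag):
        # Skip empty elements; compile case-insensitively (assumption, see lead-in).
        return [re.compile(e.text.strip(), re.IGNORECASE)
                for e in ctx.findall(tag) if e.text and e.text.strip()]

    return ctx.findtext("name"), compile_all("incregexes"), compile_all("excregexes")


def in_scope(url, includes, excludes):
    """True if the whole URL matches an include regex and no exclude regex."""
    if any(p.fullmatch(url) for p in excludes):
        return False
    return any(p.fullmatch(url) for p in includes)


def out_of_scope(urls, context_xml):
    """URLs of a login flow that the context would leave out of scope."""
    _, includes, excludes = load_scope(context_xml)
    return [u for u in urls if not in_scope(u, includes, excludes)]


if __name__ == "__main__":
    # Constructed login flow with a redirect to a third-party identity provider.
    flow = ["https://app.example.com/",
            "https://login.idp.example.net/authorize?client_id=x",
            "https://cdn.thirdparty.example.org/widget.js"]
    for url in out_of_scope(flow, SAMPLE_CONTEXT):
        print("out of scope:", url)
```
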

Oussama Elkhadda

Oct 5, 2023, 9:39:26 AM
to ZAP User Group
May I kindly inquire whether the baseline scan functionality is exclusively offered within the Dockerized iteration of OWASP ZAP, and not present in the OWASP ZAP Desktop variant? Your clarification would be greatly appreciated. Thank you

CMD ["python", "test.py"]

thc...@gmail.com

Oct 5, 2023, 9:43:00 AM
to zaprox...@googlegroups.com
That's right, that's only bundled in the Docker images, although you can
also download the scripts from the zaproxy repo and execute them
directly (they will still use Docker to run ZAP).

Best regards.