Ajax spider never ending discovery


Alf0

Jul 27, 2021, 10:47:39 AM
to OWASP ZAP User Group
Hi there,

I am using the Ajax spider for the first time on a "real" application.
I am using the GUI with the correct Java version, allowing me to run FF.
But I am not sure I am running it correctly, because as a result spidering takes 60 minutes with 11835 URLs crawled.
Then the passive scan takes about 6 hours.
I am afraid to run the active scan....

Settings for the Ajax spider are the defaults, except for the number of headless FF (4).

Do I have to check something or modify a setting?

Is the number of 11835 URLs normal?

I had to change the JVM heap size to 4096m.

But I assume the active scan will take the entire week (is it normal?)

I know it depends on the application, but maybe there is something to tune at first?

Alf0

Jul 27, 2021, 10:49:09 AM
to OWASP ZAP User Group
Another piece of information: the classic spider finds 2200 URLs.

Simon Bennetts

Jul 27, 2021, 11:20:16 AM
to OWASP ZAP User Group
There is no "normal" :)
Some apps can have just a couple of URLs, other database-driven apps could have an infinite number - think of a calendar app for example.

So, how many URLs do you think your app has, realistically?
If you don't know then you should aim to find out, e.g. by manually exploring it with your browser while proxying through ZAP.
You should aim to get ZAP exploring your app as effectively and efficiently as you can before progressing to active scanning.
This video may help explain things more: https://www.youtube.com/watch?v=1_flXEBzEsE
There are also other videos on https://www.zaproxy.org/zap-deep-dive/ that may well help.

Cheers,

Simon

Alexandre FONTANA

Jul 28, 2021, 9:22:49 AM
to zaprox...@googlegroups.com
Thank you Simon, I had a look at this.

As an example, here I have a huge number of URLs but it is always the same code, only the parameter "cle" is changing.

But the spider is running under each parameter "cle" it finds; is there a way to stop it once one occurrence has been crawled and to skip the others?

I do not think there is added value in going through each parameter (hope my English is clear, I am not a native English speaker), once the code of the functionality is tested.

Do not hesitate to ask me to reformulate.
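Two points in this exchange that a worked example can make concrete: Simon's question of how many URLs the app realistically has, and Alexandre's observation that thousands of crawled URLs hit the same code with only the parameter "cle" changing. The Python below is added here as an illustration; it is not from the thread, from ZAP, or from either poster. It groups crawled URLs by "shape" (path plus parameter names, ignoring values) so that URLs differing only in a parameter value collapse into one entry, giving a rough count of distinct pages behind a large crawl, and it builds a regex that would skip all but one kept value of a parameter, of the kind a regex-based spider exclusion rule accepts (ZAP's "Exclude from Spider" rules take Java regex syntax; the pattern stays within the subset shared with Python). The hostname, paths and all parameter names other than "cle" are constructed sample data.

```python
"""
Added example (not from the thread): estimate how many distinct pages a crawl
really covered when most URLs differ only in one parameter value, and build a
regex that skips the remaining values of that parameter once one has been kept.
All URLs below are constructed sample data, not the application in the thread.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample crawl: one handler (ficheClient.jsp) reached under many
# values of "cle", plus a couple of other pages. The hostname is a placeholder.
CRAWLED = [
    "https://app.example/ficheClient.jsp?cle=1001",
    "https://app.example/ficheClient.jsp?cle=1002",
    "https://app.example/ficheClient.jsp?cle=1003&onglet=2",
    "https://app.example/ficheClient.jsp?onglet=1&cle=1004",
    "https://app.example/liste.jsp?page=1",
    "https://app.example/liste.jsp?page=2",
    "https://app.example/accueil.jsp",
]


def url_shape(url: str) -> str:
    """Reduce a URL to scheme://host/path plus the sorted parameter names.

    Parameter values are dropped, so ?cle=1001 and ?cle=1002 share one shape,
    while ?cle=1&onglet=2 is a different shape (a different input combination).
    """
    parts = urlsplit(url)
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return base + ("?" + "&".join(names) if names else "")


def group_by_shape(urls):
    """Map each shape to the list of crawled URLs that collapse into it."""
    groups = defaultdict(list)
    for url in urls:
        groups[url_shape(url)].append(url)
    return dict(groups)


def keep_one_per_shape(urls):
    """First URL seen per shape: a minimal set that still exercises each
    handler/parameter combination once."""
    seen = set()
    kept = []
    for url in urls:
        shape = url_shape(url)
        if shape not in seen:
            seen.add(shape)
            kept.append(url)
    return kept


def exclude_regex_for_param(base_url: str, param: str, keep_value: str) -> str:
    """Regex matching every URL under base_url whose `param` is NOT keep_value.

    Meant for a regex-based spider exclusion list. The negative lookahead
    looks for param=keep_value anywhere in the query string, so the order of
    parameters does not matter. URLs without a query string never match.
    """
    return (
        rf"^{re.escape(base_url)}\?"
        rf"(?!(?:[^#]*&)?{re.escape(param)}={re.escape(keep_value)}(?:&|$)).*$"
    )


def excluded_by(pattern: str, urls):
    """URLs that the exclusion pattern would stop the spider from visiting."""
    rx = re.compile(pattern)
    return [u for u in urls if rx.match(u)]


def crawl_summary(urls):
    """(total crawled URLs, distinct shapes): a rough size of the real surface."""
    return len(urls), len(group_by_shape(urls))


if __name__ == "__main__":
    total, shapes = crawl_summary(CRAWLED)
    print(f"{total} URLs crawled, {shapes} distinct shapes")
    for shape, members in group_by_shape(CRAWLED).items():
        print(f"  {len(members):3d}  {shape}")
    pattern = exclude_regex_for_param(
        "https://app.example/ficheClient.jsp", "cle", "1001")
    print("exclusion regex:", pattern)
    for u in excluded_by(pattern, CRAWLED):
        print("  would skip:", u)
```

To apply this to a real crawl, replace CRAWLED with the URLs exported from the Sites tree: the ratio of crawled URLs to distinct shapes shows how much of a long spider run was repeated coverage of the same handler, and the shape list is a reasonable starting answer to "how many URLs does the app really have". The generated pattern is one exclusion rule per handler and parameter; it deliberately keeps a single value so the code behind that parameter is still visited, which is the behaviour Alexandre asked for.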