How to exclude requests and sites from OWASP ZAP scanning?


malina
Dec 2, 2014, 3:56:23 AM
to zaprox...@googlegroups.com

So, I have Selenium tests and OWASP ZAP scanning after the tests are executed.
And the OWASP ZAP execution takes about 15-16 hours)))
I found this great article, How to speed up OWASP ZAP scans, and the first thing I did was increase the number of hosts and threads per host; this reduced execution time to 5 hours, which is still too much. Then I took a look at the application structure and assume that OWASP ZAP attacks the same code many, many times (as described in the mentioned article). There are a lot of GET:home requests (each test generates a new session); also, the folder structure is duplicated. Please take a look at the attached screenshot. But the exclusion mechanism is not clear to me :( Could anyone explain, or show an example of how to exclude duplicates in my case?

malina
Dec 2, 2014, 4:01:34 AM
to zaprox...@googlegroups.com

Forgot to attach the screenshot.

On Tuesday, December 2, 2014 at 10:56:23 UTC+2, malina wrote:

kingthorin+owaspzap
Dec 2, 2014, 10:19:39 AM
to zaprox...@googlegroups.com
Your app suffers from Session ID in URL Rewrite, which can facilitate session fixation attacks. (https://www.google.com/search?q=session+id+in+url+rewrite+owasp)

My guess is that since almost every home request generates a new rewritten URL with a unique session ID, ZAP treats each one as a separate URL.


Dima Malinochka
Dec 2, 2014, 11:26:47 AM
to zaprox...@googlegroups.com
Yep, each test generates a new URL :(
Is there some workaround to check this kind of URL only once?
Also, as I understand it, are the duplicated folders also caused by URL rewriting?

As a workaround:
do not start ZAP before test execution (this avoids duplicating URLs) but start it afterwards. But in this case I'll lose some of the requests and URLs... or not?




--
Regards, Dmytro

kingthorin+owaspzap
Dec 2, 2014, 1:09:14 PM
to zaprox...@googlegroups.com
The "LMNOP - Copy (2)" type entries are (I believe) generated by the "Backup File Disclosure" active scanner, combined with your app returning status code 200 on those requests.
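The two symptoms discussed in this thread (session IDs rewritten into the path, and "- Copy (N)" paths from the Backup File Disclosure rule) are both handled in ZAP with the same mechanism the original poster asked about: a regular expression that is matched against the whole URL and added under "Exclude from Context", "Exclude from Spider" and "Exclude from Scanner". The script below is an added example written for this page, not code from the thread or from the ZAP project. It keeps a constructed URL list (modelled on the thread, not taken from the poster's screenshot, which is not on the page), checks offline which URLs a set of exclusion regexes would drop, and shows how the same regexes would be pushed into a running ZAP through the python-owasp-zap-v2.4 client. The host name, the session parameter name `jsessionid`, and the scan rule ID `10095` are assumptions; confirm the rule ID in ZAP's Active Scan policy dialog before relying on it.

```python
import re

# Constructed sample URLs (not from the original post): two copies of /home
# that differ only in a rewritten session ID, the canonical /home, a
# "- Copy (2)" path of the kind the Backup File Disclosure rule requests,
# and two URLs that should stay in scope.
SAMPLE_URLS = [
    "http://app.example/home;jsessionid=0A1B2C3D4E5F",
    "http://app.example/home;jsessionid=FFEEDDCCBBAA",
    "http://app.example/home",
    "http://app.example/app/LMNOP%20-%20Copy%20(2)/index.jsp",
    "http://app.example/app/LMNOP/index.jsp",
    "http://app.example/login?sid=123456&next=/home",
]

# Exclusion patterns in the form ZAP accepts: a regex that must match the
# entire URL, hence the leading and trailing ".*". The parameter name
# "jsessionid" is an assumption; use whatever the application rewrites in.
EXCLUDE_REGEXES = [
    r".*;jsessionid=.*",            # URL-rewritten session ID in the path
    r".*%20-%20Copy%20\(\d+\).*",   # "- Copy (N)" backup-file probes
]


def is_excluded(url, patterns=EXCLUDE_REGEXES):
    """True if ZAP would drop this URL given the exclusion regexes.

    ZAP evaluates the regex (Java syntax) against the whole URL, so
    re.fullmatch mirrors that behaviour for the simple patterns used here.
    """
    return any(re.fullmatch(p, url) for p in patterns)


def partition(urls, patterns=EXCLUDE_REGEXES):
    """Split URLs into (kept, excluded) lists so the effect of the regexes
    can be reviewed before they are pushed into ZAP."""
    kept, dropped = [], []
    for url in urls:
        (dropped if is_excluded(url, patterns) else kept).append(url)
    return kept, dropped


def apply_to_zap(zap, context_name, patterns=EXCLUDE_REGEXES,
                 backup_rule_id="10095"):
    """Push the exclusions into a running ZAP.

    `zap` is an already-constructed zapv2.ZAPv2 client (the import is left
    to the caller so this module runs offline). Method names follow the
    python-owasp-zap-v2.4 client. Not invoked by the offline demo below.
    """
    for pattern in patterns:
        zap.context.exclude_from_context(context_name, pattern)
        zap.spider.exclude_from_scan(pattern)
        zap.ascan.exclude_from_scan(pattern)
    # Optionally silence the rule that produced the "- Copy (2)" entries.
    # The ID is an assumption; verify it in the Active Scan policy dialog.
    zap.ascan.disable_scanners(backup_rule_id)


if __name__ == "__main__":
    kept, dropped = partition(SAMPLE_URLS)
    print("scanned:", *kept, sep="\n  ")
    print("excluded:", *dropped, sep="\n  ")
```

Review the "kept" list before applying the regexes: excluding every URL that carries `;jsessionid=` only helps if the canonical URL (here `/home` without the parameter) is still reached once ZAP holds the session cookie. If the application only ever serves rewritten URLs, the exclusion empties the scan, and the right fix is to disable URL rewriting in the application, which also removes the session fixation exposure pointed out earlier in the thread.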