Getting 404/400 not found or Bad request in Active scan.


rath sarita

Sep 26, 2016, 4:08:44 AM
to OWASP ZAP User Group
Hi,

While doing an active scan, I am continuously getting 400 or 404 error codes. Even though the application is active, ZAP is still not able to identify the application.
Can you please help me out with this.

Thank you.
Sarita.

Simon Bennetts

Sep 26, 2016, 4:23:30 AM
to OWASP ZAP User Group
Only if you give us some more information :)
Have you had a look at the contents of the 400 / 404 messages?
What happens when you proxy a request through ZAP to access these URLs?
Can you provide us with some sanitized examples of the responses in both cases?

Cheers,

Simon

rath sarita

Sep 26, 2016, 4:39:23 AM
to OWASP ZAP User Group

Yes Sure.

I looked at the content of the 404/400, right-clicked and tried to open the URL in the browser, but it just comes up as a blank white page. The application does not open up. The spider attack is 100% completed, alerts are getting generated, and I am even able to fuzz. Nodes are getting generated while traversing through the application. But the active scan is not happening.

If required, I can give you the URL of the application.

Thank you.

Simon Bennetts

Sep 26, 2016, 5:02:18 AM
to OWASP ZAP User Group
You can email it to me - psi...@gmail.com

Cheers,

Simon

Simon Bennetts

Sep 29, 2016, 5:27:43 AM
to OWASP ZAP User Group
I'm able to login to your application using the credentials you emailed to me.
Are you trying to automate the scanning or just perform it manually?

If you are trying to perform a manual authenticated scan then:
  1. Login to your app
  2. Open the Http Session tab at the bottom
  3. Select your site
  4. Right click the session and 'Set as active'

You should then be able to kick off the active scan from the 'smoketest' directory - the active scanner will use the authenticated session that you've just set as being 'active'.

Note that I haven't tried this myself ;)

You may also need to exclude any logout URLs.


If you want to automate this then I'd still start by doing it manually :)


Cheers,


Simon
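The same four GUI steps (pick the logged-in session, set it active, exclude the logout URL, start the active scan) driven through ZAP's JSON API instead. This is an added example, not code from the thread or from the ZAP project; the base address, API key, site name, session name, logout path and target URL are assumptions or placeholders to replace.

```python
"""Drive ZAP's 'Set as active' session workflow through its JSON API."""
import json
import re
import urllib.parse
import urllib.request

ZAP_BASE = "http://localhost:8080"  # assumption: ZAP's default proxy/API address
API_KEY = "CHANGEME"                # placeholder: the API key from ZAP's options


def api_url(component, kind, name, params=None, base=ZAP_BASE, apikey=API_KEY):
    """Build a ZAP JSON API URL such as /JSON/httpSessions/action/setActiveSession/."""
    query = {"apikey": apikey}
    query.update(params or {})
    return f"{base}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(query)


def call(component, kind, name, params=None):
    """Issue the API request and decode the JSON reply (needs a running ZAP)."""
    with urllib.request.urlopen(api_url(component, kind, name, params), timeout=30) as resp:
        return json.load(resp)


def logout_regex(target_url, logout_path):
    """Regex that matches the logout URL (and anything under it) so the
    scanner never terminates the session it was handed."""
    return re.escape(target_url) + re.escape(logout_path) + ".*"


def activate_session_and_scan(site, session_name, target_url, logout_path):
    """Steps 2-4 of the manual workflow, then kick off the active scan.
    site is the entry shown in the Http Sessions tab (e.g. 'host:port'),
    session_name is the name ZAP gave the logged-in session there."""
    # Step 3: confirm ZAP actually recorded a session for this site.
    recorded = call("httpSessions", "view", "sessions", {"site": site})
    if not recorded.get("sessions"):
        raise RuntimeError(f"no HTTP sessions recorded for {site}; log in via the proxy first")
    # Step 4: 'Set as active' so the scanner reuses the authenticated cookies.
    call("httpSessions", "action", "setActiveSession",
         {"site": site, "session": session_name})
    # Keep the scanner away from the logout URL.
    call("ascan", "action", "excludeFromScan", {"regex": logout_regex(target_url, logout_path)})
    # Start the active scan from the chosen directory; the reply carries the scan id.
    return call("ascan", "action", "scan", {"url": target_url})["scan"]


if __name__ == "__main__":  # placeholders: replace with your own site and session
    print(activate_session_and_scan("example.com:80", "Session 0",
                                    "http://example.com/smoketest", "/logout"))
```

Watch the Active Scan tab afterwards: if the requests still come back 400/404, compare one of them in the History tab with the request your browser sent while logged in (cookies, headers, URL) to see what the scanner is missing.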

rath sarita

Sep 29, 2016, 6:13:28 AM
to zaprox...@googlegroups.com
Hi Simon,

Thank you for your reply.

I am trying the manual process, not the automated one.
I tried the steps you replied with above, but I am still getting the same error.
Can you please try at your end and check if you can.

Thank you.




--

Thank You.

Sarita Rath