Staging site with .htaccess, I cannot use Attack functionality. I got "failed to attack the url"


Ricardo Neira Oquenes

Sep 9, 2014, 10:03:21 AM
to zaprox...@googlegroups.com
Hi User Group,

I have to test my websites on staging, and I would like to use the attack functionality, but I got a failed error.

Could someone please tell me what I should do? If I remove .htaccess the tool works ok, but I cannot leave the site public.


Does someone know a turn-around for this?

Thanks,
Ricardo.

Simon Bennetts

Sep 9, 2014, 10:17:49 AM
to zaprox...@googlegroups.com
Hi Ricardo,

This is a networking issue rather than anything that is ZAP specific.
The machine you are running ZAP on needs to be able to access the target machine.
You could configure htaccess to just allow access to the ZAP machine, assuming you have a fixed IP address.
It looks like there are various online tools for generating such htaccess configuration, but I haven't tried any myself.

Cheers,

Simon
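As an added example (not part of the thread, and not ZAP project code) of the .htaccess approach Simon describes: keep the staging site behind Basic auth for everyone, but let one fixed scanner address through without credentials. The IP 203.0.113.10 and the password file path are assumed placeholders.

```apache
# Added example, not from the original thread.
# Assumed: the machine running ZAP has the fixed address 203.0.113.10 and
# the site's AllowOverride permits AuthConfig and Limit in .htaccess.
AuthType Basic
AuthName "Staging"
AuthUserFile /etc/apache2/.htpasswd-staging
Require valid-user

# Apache 2.2 syntax: deny by IP except the scanner, then accept a request
# that satisfies EITHER the IP rule OR the Basic-auth rule.
Order Deny,Allow
Deny from all
Allow from 203.0.113.10
Satisfy Any

# Apache 2.4 equivalent (use instead of the Order/Deny/Allow/Satisfy lines,
# and drop the bare "Require valid-user" above when using this form):
# <RequireAny>
#     Require ip 203.0.113.10
#     Require valid-user
# </RequireAny>
```

With this in place the scanner reaches the site as an unauthenticated client while everyone else is still prompted for credentials; keep the exemption to a single known address rather than a range. If the application behind it has its own login, ZAP still needs authentication configured in the Session Context to scan the authenticated pages.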

Jonathan Langevin

Sep 10, 2014, 4:39:11 PM
to zaprox...@googlegroups.com
Simon, I'm dealing with a similar issue, but it doesn't seem legit for ZAP to be unable to access the site, as it's possible to configure the authentication scheme used in the Session's Context, as well as the credentials to use. Yet even after doing so, I'm unable to run a scan...

If the Session Context settings don't address this scenario, what are they good for?

-Jon

Jonathan Langevin

Sep 10, 2014, 6:57:16 PM
to zaprox...@googlegroups.com
Found workaround. Configure a browser to use the ZAP proxy temporarily (localhost 8080), visit the target site. Once that's occurred, looks like session gets persisted via ZAP so that it can then attack/spider the site. At that point you can restore your proxy settings on your browser, and run your scan.

-Jon

Jon Langevin

Sep 10, 2014, 8:41:48 PM
to zaprox...@googlegroups.com
Correction, that may have helped, but upon exit-and-retry, it appears that having my Session Context settings set with my HTTP Auth user, domain, realm, etc, and then enabling “Forced User mode” in ZAP interface, does the trick...


Jon Langevin



Simon Bennetts

Sep 11, 2014, 4:51:45 AM
to zaprox...@googlegroups.com
Yes, I think Ricardo's problem was due to the fact his .htaccess settings were preventing ZAP (or any other tool) from accessing it from the machine he was running ZAP on.

Your problem sounds like it was an authentication issue, which it appears you've solved :)
The "Forced User mode" is the best way to handle authentication while spidering and scanning via the API right now, but in the future we should support specifying the user when invoking the scan via the API, as we do in the UI.

Simon