Where does the passive scan start in the example of the documentation?


Claudio

Jul 27, 2016, 6:35:55 AM7/27/16
to OWASP ZAP Developer Group
Hi all,
in the documentation of "zap-api-python" I find this example (https://github.com/zaproxy/zap-api-python/blob/master/doc/example.rst):

    ...
    zap = ZAPv2()
    zap.urlopen(target)
    scanid1 = zap.spider.scan(target)
    ...
    # Wait for passive scanning to complete
    while (int(zap.pscan.records_to_scan) > 0):
        print ('Records to passive scan : ' + zap.pscan.records_to_scan)
        time.sleep(2)
    ...
    print ('Passive scanning complete')
    scanid2 = zap.ascan.scan(target)
    alerts = zap.core.alerts()
    ....

In the second block of code it waits for the passive scan to complete, but I don't understand where this passive scan is started.
There is no "zap.pscan.scan(target)" command.
Is this an error?
And why are there both an active and a passive scan; aren't they alternatives?

Thank you very much

Claudio

psiinon

Jul 27, 2016, 7:54:28 AM7/27/16
to OWASP ZAP Developer Group
Hi Claudio,

Passive scanning occurs all of the time automatically; you don't start or stop it.
As requests are spidered and/or proxied through ZAP they get added to a queue - passive scanning happens in a background thread to prevent it from slowing proxying down too much.
The test in that script is looping until there are no more requests on the passive scan queue - passive scanning has only finished in the sense that there are currently no records to scan - if more requests were proxied through ZAP then they would be added to the queue and the passive scanning would 'start up' again.
The active and passive scan rules check for very different things and have very little overlap.
If you want to thoroughly test your application then we recommend you use both.

Cheers,

Simon

Claudio

Jul 27, 2016, 8:14:55 AM7/27/16
to OWASP ZAP Developer Group
Hi Simon,
thank you very much for your answer. Now things are clearer for me.
So I suppose that the tests executed by the passive and active scans are those I found in these objects:
zap.pscan.scanners
zap.ascan.scanners
Is it right?

I still have a doubt about this sentence: "they get added to a queue - passive scanning happens in a background thread".
If I launch the above script two times, with different targets, is the queue you are talking about the same, or is it shared?
I think there is a queue for each process, isn't there?

cld

psiinon

Jul 27, 2016, 8:24:41 AM7/27/16
to OWASP ZAP Developer Group
That's right.
For more details of the scan rules you can install see this FAQ: https://github.com/zaproxy/zaproxy/wiki/FAQzaptests

ZAP is currently single process, and if you launch multiple scripts against the same ZAP instance then the passive scan queue will be shared. ZAP doesn't know or care where the requests are coming from.
If you have multiple ZAP processes running on the same machine then they will remain completely independent.
At some point we will change ZAP so that it can run multiple processes to support ZaaS but I'd expect the desktop version to remain single process.

Cheers,

Simon

Claudio

Jul 27, 2016, 9:11:18 AM7/27/16
to OWASP ZAP Developer Group
Excuse me if I abuse your patience, but it is important that I understand this:

"ZAP is currently single process and if you launch multiple scripts against the same ZAP instance then the passive scan queue will be shared"

Ok, but if the passive scan queue is shared and I launch multiple scripts with different targets, are the results of each scan still consistent?
What about the active scan?

In brief, does it make sense to launch this code in parallel for multiple targets, with only one ZAP daemon running?
target1="..."
zap = ZAPv2()
zap.urlopen(target1)
scanid1 = zap.spider.scan(target1)
scanid2 = zap.ascan.scan(target1)
alerts = zap.core.alerts()


claudio

psiinon

Jul 27, 2016, 11:20:38 AM7/27/16
to OWASP ZAP Developer Group
Replies inline:

On Wednesday, 27 July 2016 15:11:18 UTC+2, Claudio wrote:
> Excuse me if I abuse your patience, but it is important that I understand this:

That's ok, they are all very sensible questions :)

> "ZAP is currently single process and if you launch multiple scripts against the same ZAP instance then the passive scan queue will be shared"
>
> Ok, but if the passive scan queue is shared and I launch multiple scripts with different targets, are the results of each scan still consistent?
> What about the active scan?

If you are attacking different targets then the alerts will not overlap, and so the scan results should still be consistent.
The caveat is that if you are waiting for the passive scan queue to empty and the scripts overlap (in time) then both scripts will probably end up waiting until they have both finished, as both scripts are essentially adding to the same queue.

> In brief, does it make sense to launch this code in parallel for multiple targets, with only one ZAP daemon running?
> target1="..."
> zap = ZAPv2()
> zap.urlopen(target1)
> scanid1 = zap.spider.scan(target1)
> scanid2 = zap.ascan.scan(target1)
> alerts = zap.core.alerts()

You need to wait until the spider scan has finished before starting the active scan, otherwise the latter may well not see all of the URLs the spider discovers.
Other than that, the problem is with the passive scan thread, as I mentioned above.

You can always launch multiple instances of ZAP.
You just need to use the -dir parameter to specify different directories and the -port flag to specify different ports.

Or you could use docker with different ZAP ports...

Cheers,

Simon
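The sequencing Simon describes (spider to completion, let the passive-scan queue drain, then active scan, then collect alerts for that target only) as an added example, not code from this thread or from the zap-api-python project. `scan_target` uses the real client's method names (`spider.scan`/`spider.status`, `pscan.records_to_scan`, `ascan.scan`/`ascan.status`, `core.alerts(baseurl=...)`); `FakeZAP` is a constructed stand-in for `zapv2.ZAPv2` that simulates one ZAP process and its single passive-scan queue so the control flow can be run offline. Against a real daemon you would pass `ZAPv2(apikey=..., proxies={'http': 'http://127.0.0.1:<port>', 'https': 'http://127.0.0.1:<port>'})` instead, one port per `-port`/`-dir` instance as the reply suggests.

```python
import time


def scan_target(zap, target, poll=2, sleep=time.sleep):
    """Spider `target`, wait for passive scanning to catch up, then active-scan it.

    `zap` is a zapv2.ZAPv2 client (or the constructed FakeZAP below).
    Returns the alerts ZAP holds for URLs under `target`.
    """
    zap.urlopen(target)
    spider_id = zap.spider.scan(target)
    # 1. The spider must finish first, or the active scan misses URLs it discovers.
    while int(zap.spider.status(spider_id)) < 100:
        sleep(poll)
    # 2. Passive scanning is never started explicitly: it drains a queue fed by
    #    spidering/proxying. The queue belongs to the ZAP process, so a second
    #    script against the same instance makes this loop wait for its records too.
    while int(zap.pscan.records_to_scan) > 0:
        sleep(poll)
    # 3. Active scan, polled to completion the same way.
    ascan_id = zap.ascan.scan(target)
    while int(zap.ascan.status(ascan_id)) < 100:
        sleep(poll)
    # Filter by base URL so two targets sharing one ZAP do not mix their alerts.
    return zap.core.alerts(baseurl=target)


# ---- Constructed stand-in for zapv2.ZAPv2 (not the real client) ----

class _Scanner:
    """Simulates spider/ascan: two status polls to reach 100%."""
    def __init__(self, zap, name):
        self.zap, self.name, self.progress = zap, name, {}

    def scan(self, url):
        sid = str(len(self.progress))
        self.progress[sid] = 0
        self.zap.log.append(self.name + '.scan')
        if self.name == 'spider':
            self.zap.pscan_queue += 2      # spidered requests feed the passive queue
        else:
            self.zap._alerts.append({'url': url, 'alert': 'Constructed finding', 'risk': 'Low'})
        return sid

    def status(self, sid):
        self.progress[sid] = min(100, self.progress[sid] + 50)
        if self.progress[sid] == 100:
            self.zap.log.append(self.name + '.done')
        return str(self.progress[sid])      # real API returns the percentage as a string


class _PScan:
    def __init__(self, zap):
        self.zap = zap

    @property
    def records_to_scan(self):
        n = self.zap.pscan_queue
        if n == 0:
            self.zap.log.append('pscan.empty')
        self.zap.pscan_queue = max(0, n - 1)   # background thread scans one record per poll
        return str(n)


class _Core:
    def __init__(self, zap):
        self.zap = zap

    def alerts(self, baseurl=None):
        return [a for a in self.zap._alerts if baseurl is None or a['url'].startswith(baseurl)]


class FakeZAP:
    """One simulated ZAP process: one shared passive-scan queue, one alert store."""
    def __init__(self):
        self.log, self.pscan_queue, self._alerts = [], 0, []
        self.spider = _Scanner(self, 'spider')
        self.ascan = _Scanner(self, 'ascan')
        self.pscan = _PScan(self)
        self.core = _Core(self)

    def urlopen(self, url):
        self.log.append('urlopen')
        self.pscan_queue += 1               # the proxied request is queued for passive scanning


if __name__ == '__main__':
    zap = FakeZAP()
    for alert in scan_target(zap, 'http://target-a.example', sleep=lambda s: None):
        print(alert)
    print(zap.log)
```

Running it prints the single constructed alert and the event order `urlopen, spider.scan, spider.done, pscan.empty, ascan.scan, ascan.done`, which is the ordering the reply asks for; the original snippet in the question would have produced `ascan.scan` right after `spider.scan`.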
