We are trying to generate an automated active scan report through Python.
The steps below were followed.
1. Record actions of UI in ZAP via proxy
2. Keep the session in zap and browser open.
3. Check the scan policy manager, check injections, all default settings kept as is which included XSS, SQL injections.
4. Run active scan via python by copying URL and access-key
5. Generate an html report
Expected: HTML report should show XSS, SQL among others
Actual: XSS and SQL injections are missed.
Some observations below:
1/ Python sample below: target is the URL, and before scanning we connect to ZAP via Python with the proxy
import time
from zapv2 import ZAPv2

# target, proxy and apiKey are set earlier in the script (copied from the ZAP UI)
zap = ZAPv2(apikey=apiKey, proxies={'http': proxy, 'https': proxy})
scanID = zap.ascan.scan(target)
while int(zap.ascan.status(scanID)) < 100:
    # Loop until the active scan has finished
    print('Records to active scan : ' + zap.ascan.status(scanID))
    time.sleep(2)
print('Active Scan completed')
2/ In the HTML report we see only the names below:
Columns: Name, Risk Level, Number of Instances
- Open Redirect (High)
- Content Security Policy (CSP) Header Not Set
- Missing Anti-clickjacking Header
- Vulnerable JS Library
- Application Error Disclosure
- Cookie No HttpOnly Flag
- Cookie Without Secure Flag
- Cookie with SameSite Attribute None
- Cookie without SameSite Attribute
- Information Disclosure - Debug Error Messages
- Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
- Server Leaks Version Information via "Server" HTTP Response Header Field
- Strict-Transport-Security Header Not Set
- Timestamp Disclosure - Unix
- X-AspNet-Version Response Header
- X-Content-Type-Options Header Missing
- Authentication Request Identified (Informational)
- Content-Type Header Missing (Informational)
- Cookie Poisoning (Informational)
- Information Disclosure - Sensitive Information in URL (Informational)
- Information Disclosure - Suspicious Comments (Informational)
- Loosely Scoped Cookie (Informational)
- Modern Web Application (Informational)
- Re-examine Cache-control Directives (Informational)
- Retrieved from Cache (Informational)
- Session Management Response Identified (Informational)
- User Agent Fuzzer (Informational)
- User Controllable HTML Element Attribute (Potential XSS)
Are we missing anything? Why are XSS and SQL injections not listed?
Thanks & Regards,
Sridatta
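Almost every alert in the report above comes from ZAP's passive scan rules, so the first thing to verify is that the injection rules are actually enabled in the policy the active scan uses, and then to count the findings per rule instead of reading names off the HTML report. The script below is an added example written for this thread, not code from the post or from the ZAP project. It assumes the JSON shapes returned by ZAP's ascan/view/scanners and core/view/alerts endpoints (lists of dicts with string values) and the rule IDs ZAP ships for its reflected XSS, persistent XSS and SQL injection scanners (40012, 40014, 40018). The sample responses are constructed so the checks run offline; the live path needs a running ZAP and the python-owasp-zap-v2.4 client.

```python
"""Audit ZAP active-scan policy coverage and count injection findings.

Added example for the thread above; not ZAP's own code. Rule IDs below are the
ones ZAP uses for its core injection scanners (assumption about current builds).
"""
import json

# ZAP rule (plugin) IDs for the injection scanners the report was expected to show.
INJECTION_RULES = {
    "40012": "Cross Site Scripting (Reflected)",
    "40014": "Cross Site Scripting (Persistent)",
    "40018": "SQL Injection",
}


def disabled_injection_rules(scanners):
    """Return {id: name} for injection rules that are disabled or absent in the policy.

    `scanners` is the list returned by ascan/view/scanners: each entry has 'id',
    'name' and 'enabled' ("true"/"false" as strings).
    """
    enabled = {s["id"]: str(s.get("enabled", "false")).lower() == "true" for s in scanners}
    return {rid: name for rid, name in INJECTION_RULES.items() if not enabled.get(rid, False)}


def count_alerts_by_plugin(alerts):
    """Group core/view/alerts rows by pluginId (one row per alert instance)."""
    counts = {}
    for a in alerts:
        pid = str(a["pluginId"])
        counts[pid] = counts.get(pid, 0) + 1
    return counts


def injection_findings(alerts):
    """Instance counts for the injection rules only; missing rules map to 0."""
    counts = count_alerts_by_plugin(alerts)
    return {rid: counts.get(rid, 0) for rid in INJECTION_RULES}


# Constructed sample in the shape of ascan/view/scanners; SQL Injection disabled on purpose.
SAMPLE_SCANNERS = json.loads("""[
  {"id": "40012", "name": "Cross Site Scripting (Reflected)", "enabled": "true", "policyId": "3"},
  {"id": "40014", "name": "Cross Site Scripting (Persistent)", "enabled": "true", "policyId": "3"},
  {"id": "40018", "name": "SQL Injection", "enabled": "false", "policyId": "3"}
]""")

# Constructed sample in the shape of core/view/alerts rows (pluginId 10020 is a passive rule).
SAMPLE_ALERTS = [
    {"pluginId": "10020", "alert": "Missing Anti-clickjacking Header", "risk": "Medium"},
    {"pluginId": "10020", "alert": "Missing Anti-clickjacking Header", "risk": "Medium"},
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High"},
]


def run_against_live_zap(target, api_key, proxy="http://127.0.0.1:8080", policy=None):
    """Same checks against a running ZAP (needs python-owasp-zap-v2.4).

    `policy` is the scan policy name from the Scan Policy Manager; None means
    ZAP's default policy, which is what zap.ascan.scan(target) uses implicitly.
    """
    import time
    from zapv2 import ZAPv2  # imported here so the offline part of this file runs without it

    zap = ZAPv2(apikey=api_key, proxies={"http": proxy, "https": proxy})
    missing = disabled_injection_rules(zap.ascan.scanners(scanpolicyname=policy))
    if missing:
        return {"disabled_rules": missing, "findings": None}
    scan_id = zap.ascan.scan(target, scanpolicyname=policy)
    while int(zap.ascan.status(scan_id)) < 100:
        time.sleep(2)
    return {"disabled_rules": {}, "findings": injection_findings(zap.core.alerts(baseurl=target))}


if __name__ == "__main__":
    print("disabled injection rules:", disabled_injection_rules(SAMPLE_SCANNERS))
    print("injection findings:", injection_findings(SAMPLE_ALERTS))
```

Run the offline part as-is to see the two checks on the constructed data; against a live ZAP, call `run_against_live_zap(target, apiKey)` and look at `disabled_rules` before trusting a report: if an injection rule is disabled in the policy the scan used, no amount of re-running or re-generating the HTML will make it appear. Passing the policy name explicitly to both `scanners()` and `scan()` keeps the audit and the scan on the same policy, which is easy to get wrong when a custom policy was edited in the UI but the script still scans with the default one.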