Scan tab UI changes

psiinon

Sep 2, 2014, 6:56:59 AM
to zaproxy...@googlegroups.com

I'd like to make some changes to the 'scan' tabs for 2.4.0, which include the Active Scan, Spider and Forced Browse tabs.

The first pic shows the current Active Scan tab.
The main problem is that it only allows you to start a scan of a full site. To scan contexts, subtrees and URLs you have to use the right click menus. It's also not _that_ obvious how to start a new scan.

The second pic is a mockup of how it could appear.
The changes are:
  • The 'Scan policy...' button is moved to the far left
  • The 'New Scan' button replaces the 'Start Active Scan' button and will bring up a dialog, probably based on the 'Advanced Scan' dialog (more on that later;)
  • The 'Progress' pulldown just shows a list of the Contexts / Sites / Urls that have been or are being scanned, probably displayed like:
  • The 'Current Scans' count is dropped (as it's also in the footer)

The intention is to make it easier to start any sort of scan from this toolbar, and to separate the concepts of starting a scan and getting the progress / results of existing scans.

I've got a set of related changes planned, but I don't want to divert attention from the UI changes, which always tend to be the most controversial things!

Feedback asap please!

Simon

kingthorin+owaspzap

Sep 2, 2014, 7:39:38 AM
to zaproxy...@googlegroups.com
I like the idea.

Here's my two cents:
  1. The drop down isn't "progress" it's more like "target" or 'scanee'....
  2. If the items in the drop down have or are being scanned then how/when do you define what the target of a scan is? (i.e.: how are things added to that list?) [Will that be in the "New Scan" dialog? Is that only done via the site tree/history context menus?] I guess I'm kind of wondering what the workflow is...
  3. The mock up doesn't seem to have a start/play button...
  4. I know you said it's a mockup but I can't help myself. The mocked up shot says "are are being", I think you wanted "or are being".

psiinon

Sep 2, 2014, 7:40:47 AM
to zaproxy...@googlegroups.com

So here's a mockup of how the "New Scan" dialog _could_ look.
There are only 2 changes from the current Advanced Active Scan dialog:
  • The 'Select Node' popup shows Contexts and allows you to select them.
  • By default all of the tabs would be disabled until you check the 'Advanced' option.

Other changes could include choosing the policy from a pull down list of known policies.

Is this too complex?

Any other feedback?

Cheers,

Simon

kingthorin+owaspzap

Sep 2, 2014, 7:42:28 AM
to zaproxy...@googlegroups.com
Of course I think of one more thing as soon as I hit "Post".

5. For my 2cents I'd rather see the active scan count in this area than the number of requests. So I'd suggest moving the "Num requests:" to the footer while keeping the "Current scans:" up by the progress meter.

psiinon

Sep 2, 2014, 7:42:31 AM
to zaproxy...@googlegroups.com
Ha!
You just beat me to it ;)

Does the dialog mockup I've just posted make it any clearer?

kingthorin+owaspzap

Sep 2, 2014, 7:47:06 AM
to zaproxy...@googlegroups.com
The "New Scan" dialog mock up looks good too.

My only question is would we somehow allow multi-select in this dialog? If we do would we just create a new context based on that? i.e.: say I control+click 'test' and 'www.google.co.uk' would we then pop up another dialog like "New Context" and allow the user to input a name for a context which represents those two items?

kingthorin+owaspzap

Sep 2, 2014, 7:47:48 AM
to zaproxy...@googlegroups.com
Ya that knocks #2 off my list.

psiinon

Sep 2, 2014, 7:50:55 AM
to zaproxy...@googlegroups.com
The 'Number of Requests' is currently associated with the scan selected, so it can't be moved to the footer as is. We could make it the total requests for all scans and move it there, but I don't think that's very useful :(
I was trying to reduce the amount of info displayed in the toolbar, as I'm aware some people don't have huge monitors, but if people want that there as well..

psiinon

Sep 2, 2014, 7:59:15 AM
to zaproxy...@googlegroups.com
That's a start then :)

1. Yeah, I'm not convinced about 'Progress', but 'Target' and 'Scanee' don't seem to work either :/
It's the way people can get the progress of existing scans and previous results.
Any other suggestions?

2. Addressed :)

3. Hopefully also addressed - the 'New Scan' dialog brings up the 'Active Scan' dialog which has a 'Start Scan' button.

4. Yeah, ok, but that text won't be in the 'working' version as it will be a list of current / previous scans ;)

psiinon

Sep 2, 2014, 8:05:12 AM
to zaproxy...@googlegroups.com
Maybe "Current Scans:" or even just "Scans:" ?

Or ... "X Active Scans: [ pulldown]" where X is the number of active scans?
Although the pulldown will list the inactive ones as well :/

kingthorin+owaspzap

Sep 2, 2014, 10:41:21 AM
to zaproxy...@googlegroups.com
I'd go with just generic "Scans:". Perhaps we could also group the drop down completed and underway or something.


> The 'Number of Requests' is currently associated with the scan selected, so it can't be moved to the footer as is. We could make it the total requests for all scans and move it there, but I don't think that's very useful :(
> I was trying to reduce the amount of info displayed in the toolbar, as I'm aware some people don't have huge monitors, but if people want that there as well..

Based on this I'd say stick with your original plan.

psiinon

Sep 3, 2014, 5:36:25 AM
to zaproxy...@googlegroups.com
Right now it won't support multi-select.
We _could_ support the creation of Contexts this way, but I'm a bit concerned about the 'stack' of popups:
  • Active Scan Dialog
    • Select Node Dialog
      • New Context Dialog

Or do people think that's ok?

However ... (thinking as I type) ...

Not that many users seem to make use of Contexts, possibly due to the fact they are only accessible via Right Click menus.

We could introduce a "New Context" dialog which can be invoked from the Select Node dialog, the toolbar, the top-level menu, which allows you to create (and edit?) contexts.

We'd probably need to use the "Select Node" dialog so would have to be sure we can't get into 'UI loops' ;)

I've also wondered about a 'Contexts' tab next to the 'Sites' tab - that could be another place for a 'new Context' button.

Just a thought..

psiinon

Oct 24, 2014, 9:46:41 AM
to zaproxy...@googlegroups.com
I've checked in the first set of changes to support this enhancement.

It won't look like a huge change, but there are actually a lot of changes underneath the covers ;)
One advantage of the restructuring is that the UI for Active Scans now reflects actions performed by the API, so you can see scans started by the API, pause, resume and stop them.

The 'New Scan' button launches the 'Advanced Active Scan' dialog - not sure if that's too complex for beginners?
Should we start with a simpler dialog and have an option to switch to the advanced one?

Note that the code doesn't support scanning contexts or everything in scope yet - that's one of the next sets of changes I want to make.
I also want to change the other scan tabs (both spiders, brute force, port scan..) to follow the same format.

All feedback appreciated, and let me know asap if you hit any problems with it.


Simon

psiinon

Oct 27, 2014, 6:19:01 AM
to zaproxy...@googlegroups.com
I've just checked in the change to support active scanning of contexts and 'everything in scope'.
Just in time for the weekly release ;)

psiinon

Oct 31, 2014, 12:52:30 PM
to zaproxy...@googlegroups.com
I've now changed the Spider tab as well.
As part of these changes there is only 1 right click option for each of scanning and spidering: "Active Scan..." and "Spider..."
These bring up the respective dialogs, so act in exactly the same way as the 'New Scan' buttons.
Both dialogs have one 'basic' pane which includes a checkbox "Show advanced options" - if you select that then 1 or more 'advanced' tabs are shown.

Have a play and let me know what you think :)

kingthorin+owaspzap

Nov 4, 2014, 9:32:59 PM
to zaproxy...@googlegroups.com
For the "Input Vectors" tab would it be possible to add a "All On"/"All Off" checkbox along with the two headings?

That could make the user experience better under certain circumstances.


inp_vec.png

kingthorin+owaspzap

Nov 4, 2014, 9:35:04 PM
to zaproxy...@googlegroups.com
Also if you just go to the Active Scan tab and hit "New Scan" it would be nice if you could paste a URL instead of being forced to use the Select button.......hmmm now that I've typed that I kind of feel like you may have already mentioned something about that, but I can't put my finger on it.

psiinon

Nov 7, 2014, 8:05:33 AM
to zaproxy...@googlegroups.com
I like this idea :)

psiinon

Nov 7, 2014, 8:07:37 AM
to zaproxy...@googlegroups.com
Could do.
But as this is just for active scanning then if ZAP doesn't know about the url then we'll have to show an error.
We allow it in the Quick Start attack field because that does a spider first.
Note that if you use the right click attack menu then the node is put in for you..

Simon

kingthorin+owaspzap

Nov 7, 2014, 10:01:35 AM
to zaproxy...@googlegroups.com
Ok, that seems fair.

psiinon

Nov 11, 2014, 8:37:11 AM
to zaproxy...@googlegroups.com
Now implemented :)