Attack mode


psiinon

Sep 23, 2014, 6:06:25 AM9/23/14
to zaproxy...@googlegroups.com
I've just added a new mode to ZAP - attack mode :)
In this mode ZAP will automatically active scan all new nodes that are in scope as they are discovered.
This could be via proxied requests or either of the spiders.
So it won't actually do anything unless you define one or more contexts that are in scope.
There's a new thread that gets notified of all new nodes added to the Sites tree, and if they are in scope then it adds them to a queue of nodes to be attacked.
There's also a footer count which shows you how many nodes are in the queue.

There are a couple of relevant options (which do have some help text ;)) but I won't explain them now - if they don't make sense then let me know and I'll see if I can make them clearer.
One of them uses a new dialog that allows you to get ZAP to remember your decision and not be prompted again, so that's also available for other code to use.

Right now it will just use the 'default' scan profile.
However I'm also working on improving the scan profiles, and will introduce a new 'attack scan profile' which will be used for this mode.
This will allow you to tweak exactly what rules get run in this mode independently of the rules that get run at any other time.

At the moment it's just labelled as "ATTACK mode" - I'm wondering if we should make it even more obvious, e.g. by adding a 'flashing light' animated gif, or changing the background or ???

Any questions or issues then let me know..

Simon
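
To make the scope gate in the post above concrete, here is an added Python model of the described behaviour; it is not ZAP's own (Java) code. A `Context` here is a simplified stand-in for a ZAP context (a named list of include/exclude URL regexes plus an "in scope" flag), an `AttackModeQueue` plays the part of the new thread that is notified of nodes added to the Sites tree and only queues the in-scope ones, and `pending()` is the number the footer counter would show. All context names, URLs and the `in_scope` values are constructed for the example.

```python
import re
from collections import deque


class Context:
    """Hypothetical, simplified model of a ZAP context: include/exclude
    URL regexes plus a flag saying whether the context is in scope."""

    def __init__(self, name, include, exclude=(), in_scope=True):
        self.name = name
        self.include = [re.compile(p) for p in include]
        self.exclude = [re.compile(p) for p in exclude]
        self.in_scope = in_scope

    def contains(self, url):
        # Exclusions win over inclusions.
        if any(r.match(url) for r in self.exclude):
            return False
        return any(r.match(url) for r in self.include)


class AttackModeQueue:
    """Listener for 'node added to the Sites tree' events.
    Queues a node for active scanning only when attack mode is on
    and the node falls inside at least one in-scope context."""

    def __init__(self, contexts, enabled=False):
        self.contexts = list(contexts)
        self.enabled = enabled
        self.queue = deque()   # nodes waiting to be attacked
        self.skipped = []      # nodes seen but deliberately left alone

    def is_in_scope(self, url):
        return any(c.in_scope and c.contains(url) for c in self.contexts)

    def on_node_added(self, url):
        """Return True if the node was queued for attack."""
        if self.enabled and self.is_in_scope(url):
            self.queue.append(url)
            return True
        self.skipped.append(url)
        return False

    def pending(self):
        # What the footer count would display.
        return len(self.queue)

    def next_target(self):
        return self.queue.popleft() if self.queue else None


def simulate(contexts, discovered, attack_mode=True):
    """Feed discovered nodes through the gate; return (queued, skipped)."""
    q = AttackModeQueue(contexts, enabled=attack_mode)
    for url in discovered:
        q.on_node_added(url)
    return list(q.queue), list(q.skipped)


# Constructed sample: one context the tester has put in scope (with a
# logout exclusion so the session is not killed mid-scan), one context
# that is defined but left out of scope, and a third-party CDN host that
# belongs to no context at all.
CONTEXTS = [
    Context("target-app",
            include=[r"https://app\.example\.test/.*"],
            exclude=[r"https://app\.example\.test/logout.*"]),
    Context("intranet",
            include=[r"https://intranet\.example\.test/.*"],
            in_scope=False),
]
DISCOVERED = [
    "https://app.example.test/login",
    "https://app.example.test/logout",
    "https://intranet.example.test/admin",
    "https://cdn.thirdparty.test/lib.js",
]

if __name__ == "__main__":
    queued, skipped = simulate(CONTEXTS, DISCOVERED)
    print("queued :", queued)
    print("skipped:", skipped)
```

Only the `/login` node ends up in the queue: the logout URL is excluded, the intranet context is defined but not in scope, and the CDN host matches nothing. With no contexts at all, or with attack mode switched off, nothing is queued, which is the property that addresses the "scanning things you don't have permission to scan" concern raised later in the thread.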

Colm O'Flaherty

Sep 23, 2014, 6:26:51 AM9/23/14
to zaproxy...@googlegroups.com
I like it :)  I must have a play.  I'd be slightly concerned that this could cause users to be inadvertently scanning things they don't mean to scan, or things which they don't have permission to scan..  I haven't seen how this works yet, so maybe this isn't an issue though.

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP Developer Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-devel...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

psiinon

Sep 23, 2014, 6:29:58 AM9/23/14
to zaproxy...@googlegroups.com, colm.p.o...@gmail.com
It will only attack nodes that you have defined as being 'in scope'.
But I agree it's still a concern, hence my question about 'flashing lights' ;)

kingthorin+owaspzap

Sep 23, 2014, 9:44:32 AM9/23/14
to zaproxy...@googlegroups.com, colm.p.o...@gmail.com
Could we add a small animated GIF to the site tree to indicate which component is currently being scanned. Perhaps with reduced opacity at the trunk branch but fully visible at the active leaf? i.e.: So that it's still indicated whether things are expanded or collapsed..

psiinon

Sep 24, 2014, 4:18:40 AM9/24/14
to zaproxy...@googlegroups.com, colm.p.o...@gmail.com
Hadn't thought of using the Sites tree - that's a good suggestion.
Not sure how easy it will be to handle collapsed branches, but maybe we don't need to, as the user can always expand them if they want?

kingthorin+owaspzap

Sep 24, 2014, 6:04:51 AM9/24/14
to zaproxy...@googlegroups.com, colm.p.o...@gmail.com
I encounter this issue with other tools all the time. In particular I'm thinking of IBM AppScan and exclusions. It doesn't take much of a site to generate a big/complex tree; if you can't see at upper (collapsed) levels where something is going on (being attacked or is excluded) it's a pain to have to navigate a big tree to find it or expand the whole thing and scroll all around.... my 2 cents.

psiinon

Sep 24, 2014, 6:10:43 AM9/24/14
to zaproxy...@googlegroups.com, colm.p.o...@gmail.com
Good point.
I've started playing with icons in the Sites tree and it's shown up a load of issues with my initial implementation :/
I'll fix those and commit the Sites tree icons when they are working.
And I'll see what I can do with collapsed trees as well :)

thc...@gmail.com

Sep 24, 2014, 6:16:10 AM9/24/14
to zaproxy...@googlegroups.com
Hi.

Might the add-on "TreeTools" help a bit with that?

Best regards.

psiinon

Sep 24, 2014, 11:42:22 AM9/24/14
to zaproxy...@googlegroups.com, colm.p.o...@gmail.com
I've just committed some fixes, and now flag the nodes being scanned in the Sites tree.
Not done anything with the parent nodes yet, but that's on the list..