Passive scanner doesn't run when doing Active Scan


Klaus Oswald

Sep 11, 2022, 17:07:49
to OWASP ZAP User Group
Hello,

I'm new to creating my own script and as I was trying it on a website, I noticed that after running the script, the passive scan did not run.

Is this normal? How can I make the passive scan run on my Active scan traffic?

Thank you

Klaus Oswald

Sep 11, 2022, 17:11:21
to OWASP ZAP User Group
Additional Context on what I was doing.

I've noticed that the site has a Cross-Domain Misconfiguration Alert passive rule, so I deleted the alert and ran my python script. After the script finished its task, the passive scan did not alert the Cross-Domain Misconfiguration, although I can see it in the response.

kingthorin+owaspzap

Sep 11, 2022, 18:27:32
to OWASP ZAP User Group
> I'm new to creating my own script and as I was trying it on a website

Your own script for what? The post seems to suggest either a passive or active scan rule, but maybe not.... Really not clear.

So there's a bunch of things here.

First, yes passive != active. As you can learn any number of places (the Getting Started guide, ZAP's help, numerous blogs etc.) passive scan rules (and scripts) run on Proxied and Spidered traffic (optionally on Fuzzed traffic).
Active scan scripts run during .... you guessed it .... Active Scan.

Neither of those script types is user runnable, which makes your second post very confusing. "... so I deleted the alert and run my python script "

Maybe you meant a CI or automation script all along, but we have no idea. Anyway, the answer to your question "Is this normal?" seems to be yes, based on certain assumptions.

thc...@gmail.com

Sep 12, 2022, 04:37:21
to zaprox...@googlegroups.com
Worth noting that passive script scan rules (and Java for that matter)
can opt in to scan any history type, not just proxied/spidered.

Best regards.

On 11/09/2022 23:27, kingthorin+owaspzap wrote:
>> *I'm new to creating my own script and as I was trying it on a website *
>
> Your own script for what? The posts seems to suggest either a passive or
> active scan rule, but maybe not.... Really not clear.
>
> So there's a bunch of things here.
>
> First, yes passive != active. As you can learn any number of places (the
> Getting Started guide, ZAP's help, numerous blogs etc.) passive scan rules
> (and scripts) run on Proxied and Spidered traffic (optionally on Fuzzed
> traffic).
> Active scan scripts run during .... you guessed it .... Active Scan.
>
> Neither of those script types are user runnable, which makes your second
> post very confusing. "*... so I deleted the alert and run my python script *
> "
>
> Maybe you meant a ci or automation script all along, but we have no idea.
> Anyway the answer to your question "*Is this normal?*" seems to be yes,
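
The opt-in thc describes, as an added example that is not part of the thread and not ZAP's own code: a Jython passive script rule that accepts active-scanner traffic as well as proxied and spidered traffic. The `scan(ps, msg, src)` hook, the 13-argument `ps.raiseAlert(...)` call and the optional `appliesToHistoryType(histType)` hook are assumed from ZAP's passive script template; `HistoryReference.TYPE_PROXIED`, `TYPE_SPIDER` and `TYPE_SCANNER` are assumed constants of that class, and `getHeader()` is assumed to look the header up case-insensitively.

```python
# Added example, not from the thread: a ZAP passive script rule (Jython) that
# opts in to scanning active-scanner traffic via appliesToHistoryType().
# Hook names and the raiseAlert() signature are assumed from ZAP's passive
# script template; the HistoryReference.TYPE_* names are assumed constants.

# History types this rule accepts. Stock passive rules stop at the first two;
# TYPE_SCANNER is the active scanner's traffic, which is the opt-in.
ACCEPTED_TYPE_NAMES = ("TYPE_PROXIED", "TYPE_SPIDER", "TYPE_SCANNER")


def accepted_history_types(hr):
    """Resolve the accepted type names against a HistoryReference-like class.
    Kept pure so the policy can be exercised outside ZAP with a stand-in."""
    return set(getattr(hr, name) for name in ACCEPTED_TYPE_NAMES)


def should_scan(hist_type, hr):
    """True when a message of this history type should reach scan()."""
    return hist_type in accepted_history_types(hr)


def appliesToHistoryType(histType):
    # ZAP consults this before handing a message to scan(); without it the
    # rule inherits the default of proxied and spidered traffic only.
    from org.parosproxy.paros.model import HistoryReference
    return should_scan(histType, HistoryReference)


def scan(ps, msg, src):
    # Passive rules never send requests; they only inspect what is already
    # in the history. Header lookup assumed case-insensitive in ZAP.
    acao = msg.getResponseHeader().getHeader("Access-Control-Allow-Origin")
    if acao is not None and acao.strip() == "*":
        # raiseAlert(risk, confidence, name, description, uri, param, attack,
        #            otherInfo, solution, evidence, cweId, wascId, msg)
        # risk/confidence 2 = medium; CWE/WASC ids left at 0 (not set).
        ps.raiseAlert(2, 2, "Cross-Domain Misconfiguration (script)",
                      "Any origin may read this response.",
                      msg.getRequestHeader().getURI().toString(),
                      "", "", "",
                      "Restrict Access-Control-Allow-Origin to trusted origins.",
                      "Access-Control-Allow-Origin: *", 0, 0, msg)
```

Passive rules run against every message that matches the accepted types, so widening them to scanner traffic has the cost kingthorin mentions: every active-scan request and response now also goes through this rule.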

Klaus Oswald

Sep 12, 2022, 06:27:11
to OWASP ZAP User Group
Hello kingthorin,

Yeah, I've noticed that my question was somewhat vague.

What I meant was that I created an active scan script using Jython. After I created the active scan script, I tried to test it by running it on a test website. The script itself does not contain the raiseAlert() function, so it won't raise an alert; rather, it was created to modify the parameter as well as the HTTP method.

My question was that the response I got from running the Active scan did not trigger the passive scan rules. The response contains a header called allow-access-control-origin: *, which should have triggered the passive rule (Cross-Domain Misconfiguration), so I was wondering whether this was normal and was hoping to find out how to run the passive scan rules on my active scan responses.

kingthorin+owaspzap

Sep 12, 2022, 14:08:18
to OWASP ZAP User Group
For performance reasons passive scan rules don't run against active scan traffic.

kingthorin+owaspzap

Sep 13, 2022, 02:35:10
to OWASP ZAP User Group
If you've created an Active Scan rule you can (and should) analyze the response after you've sent your manipulated request in order to raise an Alert (assuming the vulnerable condition is encountered).
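
What that looks like in practice, as an added example that is neither the poster's script nor ZAP's own code: a Jython active scan script that sends a manipulated request and then checks the response for the wildcard CORS header itself, since passive rules will not see active-scan traffic. The `scanNode`/`scan` hooks, `cloneRequest()`, `setParam()`, `sendAndReceive()` and the 13-argument `sas.raiseAlert(...)` call are assumed from ZAP's active script template, `sas.isStop()` is an assumed stop check, and the attack value is a constructed placeholder; the header name used is the standard `Access-Control-Allow-Origin`.

```python
# Added example, not the poster's script: a ZAP active scan script (Jython)
# that inspects the response to its own manipulated request and raises the
# alert a passive rule would otherwise have raised. Hook names and the
# raiseAlert() signature are assumed from ZAP's active script template.

ATTACK_VALUE = "ZAP-probe"   # constructed placeholder; use the rule's real test value


def cors_wildcard_evidence(acao_value):
    """Pure check, usable outside ZAP: return the evidence string when the
    response lets any origin read it, otherwise None."""
    if acao_value is None:
        return None
    if acao_value.strip() == "*":
        return "Access-Control-Allow-Origin: " + acao_value.strip()
    return None


def scanNode(sas, msg):
    # Called once per node; this rule only needs the per-parameter hook.
    pass


def scan(sas, msg, param, value):
    # Called for every parameter of every node in scope.
    if sas.isStop():               # assumed: honour the user pressing Stop
        return
    msg = msg.cloneRequest()       # never mutate the message ZAP handed in
    sas.setParam(msg, param, ATTACK_VALUE)
    # sendAndReceive(msg, followRedirect, handleAntiCSRFtoken); a transport
    # error raises an exception that ZAP logs for the script.
    sas.sendAndReceive(msg, False, False)

    # The passive scanner does not run on this traffic, so check it here.
    acao = msg.getResponseHeader().getHeader("Access-Control-Allow-Origin")
    evidence = cors_wildcard_evidence(acao)
    if evidence is not None:
        # raiseAlert(risk, confidence, name, description, uri, param, attack,
        #            otherInfo, solution, evidence, cweId, wascId, msg)
        # risk/confidence 2 = medium; CWE/WASC ids left at 0 (not set).
        sas.raiseAlert(2, 2, "Cross-Domain Misconfiguration (active)",
                       "The response to the manipulated request allows any origin to read it.",
                       msg.getRequestHeader().getURI().toString(),
                       param, ATTACK_VALUE, "",
                       "Restrict Access-Control-Allow-Origin to trusted origins.",
                       evidence, 0, 0, msg)
```

Keeping the header check in a plain function separates the detection logic from the ZAP plumbing, so the part that decides whether to alert can be tested without a running proxy.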

Klaus Oswald

Sep 13, 2022, 04:49:17
to OWASP ZAP User Group
Yeah, sadly I think that's the only way I can raise an alert. I was hoping not to code my own alert and just use the passive scanner to reduce redundancy.

Thank you kingthorin, I appreciate your help.