ZAP User Group
ZAP Automation excludePaths
Floodeen Tom
Jul 26, 2022, 11:40:52 AM
I have these excludePaths in my yaml file:
excludePaths:
- "https://accounts.google.com.*"
- "https://optimizationguide-pa.googleapis.com.*"
- "https://update.googleapis.com.*"
- "https://www.java.com.*"
Yet when the report runs after the scans, it states this:
Sites
The following sites were included:
https://optimizationguide-pa.googleapis.com
https://www.java.com
https://accounts.google.com
How do I get these sites to not show up in the report when running in automation?
Thanks,
-Tom
Simon Bennetts
Jul 26, 2022, 11:42:55 AM
Hiya Tom,
Which report are you using?
Are there any alerts from those sites actually included in the report?
Cheers,
Simon
Aakash Gupta
Jul 26, 2022, 11:47:51 AM
Did you update the yaml file directly or via the UI? You may not be exporting the context after excluding certain URLs.
Floodeen Tom
Jul 26, 2022, 12:35:28 PM
Below is the report section of my yaml file. It looks like risk-confidence-html is used. I don't actually see any alerts from these sites.
I added the excludes to the context in the GUI before creating the Automation script. They were then saved in the contexts section of the yaml file.
env:
  contexts:
  - name: "TestAutomation"
    urls:
    - "http://myurl.mentorg.com:8080"
    includePaths:
    - "http://myurl.mentorg.com:8080.*"
    excludePaths:
    - "https://accounts.google.com.*"
    - "https://optimizationguide-pa.googleapis.com.*"
    - "https://update.googleapis.com.*"
    - "https://www.java.com.*"
    authentication:
      method: "script"
      parameters:
        script: "C:\\Users\\username\\OWASP ZAP\\scripts\\scripts\\authentication\\ZEST_KRB_Auth.zst"
        scriptEngine: "Mozilla Zest"
        LoginURL: "http://myurl.mentorg.com:8080/SecAuth"
      verification:
        method: "response"
        pollFrequency: 60
        pollUnits: "requests"
        pollUrl: ""
        pollPostData: ""
    sessionManagement:
      method: "cookie"
      parameters: {}
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
  vars: {}
jobs:
- parameters:
    template: "risk-confidence-html"
    theme: "original"
    reportDir: "C:\\Tools\\OWASP_ZAP\\reports"
    reportFile: ""
    reportTitle: "Server ZAP Scanning Report"
    reportDescription: ""
    displayReport: false
  risks:
  - "info"
  - "low"
  - "medium"
  - "high"
  confidences:
  - "falsepositive"
  - "low"
  - "medium"
  - "high"
  - "confirmed"
  sections:
  - "siteRiskCounts"
  - "responseBody"
  - "appendix"
  - "alertTypes"
  - "responseHeader"
  - "alertTypeCounts"
  - "riskConfidenceCounts"
  - "alerts"
  - "aboutThisReport"
  - "contents"
  - "requestBody"
  - "reportDescription"
  - "reportParameters"
  - "requestHeader"
  - "summaries"
  name: "report"
  type: "report"