Do I need/can configure Passive Scan Rules for AjaxSpider?


JWeb Dev

Mar 11, 2023, 7:39:17 AM3/11/23
to OWASP ZAP User Group
Hello OWASP Community, 

I've been reading the documentation for hours now and trying to figure it out.

Please tell me. If I want to run an AjaxSpider. Do I need to set "passive scan rules"? Do they have any effect on AjaxSpider scanning?

In the simple spider scanning I did like this: api.pscan.enableScanners(ids)

Do I also need to enable passive scan rules before running AjaxSpider? Hope my question is clear.

Thanks!

thc...@gmail.com

Mar 11, 2023, 8:21:36 AM3/11/23
to zaprox...@googlegroups.com
Hi.

The passive scan happens by default you don't need to do extra
configurations for the messages of the standard spider and AJAX Spider
to be passive scanned:
https://www.zaproxy.org/docs/desktop/start/features/pscan/

The rules are enabled by default too.

Best regards.

On 11/03/2023 12:39, JWeb Dev wrote:
> Hello OWASP Community,
>
> I've been reading the documentation for hours now and trying to figure it
> out.
>
> Please tell me. If I want to run an AjaxSpider. Do I need to set "passive
> scan rules"? Do they have any effect on AjaxSpider scanning?
>
> In the simple spider scanning I did like this.
> *api.pscan.enableScanners(ids)*.

JWeb Dev

Mar 11, 2023, 8:57:15 AM3/11/23
to OWASP ZAP User Group
Hi thc202,
I don't need all the passive scanners. I want to disable some. Did I understand you correctly that if I configure them in the same way as I did in the passive scanner, they will have an impact?

Thanks

Muhammad Zubair

Mar 13, 2023, 2:13:36 AM3/13/23
to OWASP ZAP User Group
If you want to run an AjaxSpider with ZAP (Zed Attack Proxy), you do not need to explicitly set "passive scan rules" before running the AjaxSpider.

Passive scan rules are enabled by default in ZAP, and they will automatically be applied to the requests generated by the AjaxSpider. Therefore, you do not need to take any additional steps to enable passive scan rules specifically for AjaxSpider scanning.

However, you can customize which passive scan rules are applied by modifying the "Scan Policy" in the ZAP options. The Scan Policy allows you to enable or disable specific passive scan rules, so you can tailor the scanning to your specific needs.

To run an AjaxSpider in ZAP, you can use the following code:

# Import the ZAP API client
from zapv2 import ZAPv2

# Create a ZAP API client
zap = ZAPv2()

# Start the AjaxSpider
zap.ajaxSpider.scan('http://example.com')

This will start the AjaxSpider scanning the specified target URL. If you want to enable specific scanners during the AjaxSpider scan, you can use the api.pscan.enableScanners(ids) method that you mentioned in your question. However, as mentioned above, you do not need to enable passive scan rules specifically for AjaxSpider scanning, as they are enabled by default.

JWeb Dev

Mar 13, 2023, 3:21:54 AM3/13/23
to OWASP ZAP User Group
Hi, thanks for a good explanation. This is exactly what I want to understand. I seem to understand. The fact is that I want to configure which passive scan rules to use when scanning with AjaxSpider. I'm using the API, and it's better for me if I set the rules that I myself will mark, and not use different policies. Thank you!

Muhammad Zubair

Mar 13, 2023, 4:01:10 AM3/13/23
to OWASP ZAP User Group
Keep smiling 

thc...@gmail.com

Mar 13, 2023, 7:14:01 AM3/13/23
to zaprox...@googlegroups.com
You should call `disableAllScanners` before calling `enableScanners`;
the one you mentioned only enables the specified ones, it does not
automatically disable the others.

https://www.zaproxy.org/docs/api/#pscanactiondisableallscanners

Best regards.
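
An added example (not code from the thread or from the ZAP project) of the sequence described above: disable all passive rules, enable only the chosen ids, run the AJAX Spider, and wait for the passive-scan backlog to drain before reading alerts. It uses the method names of the Python zapv2 client (disable_all_scanners, enable_scanners, scanners, records_to_scan, ajaxSpider.scan/status, core.alerts); the FakeZap class, its rule ids and its alert are constructed so the flow runs offline, and a live run would pass a zapv2.ZAPv2 instance instead.

```python
import time

def select_passive_rules(zap, wanted_ids):
    """Enable only the passive scan rules in wanted_ids and return what ZAP reports enabled.
    enable_scanners alone adds to what is already enabled, so everything is disabled first."""
    zap.pscan.disable_all_scanners()
    zap.pscan.enable_scanners(",".join(str(i) for i in wanted_ids))
    # the pscan/view/scanners view returns 'enabled' as the string "true"/"false"
    return sorted(s["id"] for s in zap.pscan.scanners if s["enabled"] == "true")

def run_ajax_spider(zap, target, poll_seconds=2):
    """Start the AJAX Spider, wait for it to stop, then wait for the passive scan backlog.
    Passive scanning is asynchronous: crawled messages queue up until scanned, so alert
    results are only complete once records_to_scan reaches 0. Returns the alert count."""
    zap.ajaxSpider.scan(target)
    while zap.ajaxSpider.status == "running":
        time.sleep(poll_seconds)
    while int(zap.pscan.records_to_scan) > 0:
        time.sleep(poll_seconds)
    return len(zap.core.alerts(baseurl=target))

class FakeZap:
    """Constructed offline stand-in for the few zapv2 calls used above (not the real client).
    For a live run use zapv2.ZAPv2(apikey=...) pointed at a running ZAP instead."""
    def __init__(self):
        self._rules = {"10015": "true", "10020": "true", "10038": "true"}  # sample rule ids
        self._queue, self._status = 2, ["stopped"]
        self.pscan = self.ajaxSpider = self.core = self  # flattens zap.pscan / zap.ajaxSpider / zap.core
    def disable_all_scanners(self):
        self._rules = {k: "false" for k in self._rules}
    def enable_scanners(self, ids):  # ids is the comma-separated string the API expects
        for i in ids.split(","):
            self._rules[i] = "true"
    @property
    def scanners(self):
        return [{"id": k, "enabled": v} for k, v in self._rules.items()]
    @property
    def records_to_scan(self):  # backlog drains by one per poll
        self._queue = max(0, self._queue - 1)
        return str(self._queue)
    def scan(self, url):
        self._status = ["running", "stopped"]
    @property
    def status(self):
        return self._status.pop(0) if len(self._status) > 1 else self._status[0]
    def alerts(self, baseurl=None):
        return [{"alert": "constructed sample alert", "url": baseurl}]
```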

JWeb Dev

Mar 13, 2023, 7:22:15 AM3/13/23
to OWASP ZAP User Group
Thanks. I do exactly this: disableAllScanners and then put only the needed ones.