Filtering out Active scans URL


ngu...@tk20.com

Nov 20, 2015, 5:21:35 AM
to OWASP ZAP User Group
Hi all, I am a newbie to ZAP. I have recorded my application's URLs and am doing an active scan for it. But my problem is that in the active scan it sends requests to every .js and .css file.
Is there any way that I can filter out these URLs so that the active scan only sends requests to the intended pages, not to all the CSS and JS files?
Any help would be greatly appreciated.

thc...@gmail.com

Nov 20, 2015, 5:29:51 AM
to zaprox...@googlegroups.com
Hi.

It's possible to exclude URLs from the active scan using the "Exclude
from scanner" panel (in "Session Properties dialog"). [1]


[1]
https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsSessionSessprop

Best regards.

ngu...@tk20.com

Nov 20, 2015, 5:57:30 AM
to OWASP ZAP User Group
Hi,

Thanks for the quick reply, I have seen the above link.

I want to filter out these kinds of links having css in between them, and I tried to make a regex from the link you provided as:

 \Q*\css+*\E
and was not able to filter out the results.
Could you please help me out in making a regex for these kinds of links?

thc...@gmail.com

Nov 20, 2015, 6:23:36 AM
to zaprox...@googlegroups.com
Hi.

To exclude those you can use:
.+/css/.+

At least one char before and after "/css/", which matches the type of
links in the example provided.
(It's not necessary to quote "/css/" since it does not contain any special
regex characters.)

Best regards.

ngu...@tk20.com

Nov 20, 2015, 6:29:19 AM
to OWASP ZAP User Group
Hi, I tried it out also but it is not working for me. It still shows that the link is included in the active scan.

thc...@gmail.com

Nov 20, 2015, 9:15:14 AM
to zaprox...@googlegroups.com
Is the URL still showing in the "Active Scan" tab?

Which ZAP version are you using?


Best regards.

On 20/11/15 11:29, ngu...@tk20.com wrote:
> Hi, I tried it out also but it is not working for me. It still shows that the link
> is included in the active scan.
>

ngu...@tk20.com

Nov 20, 2015, 9:17:02 AM
to OWASP ZAP User Group

I am using the latest version of ZAP, 2.4.2.

thc...@gmail.com

Nov 20, 2015, 10:52:16 AM
to zaprox...@googlegroups.com
Strange, if I use that regex and scan that URL I see it being excluded:
URL excluded:
https://testing5.tk20.com/campustoolshighered/css/7576241595533710273
Regex: .+/css/.+

Are the URLs that you are trying to exclude similar to the above?

Best regards.

On 20/11/15 14:17, ngu...@tk20.com wrote:
>
> I am using the latest version of ZAP, 2.4.2.
>

ngu...@tk20.com

Nov 21, 2015, 1:38:12 PM
to OWASP ZAP User Group
Hi,


I think I am doing the input steps wrong. Please correct my input steps:

1) Go to the Tools tab
2) Select the Options menu
3) Select Active Scan Input Vectors
4) Click the Add button to add a parameter

Name: give it a name, say exclude_css
Where: URL
URL: +/css/.+ (regex)
and click the Add button and then OK.

And now when I am doing the active scan it requests several CSS and JS files that are present on the application.
You can see that in the image for your reference.


thc...@gmail.com

Nov 23, 2015, 4:34:28 AM
to zaprox...@googlegroups.com
Hi.

That option is to exclude input vectors, not the URLs being attacked.
To exclude the URLs from the active scanner you need to add them to
"Exclude from Scanner" panel in "Session Properties" dialogue ("File" >
"Session Properties...").

Best regards.

On 21/11/15 18:38, ngu...@tk20.com wrote:
> Hi,
>
>
> I think I am doing the input steps wrong. Please correct my input steps:
>
> 1) Go to the Tools tab
> 2) Select the Options menu
> 3) Select Active Scan Input Vectors
> 4) Click the Add button to add a parameter
>
> Name: give it a name, say exclude_css
> Where: URL
> URL: +/css/.+ (regex)
> and click the Add button and then OK.
>
> <https://lh3.googleusercontent.com/-OzhDHUGYxvg/VlC5bsWHfHI/AAAAAAAAAAM/Xq6kowfgTDA/s1600/css_image.png>
>
> And now when I am doing the active scan it requests several CSS and JS files that
> are present on the application.
> You can see that in the image for your reference.
>
>
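
Added example (mine, not from this thread or the ZAP project): a small Python checker that shows why the `.+/css/.+` pattern from the earlier reply matches the URL reported as excluded, why a bare `/css/` without the surrounding `.+` matches nothing, and why the `+/css/.+` typed into the steps above is rejected by the regex parser before it can match anything. It also adds a broader exclude list for .js/.css by extension, which the thread's pattern alone does not cover. Assumptions: all sample URLs except the first are constructed; ZAP applies "Exclude from Scanner" regexes to the whole URL (inferred from the working pattern, so `re.fullmatch` is used rather than `re.search`); ZAP itself uses Java regexes, so the patterns stick to syntax both engines share.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample URLs for the demo. Only the first mirrors the URL the
# reply reported as excluded; the example.test entries are made up.
SAMPLE_URLS = [
    "https://testing5.tk20.com/campustoolshighered/css/7576241595533710273",
    "https://example.test/app/static/css/site.css",
    "https://example.test/app/scripts/app.js?v=3",
    "https://example.test/app/login",
    "https://example.test/app/css",
    "https://example.test/app/account/edit",
]

# Pattern from the thread: at least one char, "/css/", at least one char.
THREAD_PATTERN = r".+/css/.+"

# Broader exclusion (my suggestion, not the thread's): static assets by
# extension with an optional query string, plus whole /css/ and /js/ trees.
STATIC_ASSET_PATTERNS = [
    r".+\.(css|js)(\?.*)?",
    r".+/(css|js)(/.*)?",
]


def check_pattern(pattern: str) -> Optional[str]:
    """Return None if the regex compiles, otherwise the parser's message.

    A dangling leading '+' (as in the steps above) is a syntax error in both
    Python and Java, so ZAP would never match it. Note that Java's \\Q...\\E
    literal quoting (the first attempt in the thread) is not understood by
    Python's re module, so this checker cannot evaluate that form.
    """
    try:
        re.compile(pattern)
        return None
    except re.error as exc:
        return str(exc)


def is_excluded(url: str, patterns: Iterable[str]) -> bool:
    """Assumption: the exclude regex must match the whole URL, which is why
    the thread's pattern needs .+ on both sides. fullmatch mimics that."""
    return any(re.fullmatch(p, url) for p in patterns)


def partition(urls: Iterable[str], patterns: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split URLs into (still_scanned, excluded) for a given exclude list."""
    pats = list(patterns)
    scanned: List[str] = []
    excluded: List[str] = []
    for u in urls:
        (excluded if is_excluded(u, pats) else scanned).append(u)
    return scanned, excluded


if __name__ == "__main__":
    for pat in (THREAD_PATTERN, "+/css/.+"):
        err = check_pattern(pat)
        print(f"{pat!r}: {'ok' if err is None else 'INVALID: ' + err}")
    scanned, excluded = partition(SAMPLE_URLS, [THREAD_PATTERN])
    print("excluded by the thread pattern:", *excluded, sep="\n  ")
    scanned, excluded = partition(SAMPLE_URLS, STATIC_ASSET_PATTERNS)
    print("excluded by the static-asset patterns:", *excluded, sep="\n  ")
    print("still scanned:", *scanned, sep="\n  ")
```

Run it before pasting a pattern into ZAP; whatever it reports as excluded is what the "Exclude from Scanner" list in File > Session Properties will drop from the active scan, as the reply above says. The Active Scan Input Vectors option the steps above used controls which parameters get attacked, not which URLs, so a pattern entered there has no effect on the request list.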

ngu...@tk20.com

Nov 23, 2015, 4:57:45 AM
to OWASP ZAP User Group
Hi,

I have filtered out the active scan requests.
Thanks for your time and effort, much appreciated.
