Active Scan gives different results


Demetri

Nov 16, 2016, 2:55:44 PM
to OWASP ZAP User Group

Hello,

New user here. I had a question about getting different results when doing an Active Scan.

So I'm using Firefox configured as proxy and trying the Active Scan on the login page of our application. I am noticing that sometimes the Active Scan will result in alerts like External Redirect, Path Traversal, Remote File Inclusion, while in other cases those alerts do not show up. When looking at the scan progress details, it seems that ZAP is sending a different number of requests for each test.

In the case where the alerts get detected, we have 329 requests being sent for Path Traversal and 112 for RFI. In the case where the alerts do not get detected, we see that ZAP has sent 203 requests for Path Traversal and 80 for RFI. These are seen in the screenshots below.

I am scanning the same page on the same application, I am logged in to the application in both cases and using the same ZAP instance, so I'm not sure why the results would be different. Can you share some clues as to how ZAP decides how many requests get sent and how deeply the current test will go? Is there some configuration that I need to check?

Simon Bennetts

Nov 17, 2016, 4:44:26 AM
to OWASP ZAP User Group
ZAP should send the same number of requests when active scanning, but only if everything else is the same :)
There are various factors which will affect the number of requests sent:
  • The number of rules used - in this case you are using the same ones
  • The attack strength - in this case it's the same (medium)
  • The number of URLs found

Based on the above screenshots I'd definitely start looking at the number of URLs you are scanning.

How are you exploring your application? Using one or both of the ZAP spiders? By proxying manual or automated tests?

My guess is that you are doing something different when exploring your app, or potentially the app is acting in a different way.


To check if you are exploring your app in different ways, keep an eye on the Sites tree.
This is ZAP's internal representation of your app, and the more nodes it has, the more requests will be sent when scanning.
A node represents the combination of URL, method and parameter names, so one URL could be represented by lots of nodes in the Sites tree.
We have a simple script that allows you to print out the Sites tree so you can diff different ones: Traverse sites tree.js

Cheers,

Simon

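As an added illustration of Simon's point (this is not ZAP's code and not the "Traverse sites tree.js" script he links), a small Python model of why a larger Sites tree means more scan requests: each node is keyed by URL, method and parameter names, two explorations are diffed, and a rough per-node request count is derived. The node key, the sample traffic and the request-count formula are simplifying assumptions, not ZAP's actual behaviour.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample traffic, as a proxy would see it: (method, url, body).
# RUN_OK logs in with the right password; RUN_WITH_LOGIN_ERROR first fails
# the login, which adds a retry parameter and a request to a static host.
RUN_OK = [
    ("GET", "https://app.example/login", ""),
    ("POST", "https://app.example/login", "user=alice&pass=secret"),
    ("GET", "https://app.example/home", ""),
]
RUN_WITH_LOGIN_ERROR = RUN_OK + [
    ("POST", "https://app.example/login", "user=alice&pass=wrong&retry=1"),
    ("GET", "https://static.example/error.css", ""),
]


def node_key(method, url, body=""):
    """Assumed Sites-tree node identity: method + URL without query + sorted
    parameter names (query and body). Same path, different param names -> new node."""
    parts = urlsplit(url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    names = set(parse_qs(parts.query, keep_blank_values=True))
    if body:
        names |= set(parse_qs(body, keep_blank_values=True))
    return (method.upper(), base, tuple(sorted(names)))


def sites_tree(requests):
    """Build the set of distinct nodes from proxied traffic."""
    return {node_key(*r) for r in requests}


def diff_trees(before, after):
    """Nodes present in `after` but not in `before`, sorted for display."""
    return sorted(after - before)


def scan_requests(tree, payloads_per_target):
    """Toy estimate (assumption): every node is attacked on its URL plus each
    parameter, with a fixed number of payloads per target at a given strength."""
    return sum((len(params) + 1) * payloads_per_target for _, _, params in tree)


if __name__ == "__main__":
    ok, err = sites_tree(RUN_OK), sites_tree(RUN_WITH_LOGIN_ERROR)
    for node in diff_trees(ok, err):
        print("only after login error:", node)
    print("estimated requests:", scan_requests(ok, 10), "vs", scan_requests(err, 10))
```

Diffing the two trees shows exactly which extra nodes the failed login introduced, which is the comparison Simon suggests making between two scans that send different request counts.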
Demetri

Nov 18, 2016, 11:30:21 AM
to OWASP ZAP User Group
Thanks Simon!

Indeed I noticed there were more URLs included in the context (under Sites) in the Active Scan that executed more requests.
I'm using ZAP as proxy and I had tried to log in to our app with a wrong password, which resulted in an error and an additional URL (static...) being added under Sites. Then, when I did the scan, it reported more issues (RFI, Path Traversal etc.).
If I don't cause the login error (i.e. use the correct password the first time) and log in to the app, and then I do the scan, I do not get the RFI and Path Traversal alerts.
This is a bit strange to me since there really is an RFI issue which I can reproduce manually. But it only shows up when I cause the login error and accept the certificate from https://static..

I guess it would depend on the application being scanned, but in general, is it safe to say that the more URLs that get added under Sites, the more accurate the results from Active Scan will be?
Thanks for your help,
Demetri

kingthorin+owaspzap

Nov 18, 2016, 8:30:48 PM
to OWASP ZAP User Group
Absolutely, the more of the app/site that ZAP (or any scanner really) knows about, the more complete the results/coverage. Whether that content is discovered by one of the spiders or "taught" by you (proxying) doesn't really matter.