Not able to fetch stats using hook

Nithin A

Sep 28, 2021, 12:52:33 PM
to OWASP ZAP User Group
I am not able to get stats related to authentication. I see that the hook file is identified but the stats are not shown.
a.JPG

Scan hook used is,
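def zap_pre_shutdown(zap):
    # Runs just before ZAP shuts down, after the scan has finished
    print("Hook Identified")
    # Print the authentication statistics recorded for the target site
    print(zap.stats.site_stats("http://testphp.vulnweb.com/", "stats.auth"))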

Kindly assist.

Simon Bennetts

Sep 28, 2021, 12:58:39 PM
to OWASP ZAP User Group
It looks like it is working.
See the [{}] - those are the stats, i.e. there aren't any.
This implies you are not performing an authenticated scan.
Can you post the command you are using to launch ZAP here?

Cheers,

Simon

Nithin A

Sep 28, 2021, 1:01:21 PM
to OWASP ZAP User Group
2.JPG

Nithin A

Sep 28, 2021, 1:04:02 PM
to OWASP ZAP User Group
Also I was hoping it will show the count as zero if it is not getting authenticated or if it's not an authenticated scan.

Regards,

Simon Bennetts

Sep 29, 2021, 4:34:38 AM
to OWASP ZAP User Group
The infrastructure does not know what stats the code will try to collect.
So no stats mean the same thing as zeros :)
However the fact that you're not getting any of the stats.auth.state.* stats is a clear indication that ZAP is not trying to run an authenticated scan.
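
The check described in the reply above, written as a scan hook. This is an added example, not part of the original posts and not code from the ZAP project. The thread shows only the empty result `[{}]`, so the shape of a populated result is an assumption and the helper walks nested lists and dicts; `flatten_stats` and `auth_scan_ran` are hypothetical helper names.

```python
# Added example; not code from the thread or from the ZAP project.
AUTH_STATE_PREFIX = "stats.auth.state."  # prefix named in the thread
TARGET = "http://testphp.vulnweb.com/"   # site used in the original hook


def flatten_stats(result):
    """Collect {stat_name: value} from a site_stats result.

    Assumption: a populated result may nest stats under lists or
    per-site dicts, so both are walked recursively.
    """
    found = {}
    if isinstance(result, list):
        for item in result:
            found.update(flatten_stats(item))
    elif isinstance(result, dict):
        for key, value in result.items():
            if isinstance(value, (dict, list)):
                found.update(flatten_stats(value))
            else:
                found[key] = value
    return found


def auth_scan_ran(result):
    """True only if at least one stats.auth.state.* stat was recorded."""
    return any(name.startswith(AUTH_STATE_PREFIX)
               for name in flatten_stats(result))


def zap_pre_shutdown(zap):
    result = zap.stats.site_stats(TARGET, "stats.auth")
    if not auth_scan_ran(result):
        # An empty result means the same as zeros: nothing was counted.
        print("WARNING: no %s* stats recorded; the scan was not "
              "authenticated (was -U <user> passed?)" % AUTH_STATE_PREFIX)
        return
    for name, value in sorted(flatten_stats(result).items()):
        print("%s = %s" % (name, value))


if __name__ == "__main__":
    # Constructed samples: the empty result from the thread, then a
    # populated one whose key and value are made up for illustration.
    print(auth_scan_ran([{}]))
    print(auth_scan_ran([{AUTH_STATE_PREFIX + "loggedin": "4"}]))
```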

Nithin A

Sep 29, 2021, 4:46:35 AM
to zaprox...@googlegroups.com
Hi Simon thanks for the response.
Can you please tell what is wrong with the instructions. I have defined the context and I'm also able to see different results for scans with and without context files.
Only thing is I'm not able to fetch the stats.

Kindly assist

Simon Bennetts

Sep 29, 2021, 5:34:39 AM
to OWASP ZAP User Group
You are only specifying the context file, that doesn't trigger an authenticated scan.
As per https://www.zaproxy.org/docs/docker/full-scan/ you must specify the "-U user" param where the user is one that's defined in the context.

Cheers,

Simon

Nithin A

Sep 29, 2021, 5:36:49 AM
to zaprox...@googlegroups.com
Thanks very much 👍🏼🙂
