Hi Simon! New ZAP AF scan (GUI) vs ZAP Container packaged full scan


Khopithan Sathiyakeerthy
Aug 18, 2021, 11:47:42 PM
to OWASP ZAP User Group
Hi Simon,

I tried that new AF scan in ZAP (GUI). It is quite simple and better than the typical AF scan, and the new AF scan found more vulnerabilities than the old one. Thank you for this new feature.

The newly generated report was quite informative compared with the old report, but the UI was not that good to look at for a long time, and without those additional .js and .css files it was hard to read. I hope this will be fixed in future releases.

And I have two vulnerability reports, from the full packaged scan and the new AF scan. The full packaged scan found more vulnerabilities than the new AF scan.

ZAP full packaged scan:

docker run -v $(pwd)/zap-report:/zap/wrk/:rw -t owasp/zap2docker-stable zap-full-scan.py -t http://example.com/myapp -j -a -r report-stable-fullscan.html

New ZAP AF scan (GUI):

Generated .yml file from this scan:

---
env:
  contexts:
  - name: "myapp"
    urls:
    includePaths: []
    excludePaths: []
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
  vars: {}
jobs:
- parameters:
    updateAddOns: true
  name: "addOns"
  type: "addOns"
- parameters:
    scanOnlyInScope: true
    enableTags: false
  rules: []
  name: "passiveScan-config"
  type: "passiveScan-config"
- parameters: {}
  name: "spider"
  type: "spider"
  tests:
  - onFail: "INFO"
    statistic: "automation.spider.urls.added"
    operator: ">="
    value: 100
    name: "At least 100 URLs found"
    type: "stats"
- parameters: {}
  name: "spiderAjax"
  type: "spiderAjax"
  tests:
  - onFail: "INFO"
    statistic: "spiderAjax.urls.added"
    operator: ">="
    value: 100
    name: "At least 100 URLs found"
    type: "stats"
- parameters: {}
  name: "passiveScan-wait"
  type: "passiveScan-wait"
- parameters: {}
  policyDefinition:
    rules: []
  name: "activeScan"
  type: "activeScan"
- parameters:
    template: "modern"
    reportDir: "C:\\Users\\Administrator"
  name: "report"
  type: "report"


So, what is the difference between these two scans?

The new AF scan took around 3-5 minutes to complete, but the full packaged scan took around 2.75 hours. Why?

Can I use the generated .yml file from the new AF scan in cmd (like the old AF scan) for automation purposes?

Regards,
Khopi

Simon Bennetts
Aug 19, 2021, 3:26:30 AM
to OWASP ZAP User Group
Hi Khopi,

> The newly generated report was quite informative compared with the old report, but the UI was not that good to look at for a long time, and without those additional .js and .css files it was hard to read. I hope this will be fixed in future releases.

Can you explain what you mean by this?
I'm not aware of any issues here so there are no plans to fix anything.

> The new AF scan took around 3-5 minutes to complete, but the full packaged scan took around 2.75 hours. Why?

No idea, but it implies the new AF scan did not work as expected.
Run the AF plan in the GUI.
How many URLs does it discover?
Which active scan rules are used?

> Can I use the generated .yml file from the new AF scan in cmd (like the old AF scan) for automation purposes?

Yes, that's the whole idea.

Cheers,

Simon
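An added example (not code from this thread or from the ZAP project) of what "the whole idea" looks like in practice: running the GUI-generated plan above headlessly in the same Docker image the full scan used, after fixing the one thing that will not work inside the container (the Windows reportDir) and sanity-checking the plan. It assumes docker is installed, the plan was saved as myapp.yaml in the current directory, and zap.sh's documented -cmd -autorun option as the entry point.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or the ZAP project: run a GUI-generated
# Automation Framework plan headlessly in the same Docker image the full scan used.
# Assumptions: docker is installed, the plan was saved as myapp.yaml in the current
# directory, and zap.sh's -cmd -autorun option is the AF's command-line entry point.
set -euo pipefail

# The GUI wrote reportDir as a Windows path (C:\Users\Administrator). Inside the
# container only /zap/wrk is mounted, so point the report job there first.
prepare_plan() {
  local src="$1" dst="$2"
  sed -e 's|reportDir: ".*"|reportDir: "/zap/wrk"|' "$src" > "$dst"
}

# Number of jobs in the plan: each job has a two-space-indented "type:" line
# (the "type:" lines under a job's tests are indented further and not counted).
count_jobs() {
  grep -c '^  type: ' "$1" || true
}

# URLs listed under the context. The plan above has scanOnlyInScope: true and an
# empty urls: list, so this is worth checking before a CI run: with nothing in the
# context there is likely nothing in scope for the spiders and scanner to work on.
context_url_count() {
  grep -c '^    - "http' "$1" || true
}

run_plan() {
  local plan="$1"
  docker run --rm -v "$(pwd):/zap/wrk/:rw" -t owasp/zap2docker-stable \
    zap.sh -cmd -autorun "/zap/wrk/$(basename "$plan")"
}

# Usage: ./run-af-plan.sh --run   (prepares myapp-docker.yaml and runs it)
if [ "${1:-}" = "--run" ]; then
  prepare_plan myapp.yaml myapp-docker.yaml
  echo "jobs: $(count_jobs myapp-docker.yaml), context URLs: $(context_url_count myapp-docker.yaml)"
  run_plan myapp-docker.yaml
fi
```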

Khopithan Sathiyakeerthy
Aug 19, 2021, 3:50:40 AM
to OWASP ZAP User Group
Hi Simon,

1) When I open the generated HTML report together with the generated directory (which has all the .css and .js files related to the generated HTML report), I mean both in the same path, then there is no problem. The report looks as we expected.

But if I move the generated report somewhere without that directory (I mean the .js and .css files) and open the report, it does not render properly.

It is not that big an issue. It is a web development related thing. If the report were generated in PDF format, then there wouldn't be any issue. That's why I said that.

2) I scanned two different applications with both the new ZAP AF (GUI) and the ZAP Container packaged full scan. I got the same result: the packaged scan found more vulnerabilities than the new ZAP AF scan. And I did this multiple times.

3) In the new ZAP AF scan, I didn't configure much more than you explained. Actually, I installed the alpha active scan add-on, but when I configured the AF rules for a full scan, I didn't see any alpha active scan rules in the new AF full scan jobs.

Regards,
Khopi 

Simon Bennetts
Aug 19, 2021, 3:57:02 AM
to OWASP ZAP User Group
On Thursday, 19 August 2021 at 09:50:40 UTC+2 khopith...@gmail.com wrote:
> Hi Simon,
>
> 1) When I open the generated HTML report together with the generated directory (which has all the .css and .js files related to the generated HTML report), I mean both in the same path, then there is no problem. The report looks as we expected.
>
> But if I move the generated report somewhere without that directory (I mean the .js and .css files) and open the report, it does not render properly.

Well that's easy enough - if you move the generated report then move the directory as well!
That's just the same as when you save an HTML page from your browser, so it's working as expected.

> It is not that big an issue. It is a web development related thing. If the report were generated in PDF format, then there wouldn't be any issue. That's why I said that.

If you want a PDF report then select a PDF report - the AF supports those as well :P

> 2) I scanned two different applications with both the new ZAP AF (GUI) and the ZAP Container packaged full scan. I got the same result: the packaged scan found more vulnerabilities than the new ZAP AF scan. And I did this multiple times.
>
> 3) In the new ZAP AF scan, I didn't configure much more than you explained. Actually, I installed the alpha active scan add-on, but when I configured the AF rules for a full scan, I didn't see any alpha active scan rules in the new AF full scan jobs.

If you answer my previous questions then we might be able to help you more.

Cheers,

Simon

Khopithan Sathiyakeerthy
Aug 19, 2021, 4:44:55 AM
to OWASP ZAP User Group
It found 88 URLs.

Regards,
Khopi

Simon Bennetts
Aug 19, 2021, 5:58:41 AM
to OWASP ZAP User Group
Now look at the Active Scan tab and click on the "Show scan progress details" button - can you see which rules ran and how long they took?