Exclude unused SQL engines


Slime Diallo
Apr 16, 2020, 3:48:59 PM
to OWASP ZAP User Group
I defined in my context that I want to exclude certain databases (all except MySQL). My configuration file for my context clearly indicates <exclude>; however, these DBs are scanned during my tests. Do you know what other parameters need to be specified to avoid these scans during tests?


thc...@gmail.com
Apr 16, 2020, 4:11:27 PM
to zaprox...@googlegroups.com
Hi.

Could you provide more details? How are you starting the scan?


P.S. We are still there if you want to chat :)

Best regards.

Slime D.
Apr 16, 2020, 4:28:51 PM
to OWASP ZAP User Group
Hey, sure.

I use a Jenkins job which triggers and executes my ZAP scan once a month in an AWS S3 bucket which contains the context and session files of my ZAP server.
The file which contains these include or exclude database scans is the "mycompany.context" file. Even with the DB parameter unticked and the <exclude> mentioned in the context config file, this one is still scanned, which is what I want to avoid.

thc...@gmail.com
Apr 16, 2020, 4:48:55 PM
to zaprox...@googlegroups.com
But how is ZAP/active scan started specifically? Are you specifying the context?

btw, are you using ZAP 2.9.0?

Best regards.

Slime D.
Apr 17, 2020, 11:21:05 AM
to OWASP ZAP User Group
Yes, the context is specified. At the beginning of the context file you can see these lines:

        <tech>
            <include>Db.MySQL</include>
            <include>Language.PHP</include>
            <include>OS.Linux</include>
            <include>SCM.Git</include>
            <exclude>Db</exclude>
            <exclude>Db.CouchDB</exclude>
            <exclude>Db.Firebird</exclude>
            <exclude>Db.HypersonicSQL</exclude>
            <exclude>Db.IBM DB2</exclude>
            <exclude>Db.Microsoft Access</exclude>
            <exclude>Db.Microsoft SQL Server</exclude>
            <exclude>Db.MongoDB</exclude>
            <exclude>Db.Oracle</exclude>
            <exclude>Db.PostgreSQL</exclude>
            <exclude>Db.SAP MaxDB</exclude>

But even with the exclude, the scan includes for example MongoDB or SQL Server, which I don't want. Yes, I'm using the latest ZAP 2.9.0.
That's why I don't understand.

kingthorin+owaspzap
Apr 17, 2020, 12:12:58 PM
to OWASP ZAP User Group
Did you specify the context as the target for the scan? (Versus a URL)

Slime D.
Apr 17, 2020, 3:25:44 PM
to OWASP ZAP User Group
Yes. If I refer to the line between <incregexes>, does that mean that my context is not normally used?

thc...@gmail.com
Apr 17, 2020, 4:03:39 PM
to zaprox...@googlegroups.com
Correct, you need to start the scan specifying the context you want used.

Best regards.

kingthorin+owaspzap
Apr 17, 2020, 7:35:03 PM
to OWASP ZAP User Group
The target of the scan needs to actually be the context, not simply a URL included in the context.

Slime D.
Apr 20, 2020, 6:23:07 PM
to OWASP ZAP User Group
I replaced the URL target with the name of the context. Unfortunately, I excluded SQLInjections "SQLite" but it's still in the reports.

thc...@gmail.com
Apr 20, 2020, 7:06:11 PM
to zaprox...@googlegroups.com
The context name is a different parameter of the endpoint.

Best regards.
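The point of this reply, that the context reaches the scan endpoint through its own contextId parameter rather than through the url field, as an added example that is not from this thread or from the ZAP project: a small Python client that looks up the context id by name and then starts the active scan with contextId set, so the context's tech exclusions apply. The ZAP address, API key, target URL and the JSON response shapes are assumptions.

```python
"""Start a ZAP active scan against a named context (added example, not ZAP's own code)."""
import json
import urllib.parse
import urllib.request

ZAP_API = "http://localhost:8080"        # assumed address of the ZAP daemon
API_KEY = "changeme"                     # assumed; use the key from ZAP's API options
CONTEXT_NAME = "mycompany"               # the thread's context file is mycompany.context
TARGET_URL = "https://app.example.test/" # constructed start URL that lies inside the context


def api_url(component, kind, action, **params):
    """Build a ZAP JSON API URL such as .../JSON/ascan/action/scan/?contextId=1&..."""
    params = {k: v for k, v in params.items() if v is not None}
    return f"{ZAP_API}/JSON/{component}/{kind}/{action}/?{urllib.parse.urlencode(params)}"


def http_get(url):
    """Real transport: fetch the URL and return the response body as text."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode()


def context_id(body):
    """Parse the numeric id out of a context/view/context response (assumed shape)."""
    return int(json.loads(body)["context"]["id"])


def start_context_scan(name, target, api_key, fetch=http_get):
    """Resolve the context name to its id, then start the active scan with that id.

    Passing only a URL, or putting the context name into the url field, starts a
    scan with no context attached, so the <exclude>Db.*</exclude> entries in the
    context file are never consulted. Returns (scan_url, scan_id).
    """
    lookup = api_url("context", "view", "context", contextName=name, apikey=api_key)
    cid = context_id(fetch(lookup))
    scan = api_url("ascan", "action", "scan", url=target, recurse="true",
                   inScopeOnly="true", contextId=cid, apikey=api_key)
    return scan, json.loads(fetch(scan))["scan"]   # assumed response: {"scan": "<id>"}


if __name__ == "__main__":
    print(start_context_scan(CONTEXT_NAME, TARGET_URL, API_KEY))
```

From a Jenkins job the same two calls can be made with curl; the check after the scan is that contextId appears in the ascan request rather than a context name in the url field.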