AJAX Spider Scan not recursing, stuck in loop?


Larry Menard

Oct 22, 2021, 11:37:11 AM
to OWASP ZAP User Group
I'm trying to run an AJAX Spider Scan on all pages of our web app, but I'm not seeing the scan following links from the initial page to subsequent pages.

I'm not a developer, but I can tell you that our app uses a framework called "Angular", and it generates and uses REST API calls to communicate with our backend for loading the various pages etc.

When I launch an AJAX Spider Scan against the URL of our app's initial content page using ZAP, a browser (Firefox) is launched, that initial content page is successfully loaded and I can see the scan start.

I would have expected that the scan would then follow all of the links/buttons on that page, and I would see the other various pages being recursed into.  But what I am actually seeing is:

1) A couple of the buttons on the page are being explored (they briefly pop up some sub-dialogs), but only very few of them, and in a date entry field on that page I can see lots of random text being appended to the default value in that field.

2) Every 15 or so seconds, the browser seems to completely reload that initial content page, and the cycle described above repeats.

This loop goes on for about 45 minutes and then the scan ends.

In all that time I never saw the scan leave that initial content page, and I can find no output anywhere indicating that any of the other various content pages were accessed.

Am I misunderstanding something?  If so, what?

Any pointers would be appreciated.

Thanks.

Simon Bennetts

Oct 25, 2021, 10:15:27 AM
to OWASP ZAP User Group
Hi Larry,

Modern web apps can be a complete pain to explore, tbh :/
The ajax spider works by launching a browser and then clicking on elements on the relevant pages.
By default it will only click on "a", "button" and "input" elements.
If your app requires the user to click on other types of elements then you will need to enable those via the AJAX Spider options.
You can enable all elements, but that could then take much longer, so it's better to just enable the ones you need.

Cheers,

Simon

Larry Menard

Oct 25, 2021, 3:49:10 PM
to OWASP ZAP User Group
Hi Simon, thanks for the response.

I've made a tweak to the way I initiate the AJAX spider scan (instead of launching the scan via the HUD, I do so by expanding "Sites" in the ZAP GUI, right-clicking on "https://192.168.0.5:8443", selecting "Attack..." -> "AJAX Spider...", and setting the Starting Point to "https://192.168.0.5:8443/myapp").

It still seems to revisit some of the pages several times, but by exporting the contents of the "AJAX Spider" tab into a CSV at the end of the run I can verify that it did visit all of the pages in our app. I don't really understand exactly what it is doing, but it does look like all pages in our app have been scanned.

Simon Bennetts

Oct 26, 2021, 4:12:02 AM
to OWASP ZAP User Group
Thanks for letting us know :)
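As an added example (not code from this thread or from the ZAP project), the check Larry did by hand, scripted in Python: it drives the AJAX Spider through the ZAP API with the default element set Simon describes, then compares the recorded request lines against a list of pages the app should have, collapsing the repeat visits Larry noticed into one count per page. Assumed: the zapv2 client method names, that each result entry carries a 'requestHeader', and the constructed sample request lines and expected page list (only /myapp on 192.168.0.5:8443 comes from the thread).

```python
import re
import time
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: first line of each request the spider recorded (hypothetical values),
# and a hypothetical list of pages the app is expected to have.
SAMPLE_REQUEST_LINES = [
    "GET https://192.168.0.5:8443/myapp HTTP/1.1",
    "GET https://192.168.0.5:8443/myapp/ HTTP/1.1",
    "GET https://192.168.0.5:8443/myapp/orders?page=1 HTTP/1.1",
    "POST https://192.168.0.5:8443/api/orders HTTP/1.1",
    "GET https://192.168.0.5:8443/myapp HTTP/1.1",
    "GET https://192.168.0.5:8443/myapp/orders?page=2 HTTP/1.1",
]
EXPECTED_PAGES = {
    "https://192.168.0.5:8443/myapp",
    "https://192.168.0.5:8443/myapp/orders",
    "https://192.168.0.5:8443/myapp/reports",
}

def normalise(url):
    """Drop query, fragment and trailing slash so repeat visits of a page collapse to one key."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path.rstrip("/"), "", ""))

def coverage_report(request_lines, expected_pages):
    """Return (visit count per page, expected pages never reached, pages reached more than once)."""
    counts = Counter()
    for line in request_lines:
        m = re.match(r"^(?:GET|POST|PUT|PATCH|DELETE)\s+(\S+)\s+HTTP/", line)
        if m:
            counts[normalise(m.group(1))] += 1
    expected = {normalise(u) for u in expected_pages}
    missing = sorted(expected - set(counts))
    revisited = sorted(u for u, n in counts.items() if n > 1)
    return counts, missing, revisited

def run_ajax_spider(start_url, zap_proxy="http://127.0.0.1:8080", api_key=""):
    """Configure, run and collect an AJAX Spider scan through the ZAP API (zapv2 client).
    Assumptions: ZAP is listening on zap_proxy, and each result carries a 'requestHeader'."""
    from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4
    zap = ZAPv2(apikey=api_key, proxies={"http": zap_proxy, "https": zap_proxy})
    zap.ajaxSpider.set_option_click_default_elems(True)  # the default: only a, button, input
    zap.ajaxSpider.set_option_max_duration(45)           # minutes
    zap.ajaxSpider.scan(url=start_url, subtreeonly=True)  # stay under the starting point
    while zap.ajaxSpider.status == "running":
        time.sleep(5)
    msgs = zap.ajaxSpider.results(start=0, count=zap.ajaxSpider.number_of_results)
    return [m["requestHeader"].splitlines()[0] for m in msgs]
```

Feed `run_ajax_spider(...)` into `coverage_report(...)` against a live ZAP; the sample lines let the report logic be checked offline.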