Proxying and scanning Vaadin based web application


Andreas Falk

Mar 11, 2015, 3:27:40 PM3/11/15
to zaprox...@googlegroups.com
I am currently trying automatic security scanning of an application implemented using the Vaadin framework (which is based on GWT, with mainly server-side extensions).
I am following the wiki entry for regression testing with ZAP.

But while proxying the requests of the Vaadin application through ZAP, only one URL entry is shown.
Is there a way to configure ZAP to detect the different pages of a Vaadin application as different URL entries, so that these can be scanned afterwards?

Thanks.

kingthorin+owaspzap

Mar 11, 2015, 3:57:51 PM3/11/15
to zaprox...@googlegroups.com
What version of ZAP are you using?

Andreas Falk

Mar 11, 2015, 4:46:27 PM3/11/15
to zaprox...@googlegroups.com

I am using the latest released version of ZAP, 2.3.1.
I did not try the weekly version, as I have not seen any information hinting that anything has changed regarding GWT/Vaadin support.

Simon Bennetts

Mar 12, 2015, 6:25:34 AM3/12/15
to zaprox...@googlegroups.com
Hi Andreas,

It sounds like Vaadin is what's known as a "single page application".
In other words, instead of having URLs like:

it has URLs like:

Is that correct?

By default ZAP builds up its model of an application using the 'standard' URL pattern, i.e. the structure is denoted by slashes.

So in the first case we have 3 pages (page1, page2 and page3) but in the second case we just have one (home) with 3 different parameter values.

However you can configure ZAP to understand that the 'page' parameter is part of the application structure by:

  1. Adding your application to a context
  2. Opening the Session Properties dialog and navigating to the 'Structure' panel for that context
  3. Adding the relevant parameter(s) to the list of "Structural Parameters"

You should then see that the Sites tree changes from something like:

To something more like:

Can you try that and let us know if it works for you?

Cheers,

Simon
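The following is an added illustration of the modelling difference Simon describes; it is not ZAP's own code and not part of the original thread. It builds a toy "sites tree" from a list of URLs: path segments always become nodes, and a query parameter becomes a node only when it is declared structural, which is what the "Structural Parameters" setting does for ZAP's real model. The host names, the `session` parameter and the URL list are constructed sample input, not taken from the reporter's application.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample input (not from the original post): the "classic" site
# uses one path per page, the Vaadin-style site uses one path and a 'page'
# query parameter to select the view. 'session' stands in for any
# non-structural parameter that should NOT split the tree.
PATH_STYLE_URLS = [
    "https://classic.example/page1",
    "https://classic.example/page2",
    "https://classic.example/page3",
]
PARAM_STYLE_URLS = [
    "https://vaadin.example/home?page=page1&session=abc",
    "https://vaadin.example/home?page=page2&session=abc",
    "https://vaadin.example/home?page=page3&session=xyz",
]


def site_tree(urls, structural_params=()):
    """Build a nested dict modelling a proxy's sites tree.

    Every path segment becomes a child node. A query parameter listed in
    structural_params also becomes a child node (as 'name=value'), mirroring
    ZAP's "Structural Parameters" setting. All other parameters are only
    recorded on the node they were seen on, under the '@params' key, so
    they do not create new nodes.
    """
    tree = {}
    structural = set(structural_params)
    for url in urls:
        parts = urlsplit(url)
        node = tree.setdefault(f"{parts.scheme}://{parts.netloc}", {})
        for segment in [s for s in parts.path.split("/") if s]:
            node = node.setdefault(segment, {})
        query = parse_qsl(parts.query, keep_blank_values=True)
        # Structural parameters extend the path, in the order they appear.
        for name, value in query:
            if name in structural:
                node = node.setdefault(f"{name}={value}", {})
        # Everything else is just metadata on the node reached above.
        for name, _ in query:
            if name not in structural:
                node.setdefault("@params", set()).add(name)
    return tree


def scan_targets(tree, prefix=""):
    """Flatten a tree into the list of node paths a scanner would attack."""
    targets = []
    for key, child in tree.items():
        if key == "@params":
            continue
        path = f"{prefix}/{key}" if prefix else key
        targets.append(path)
        targets.extend(scan_targets(child, path))
    return targets


if __name__ == "__main__":
    # Path-style app: three page nodes under the host with default settings.
    print(scan_targets(site_tree(PATH_STYLE_URLS)))
    # Parameter-style app, default settings: a single 'home' node.
    print(scan_targets(site_tree(PARAM_STYLE_URLS)))
    # Same app with 'page' declared structural: one node per page value.
    print(scan_targets(site_tree(PARAM_STYLE_URLS, structural_params=("page",))))
```

Running the script shows the collapse and the fix side by side: the parameter-style URLs yield only the host and `home` by default, and three additional `home/page=...` nodes once `page` is structural, while `session` never splits the tree in either mode. The real decision when configuring ZAP is the same one this toy makes explicit: mark as structural only parameters that select a view, not session or state tokens, or the tree explodes into one node per token value.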