Attack Mode: can ZAP first wait 5 minutes?


qs.a...@gmail.com

May 17, 2021, 3:44:00 AM
to OWASP ZAP User Group
Hello, 

we use our Selenium tests for scanning and we use attack mode for having the right order. Problem is: the Selenium test creates e.g. 3 data sets, and later counts if there are 3. But meanwhile ZAP injected some more data sets by trying its attacks, so the Selenium test fails and stops. A solution could be to make ZAP wait 5 minutes before it starts attacking. Does this option exist?

Simon Bennetts

May 17, 2021, 4:23:47 AM
to OWASP ZAP User Group
Not intentionally :)
However you could try something nasty like setting the Active Scan "Delay When Scanning (In Milliseconds)" to 5 mins (which would mean a 5 min wait in between _every_ request) and then after 5 mins unsetting it again. I'm not sure if that will be applied dynamically but it's worth a try...

Attacking an app while unit tests are running is likely to break the unit tests.
My recommendation is to run the unit tests as tests on their own, then run them again with ZAP Attack mode on but ignoring failures, if you can do that.

Cheers,

Simon

Rahul Kojrekar

May 17, 2021, 4:58:40 AM
to zaprox...@googlegroups.com
Hello,

How are you initiating attack mode after the Selenium scripts run?

Regards,
Rahul Kojrekar


Simon Bennetts

May 17, 2021, 5:06:53 AM
to OWASP ZAP User Group
Good thinking, but I'm pretty sure that if you turn on Attack mode later then ZAP will just traverse the Sites tree in order to attack the existing URLs.
So it won't attack them in the order they were made, which was the requirement I believe.

qs.a...@gmail.com

May 17, 2021, 8:26:02 AM
to OWASP ZAP User Group
First I initiate attack mode in ZAP and then I start our Selenium test. I think that's the way attack mode is meant to work.

qs.a...@gmail.com

May 18, 2021, 6:16:22 AM
to OWASP ZAP User Group
Ok, we decided to deactivate the asserts in our Selenium tests when running with ZAP, so they do not fail anymore. This works well.
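The approach the thread settles on (run the suite strictly on its own, then again through ZAP with assertion failures ignored), as an added Python example that is not code from the thread. The `ZAP_ATTACK_MODE` variable, `Checks` and `FakeApp` are hypothetical names, and `FakeApp` is a constructed stand-in for the application the Selenium test drives.

```python
import os
from dataclasses import dataclass, field

SCAN_ENV = "ZAP_ATTACK_MODE"  # hypothetical variable set by the CI job that proxies through ZAP

def scan_mode(env=None):
    """True when this run goes through ZAP in attack mode (assumed convention)."""
    env = os.environ if env is None else env
    return env.get(SCAN_ENV, "").lower() in ("1", "true", "yes")

@dataclass
class Checks:
    """Raises in a normal run; records the mismatch instead during a scan run."""
    tolerant: bool
    skipped: list = field(default_factory=list)

    def equal(self, actual, expected, what):
        if actual == expected:
            return True
        msg = f"{what}: expected {expected!r}, got {actual!r}"
        if not self.tolerant:
            raise AssertionError(msg)
        self.skipped.append(msg)  # kept so the scan run still reports what diverged
        return False

class FakeApp:
    """Constructed stand-in for the application the Selenium test drives."""
    def __init__(self, injected_per_create=0):
        self.rows = []
        self.injected_per_create = injected_per_create  # extra rows from replayed requests

    def create(self, name):
        self.rows.append(name)
        self.rows.extend(f"scan-{name}-{i}" for i in range(self.injected_per_create))

    def count(self):
        return len(self.rows)

def run_data_set_test(app, checks):
    """Create 3 data sets, then check that exactly 3 exist (the case from the thread)."""
    for name in ("a", "b", "c"):
        app.create(name)
    checks.equal(app.count(), 3, "data set count")
    return checks.skipped

if __name__ == "__main__":
    checks = Checks(tolerant=scan_mode())
    print(run_data_set_test(FakeApp(2 if checks.tolerant else 0), checks))
```

Keeping the recorded mismatches rather than deleting the asserts means the strict run still guards functional behaviour while the scan run shows which checks were disturbed by injected data.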