Perform authenticated scan in juice shop with docker Automation Framework


Mike Anastasiadis

May 1, 2024, 11:37:24 AM
to ZAP User Group
Hello all,

I am trying to perform an authenticated scan on the juice-shop application (also hosted in Docker). The scan runs, but it does not perform an authenticated scan on the privately accessible directories, only on the publicly available ones.

I run the automation framework with the following command:
docker run --net=host -v $(pwd):/zap/wrk/:rw -t zaproxy/zap-stable zap.sh -cmd -autorun /zap/wrk/zap.yaml

Here is the zap.yaml that I use to run the automation framework:

env:
  contexts:
    - name: "target"
      urls:                  # no target URL appears in the post as shown
      includePaths: []
      excludePaths: []
      authentication:
        method: "browser"
        parameters:
        verification:
          method: "autodetect"
      sessionManagement:
        method: "autodetect"
      users:
        - name: "tes...@test.com"
          credentials:
            username: "tes...@test.com"
            password: "tester"
jobs:
  - parameters:
      enableTags: false
      maxAlertsPerRule: 10
    type: passiveScan-config
  - parameters:
      maxDuration: 1
    type: spider
  - parameters:
      maxDuration: 1
    type: passiveScan-wait
  - parameters:
      format: Long
      summaryFile: /home/zap/zap_out.json
      rules: []
    type: outputSummary
  - parameters:
      reportDescription: ''
      reportDir: /zap/wrk/
      reportFile: 0000_2024-04-30T12_12_51.json
      reportTitle: ZAP Scanning Report
      template: traditional-json
    type: report

Am I missing something in the YAML? Where can I find more example YAML templates?

Many Thanks,
Mike

Simon Bennetts

May 7, 2024, 7:58:22 AM
to ZAP User Group
Hi Mike,

Juice Shop is a modern web app, so you should also include an Ajax Spider job.
Other than that I can't see anything obviously wrong.

On what basis are you saying it is not performing an authenticated scan on privately accessible directories?
Can you give an example?
Have you looked at the specific requests and responses?

Cheers,

Simon
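Simon's suggestion written out as an added example (this is not from either post and not code from the ZAP project): a jobs section that keeps the original passive-scan, spider, wait and report jobs but adds a spiderAjax job beside the regular spider, and binds both crawlers to the context and to a named user so they run with that user's session. The job type and parameter names (spiderAjax, context, user, maxDuration) follow the Automation Framework documentation as I recall it and should be checked against the docs for your ZAP version; the user name "juice-user" is a constructed placeholder that must match a name listed under env.contexts.users.

```yaml
# Added example: jobs section for an authenticated crawl of a modern (Ajax-heavy) app.
# Assumes env.contexts defines a context named "target" with a user named "juice-user".
jobs:
  - type: passiveScan-config
    parameters:
      enableTags: false
      maxAlertsPerRule: 10

  # Classic spider, run as the named user so it sees pages behind the login.
  - type: spider
    parameters:
      context: "target"
      user: "juice-user"      # placeholder; must match env.contexts[].users[].name
      maxDuration: 1

  # Ajax spider drives a real browser, so client-side routes (Juice Shop's #/ pages)
  # are discovered as well; again bound to the same context and user.
  - type: spiderAjax
    parameters:
      context: "target"
      user: "juice-user"
      maxDuration: 1

  - type: passiveScan-wait
    parameters:
      maxDuration: 1

  - type: report
    parameters:
      template: traditional-json
      reportDir: /zap/wrk/
      reportFile: zap-report.json   # constructed file name
      reportTitle: ZAP Scanning Report
      reportDescription: ''
```

To confirm the crawl actually ran authenticated, do what Simon asks for above: open the requests ZAP made during the spider jobs and check that they carry the session the login produced and that the responses are the logged-in pages rather than redirects to the login form. If the `user` parameter is left out, both spiders run anonymously even though a user is defined in the context.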

Mike Anastasiadis

May 7, 2024, 12:12:17 PM
to zaprox...@googlegroups.com
Hi Simon,

I watched your latest video (ZAP Chat 16) with Yiannis and created an automation plan with authentication like you did in the video. Then extracted the .yaml and it worked perfectly.

Thanks for answering!

Have a great day!

