ZAP API AJAXSPIDER


Thilina Madhusanka

Aug 19, 2015, 12:18:08 AM
to OWASP ZAP User Group
Hi

In the ajaxSpider in the ZAP API there is a method "scan(String apikey, String url, String inscope)".

What is the "inscope" argument?

If I need to call this method, what should I pass?

Is there anything that needs to be done before calling this method?

Thanks.

Simon Bennetts

Aug 19, 2015, 2:48:09 AM
to OWASP ZAP User Group
Scope is described in the ZAP Help, which is included with ZAP and also online here: https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsScope

If you haven't defined any Contexts (https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsContexts) then you should use the value "false", otherwise nothing will be in scope and nothing will get spidered.
If you have defined contexts and want to make sure the Ajax Spider doesn't go outside of them then use "true".

Does that help?

Cheers,

Simon

Thilina Madhusanka

Aug 19, 2015, 3:04:54 AM
to OWASP ZAP User Group
Hey

Thanks, it helps.

Another thing, not related to the topic: I have used ZAP to test some applications and it was good.

I also use it with an application that has a login page.

I did the login by:

1 - set a logged-in session as active
2 - exclude the logout URL from the context
3 - use ajaxSpider

These steps work like a charm,

but when I try to set up form-based authentication it does not work.

I followed all the steps in here: https://www.youtube.com/watch?v=cR4gw-cPZOA&index=7&list=PLEBitBW-Hlsv8cEIUntAO8st2UGhmrjUB

This is the application I try to test: http://wso2.com/products/app-manager/

It simply gets stuck on the login page.

Any way to fix this?

Thanks,
regards,
Thilina.

PS: thanks for developing this amazing ZAP, it was so helpful.

thc...@gmail.com

Aug 19, 2015, 4:49:06 AM
to zaprox...@googlegroups.com
Hi.

Are you enabling "Forced User" mode [1][2] before starting the AJAX spider?

The AJAX spider does not yet allow (directly) scanning as a user, so the
"Forced User" mode needs to be used.


[1] https://github.com/zaproxy/zap-core-help/wiki/HelpUiTltoolbar#--force-user-mode-on--off
[2] https://github.com/zaproxy/zaproxy/wiki/ApiGen_forcedUser

Best regards.


Thilina Madhusanka

Aug 19, 2015, 5:24:46 AM
to OWASP ZAP User Group
Hi

Thanks for the reply.

I am using Forced User mode.

It's like the spider doesn't recognize the login page.

A screenshot of the authentication settings is attached.

Thanks

Best regards,
Thilina

thc...@gmail.com

Aug 19, 2015, 5:45:29 AM
to zaprox...@googlegroups.com
OK. The child nodes of the "carbon" node are "in context", right?

Are you able to access the restricted pages with a browser, while
proxying through ZAP with "Forced User" mode enabled?
Do you see any requests with "Authentication" tag in the "History" tab?

Best regards.

Thilina Madhusanka

Aug 19, 2015, 5:58:17 AM
to OWASP ZAP User Group
Thanks for the reply.

Yes, all nodes are in context.

When I try to access restricted pages while proxying, it logs me out automatically and I need to enter the password and user name again; then it redirects me to that page.

I can see lots of Authentication tags in the history (attachment).

Thanks

thc...@gmail.com

Aug 19, 2015, 9:23:05 AM
to zaprox...@googlegroups.com
OK, it seems that the authentication is not working correctly.

Is the response of one of those authentication requests successful? Or
does it just show the login form again (or an error)?

Best regards.

Thilina Madhusanka

Aug 19, 2015, 11:35:48 PM
to OWASP ZAP User Group
Hi

It just shows the login page.

I don't know how, but now it's working. I did the same steps a few times and in the end it started to work.

There is something I want to know.

When calling

Action: setAuthenticationMethod

from the API, what are the parameters I should pass for these:

contextId*
authMethodName*
authMethodConfigParams

Here is the view of that method in the web browser.

I know the values for the first two parameters:
contextId               -- id of the created context
authMethodName  -- formbased or etc.

What should I pass for the 3rd one?

Thilina Madhusanka

Aug 20, 2015, 3:01:35 AM
to OWASP ZAP User Group
Hi

Update for the previous post.

I have tried passing


this as the value for that last field, but it only takes the username; the password is not taken.

Thanks
Thilina

thc...@gmail.com

Aug 20, 2015, 3:13:10 AM
to zaprox...@googlegroups.com
Hi.

Good to hear that the authentication is now working.


To indicate where the user's name and password should be placed you need
to use the replacement tokens, {%username%} and {%password%}, respectively.
The values of "loginUrl" and "loginRequestData" should be URL encoded.

There's a Java example on how to set up the form-based authentication. [1]

Are you using an API client?


[1] https://github.com/zaproxy/zaproxy/blob/develop/src/org/zaproxy/clientapi/examples/AuthenticationApiExample.java#L118

Best regards.
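The encoding rules described above are easy to get wrong, because loginRequestData itself contains "&" and "=" and the tokens contain "%", and the whole config string is then placed inside another query string. The following is an added example (not code from the thread or from the ZAP project) that builds the authMethodConfigParams value for formBasedAuthentication with the {%username%}/{%password%} tokens, assembles the setAuthenticationMethod request URL, and decodes it again the way ZAP would, to show the tokens survive both encodings. The ZAP base URL, API key, context id, login URL and form field names are assumed placeholder values.

```python
from urllib.parse import urlencode, parse_qs, urlsplit

# Replacement tokens that ZAP substitutes with the selected user's credentials
# at login time; real credentials never go into the config string.
USERNAME_TOKEN = "{%username%}"
PASSWORD_TOKEN = "{%password%}"


def build_form_auth_config(login_url, user_field="username", password_field="password",
                           extra_fields=None):
    """Return the authMethodConfigParams value for formBasedAuthentication.

    Both loginUrl and loginRequestData are URL-encoded once, so the '&' and
    '=' inside loginRequestData survive ZAP's parsing of the config string.
    """
    fields = [(user_field, USERNAME_TOKEN), (password_field, PASSWORD_TOKEN)]
    if extra_fields:
        fields.extend(extra_fields.items())
    login_request_data = "&".join(f"{name}={value}" for name, value in fields)
    return urlencode({"loginUrl": login_url, "loginRequestData": login_request_data})


def set_auth_method_url(zap_base, api_key, context_id, config_params):
    """Build the JSON API request for authentication/action/setAuthenticationMethod.

    config_params sits in the outer query string, so it is URL-encoded a second
    time here; ZAP decodes the query once and then parses the inner pairs.
    """
    query = urlencode({
        "apikey": api_key,
        "contextId": str(context_id),
        "authMethodName": "formBasedAuthentication",
        "authMethodConfigParams": config_params,
    })
    return f"{zap_base}/JSON/authentication/action/setAuthenticationMethod/?{query}"


def decode_config(config_params):
    """Mirror ZAP's view of the config string: one decode, then split into pairs."""
    parsed = parse_qs(config_params, keep_blank_values=True, strict_parsing=True)
    return {name: values[0] for name, values in parsed.items()}


def check_round_trip(url):
    """Parse the outer request and return the inner config as ZAP would see it."""
    outer = parse_qs(urlsplit(url).query, strict_parsing=True)
    return decode_config(outer["authMethodConfigParams"][0])


if __name__ == "__main__":
    # Constructed sample values; the login URL, field names and key are placeholders.
    config = build_form_auth_config("http://example.com/login", "username", "password")
    url = set_auth_method_url("http://localhost:8080", "<api-key>", 1, config)
    print(config)
    print(check_round_trip(url)["loginRequestData"])  # tokens intact after both decodes
```

If the password is "not taken" while the username is, the first thing to compare is the decoded loginRequestData against the field names the login form actually posts; a mismatch in the password field name, or a token that was encoded one time too few or too many, shows up immediately in the round-trip output.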

Thilina Madhusanka

Aug 20, 2015, 6:19:49 AM
to OWASP ZAP User Group
Hi

Thanks for the reply.

It helps a lot.

I'm trying to understand the API and need to test some applications using my own API calls.

Now I'm kind of stuck on getting the AJAX spider status.

I'm also referring to the source of the ZAProxy plugin for Jenkins, and in that plugin it calls the spider first, waits till the spider status reaches 100, and then calls the scan.

How can I see the status of the AJAX spider and compare it with an int?

Thanks
Thilina

thc...@gmail.com

Aug 20, 2015, 9:10:54 AM
to zaprox...@googlegroups.com
Hi.

The AJAX spider does not report the percentage of completion (something
that needs to be changed).
It reports its state, "running"/"stopped".

With the Java API client you can check if the AJAX spider is still running
the following way:

import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

// Assumes ZAP is listening on localhost:8080 and API_KEY holds the configured API key.
// The enclosing method must declare "throws ClientApiException, InterruptedException".
ClientApi zap = new ClientApi("localhost", 8080);

System.out.println("Starting AJAX Spider...");
// "false": the crawl is not restricted to the defined Contexts (see the scope reply above).
zap.ajaxSpider.scan(API_KEY, "http://example.com", "false");
System.out.println("AJAX Spider running...");
// status() reports "running" or "stopped"; there is no percentage to compare against.
while ("running".equals(((ApiResponseElement) zap.ajaxSpider.status()).getValue())) {
    Thread.sleep(2500);
}
System.out.println("AJAX Spider finished.");


Best regards.
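The loop above never gives up, which matters in a Jenkins job where a crawl of an unknown size can run for hours. The following is an added example, not code from the thread or from the ZAP project, of the same "running"/"stopped" polling with a deadline and a check for unknown states, written in Python so it can run offline: the status call is assumed to be wrapped in a status_fn that returns the same strings the ajaxSpider status view does, and a constructed fake status function and fake clock stand in for ZAP.

```python
import time


def wait_for_ajax_spider(status_fn, timeout_s=600.0, poll_interval_s=2.5,
                         sleep=time.sleep, clock=time.monotonic):
    """Poll status_fn() until the AJAX spider reports "stopped".

    status_fn returns the string from the ajaxSpider status view ("running"
    or "stopped"). Returns the number of polls made. Raises TimeoutError if
    the spider is still "running" at the deadline and RuntimeError on a state
    it does not know, so a CI job fails loudly instead of hanging forever.
    """
    deadline = clock() + timeout_s
    polls = 0
    while True:
        state = status_fn()
        polls += 1
        if state == "stopped":
            return polls
        if state != "running":
            raise RuntimeError(f"unexpected AJAX spider state: {state!r}")
        if clock() >= deadline:
            raise TimeoutError(f"AJAX spider still running after {timeout_s}s")
        sleep(poll_interval_s)


def make_fake_status(running_polls):
    """Constructed stand-in for the API call: "running" N times, then "stopped"."""
    calls = {"n": 0}

    def status():
        calls["n"] += 1
        return "running" if calls["n"] <= running_polls else "stopped"

    return status


def make_fake_clock(step_s):
    """Constructed clock that advances step_s per call, to exercise the timeout offline."""
    now = {"t": 0.0}

    def clock():
        now["t"] += step_s
        return now["t"]

    return clock


if __name__ == "__main__":
    # Against a real ZAP instance, status_fn would wrap the client's ajaxSpider
    # status call; here the fake reports "running" three times before "stopped".
    polls = wait_for_ajax_spider(make_fake_status(3), sleep=lambda s: None)
    print(f"AJAX spider finished after {polls} polls")
```

The sleep and clock are injected only so the deadline path can be tested without waiting; in a pipeline the defaults are used and the active scan is started only after this call returns normally.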

kingthorin+owaspzap

Aug 20, 2015, 10:05:05 AM
to OWASP ZAP User Group
I'm guessing that the AJAX Spider doesn't report a percentage because it doesn't have a known end point.

If you're crawling something you don't know ahead of time if there are 10 pages (functions) or 10,000.....

thc...@gmail.com

Aug 20, 2015, 10:25:28 AM
to zaprox...@googlegroups.com
Yeah, I recalled that after posting the reply :)

But, it's still possible to report something, based on what states were
already discovered (like the "normal" spider does).

Best regards.

Thilina Madhusanka

Aug 21, 2015, 6:13:37 AM
to OWASP ZAP User Group
Hi

Thanks all for the replies.

I was able to execute the AJAX spider with authentication (Forced User mode) using API calls.

But the attack is not working properly; it only gives me the result of normal spider mode.

I only tried this by modifying the ZAProxy plugin source and adding the AJAX spider and authentication. The scan method was the same as the original one of the plugin.

Do I have to change the scan method, or do I have to make any changes to scan the URLs discovered by the AJAX spider?

Thanks.
Thilina.


thc...@gmail.com

Aug 21, 2015, 9:46:41 AM
to zaprox...@googlegroups.com
Hi.

No, the active scanner should be scanning the AJAX spider requests too.

How are you checking that the requests are not being scanned? By looking
at the messages sent during the scan?

Best regards.

Thilina Madhusanka

Aug 23, 2015, 11:19:13 PM
to OWASP ZAP User Group
Hi

Thanks for the reply.

I have used it to generate an HTML report; in the report there are only a few links.

The report is the same as without authentication, but the scan took longer than the previous runs.


Thanks,
Thilina.

thc...@gmail.com

Aug 24, 2015, 3:16:55 AM
to zaprox...@googlegroups.com
Hi.

Are you running ZAP in daemon mode or with GUI?
There's an issue that prevents the alerts from being added to the report
when run in daemon mode. [1]


[1] https://github.com/zaproxy/zaproxy/issues/1792

Best regards.

Thilina Madhusanka

Aug 24, 2015, 3:40:03 AM
to OWASP ZAP User Group
Hi

Thanks for the reply.

I'm in daemon mode.

So do I have to wait until the bug is fixed, or can I use an older version of ZAP for the task?

I was able to edit the source code of the ZAProxy Jenkins plugin and enable authentication.

Another thing: when I'm running the ZAP plugin I got this error (there are a few errors like this for separate scan rules), but it keeps scanning without stopping.

769590 [ZAP-ActiveScanner-1] ERROR org.zaproxy.zap.extension.ascanrules.TestServerSideInclude  - Error occurred while scanning with variant org.parosproxy.paros.core.scanner.VariantURLQuery
java.lang.IllegalArgumentException: URLDecoder: Illegal hex characters in escape (%) pattern - For input string: "{p"
	at java.net.URLDecoder.decode(URLDecoder.java:192)
	at org.parosproxy.paros.core.scanner.AbstractPlugin.getURLDecode(Unknown Source)
	at org.parosproxy.paros.core.scanner.VariantURLQuery.getUnescapedValue(Unknown Source)
	at org.parosproxy.paros.core.scanner.VariantAbstractQuery.setParams(Unknown Source)
	at org.parosproxy.paros.core.scanner.VariantURLQuery.setMessage(Unknown Source)
	at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
	at org.parosproxy.paros.core.scanner.AbstractPlugin.run(Unknown Source)
	at java.lang.Thread.run(Thread.java:745)

thc...@gmail.com

Aug 24, 2015, 4:50:59 AM
to zaprox...@googlegroups.com
Hi.

A new weekly release should be available today (in a couple of
hours/minutes?) which already includes the fix.

Nice, is the authentication already configurable, or is it still hardcoded?


Regarding the error, that's an issue. There's already an issue raised
[1] but it's outdated (needs to be updated with latest stacktrace).


[1] https://github.com/zaproxy/zaproxy/issues/1124

Best regards.


Thilina Madhusanka

Aug 24, 2015, 5:02:06 AM
to OWASP ZAP User Group
Hi


It's still hardcoded. I've still not been able to generate a report, so I'm still stuck.

If I am able to generate a report using this hardcoded one, I'll try my best to make it available for configuration.

Regarding my error:

Do I need to update the issue?

Is it affecting my scan?

Regards,
Thilina

thc...@gmail.com

Aug 24, 2015, 6:31:33 AM
to zaprox...@googlegroups.com
Hi.

A new weekly release is now available in case you want to give it a try. [1]


Regarding the error, if you don't mind, that would be great.

Yes, it prevents some attacks from being tested (which might lead to
false negatives).


[1] https://github.com/zaproxy/zaproxy/wiki/Downloads#zap-weekly

Best regards.


Thilina Madhusanka

Aug 24, 2015, 6:43:55 AM
to OWASP ZAP User Group
Hi

Thanks, I'll definitely try it,

since it has the fix for report generation.

I'll post any questions after trying it out.

Best regards,
Thilina.

thc...@gmail.com

Aug 24, 2015, 8:39:04 AM
to zaprox...@googlegroups.com
Hi.

OK.

Thanks for raising the issue!

Best regards.

Thilina Madhusanka

unread,
Aug 25, 2015, 12:52:06 AM8/25/15
to OWASP ZAP User Group
Hi

I downloaded the ZAP weekly release, set ZAP_HOME to that folder, and set the ZAP default dir on Jenkins to /home/thilinam/.ZAP_D

Then I select a policy and run the Jenkins build in the same way,

but the spider is stuck at 0%; it just shows me 0% for a long time.

The UI works fine.

Thanks.
Thilina.

thc...@gmail.com

unread,
Aug 25, 2015, 3:59:37 AM8/25/15
to zaprox...@googlegroups.com
Hi.

OK. Is that happening with normal spider or AJAX spider?

Best regards.

Thilina Madhusanka

unread,
Aug 25, 2015, 4:02:10 AM8/25/15
to OWASP ZAP User Group
Hi

It happens with the normal spider,

the spiderAsUser method.

Thanks

thc...@gmail.com

unread,
Aug 25, 2015, 6:10:51 PM8/25/15
to zaprox...@googlegroups.com
Hi.

That's caused by an issue/oversight.
The given URL was not being used as seed when spidering with a context
(as is the case when spidering as a user, also the progress was not set
to 100% even if stopped/finished).

The workaround is to access the target before starting the spider.
With the Java API client it can be done with:
clientApi.accessUrl("http://example.com");
Thread.sleep(1000);
// start the spider...


Best regards.


Thilina Madhusanka

unread,
Aug 25, 2015, 11:35:05 PM8/25/15
to OWASP ZAP User Group
Hi 

thanks for the reply

Now I get the following error.

The error occurs when running clientApi.accessUrl(url):

ERROR: org.zaproxy.clientapi.core.ClientApiException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

thc...@gmail.com

unread,
Aug 26, 2015, 2:06:00 AM8/26/15
to zaprox...@googlegroups.com
Hi.

Right, accessing HTTPS sites requires trusting ZAP's certs.

Instead of "accessUrl" use the following:
clientApi.core.sendRequest(ZAP_API_KEY, "GET https://example.com/
HTTP/1.1", "");

The request is sent directly from ZAP, so it does not require changing
the Java API client to trust ZAP's certs.

Best regards.


Thilina Madhusanka

unread,
Aug 26, 2015, 6:49:30 AM8/26/15
to OWASP ZAP User Group
Hi

thanks for the reply

I have used it but got the error "Provided parameter has illegal or unrecognized value".

What am I doing wrong?

zapClientAPI.core.sendRequest(API_KEY, "GET https://localhost:9443/carbon/HTTP/1.1", "");

thc...@gmail.com

unread,
Aug 26, 2015, 6:58:04 AM8/26/15
to zaprox...@googlegroups.com
Hi.

It's missing a space before "HTTP/1.1".

I see now that in my previous email the space was replaced with a
line break, sorry :/

Best regards.

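The two fixes given in this thread (seed the target through ZAP before spidering as a user, and send that seed with core/sendRequest so the client never has to trust ZAP's root CA) come down to getting one raw request line right. The helper below is an added example, not code from the thread or from the ZAP project: it builds the request in the form ZAP's sendRequest expects, refuses the missing-space form that produced "Provided parameter has illegal or unrecognized value", and hands it to ZAP. It assumes the official Python client (zapv2, pip package python-owasp-zap-v2.4) and a ZAP instance on localhost:8080 with a known API key; the target URL is the one from the thread.

```python
from urllib.parse import urlsplit


def build_request(method, url, headers=None, body=""):
    """Return a raw HTTP request in the form ZAP's core/action/sendRequest takes.

    The request line is `METHOD absolute-URL HTTP/1.1` separated by single
    spaces.  Dropping the space before HTTP/1.1 (the mistake in the thread)
    glues the version onto the path and ZAP rejects the parameter.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("sendRequest needs an absolute http(s) URL, got %r" % url)
    hdrs = dict(headers or {})
    hdrs.setdefault("Host", parts.netloc)
    lines = ["%s %s HTTP/1.1" % (method.upper(), url)]
    lines.extend("%s: %s" % kv for kv in hdrs.items())
    return "\r\n".join(lines) + "\r\n\r\n" + body


def check_request_line(request):
    """Return (ok, reason) for the first line of a raw request."""
    line = request.split("\r\n", 1)[0]
    fields = line.split(" ")
    if len(fields) != 3:
        return False, "expected 'METHOD URL HTTP/1.x' with single spaces, got %r" % line
    method, url, version = fields
    if not method.isalpha() or not method.isupper():
        return False, "bad method %r" % method
    if not url.startswith(("http://", "https://")):
        return False, "URL must be absolute, got %r" % url
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return False, "bad version %r (is the space before it missing?)" % version
    return True, ""


def seed_target(zap, url):
    """Have ZAP itself fetch `url` so it is in the Sites tree before
    spider.scan_as_user is started (the workaround given in the thread).

    ZAP performs the request, so the Python client never talks TLS to the
    target and does not need to trust ZAP's root CA, which is what made
    accessUrl fail with the PKIX error.  `zap` is assumed to be a zapv2 client.
    """
    request = build_request("GET", url)
    ok, why = check_request_line(request)
    if not ok:
        raise ValueError(why)
    return zap.core.send_request(request)


if __name__ == "__main__":
    # Assumed setup: ZAP listening on localhost:8080 with the API key below.
    from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4

    zap = ZAPv2(apikey="changeme",
                proxies={"http": "http://localhost:8080",
                         "https": "http://localhost:8080"})
    print(seed_target(zap, "https://localhost:9443/carbon/"))
```

Run check_request_line on anything you assemble by string concatenation; it is cheap and catches exactly the class of typo the thread spent three messages on.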

Thilina Madhusanka

unread,
Aug 26, 2015, 7:00:33 AM8/26/15
to OWASP ZAP User Group
HI

Update for the previous post.

Does this issue come up with the weekly release?

I could run the spider without adding any other methods in the earlier version.

Thanks

thc...@gmail.com

unread,
Aug 26, 2015, 7:07:07 AM8/26/15
to zaprox...@googlegroups.com
Hi.

Yes, the spider is now using the context of the user but is not
including the provided URL as seed.
That was already fixed in the repository, though.

Best regards.


Thilina Madhusanka

unread,
Aug 26, 2015, 8:04:04 AM8/26/15
to OWASP ZAP User Group
Hi

thanks for the reply

It seems to be working fine.

Report generation is also working fine.

If I build ZAP from source, will it fix this use of the new method?

thanks.

thc...@gmail.com

unread,
Aug 26, 2015, 9:01:04 AM8/26/15
to zaprox...@googlegroups.com
Hi.

Yes, when built from source it will not require accessing the target before
spidering as a user.

Best regards.

Thilina Madhusanka

unread,
Aug 27, 2015, 1:10:47 AM8/27/15
to OWASP ZAP User Group
Hi

thanks for the reply.

Is there any known issue where the spider is stuck at 99%?

I have faced this 3 or 4 times when I used the Jenkins plugin.

Status spider = 99%
Alerts number = 		ApiResponseElement numberOfAlerts = 7495

Status spider = 99%
Alerts number = 		ApiResponseElement numberOfAlerts = 7495

Status spider = 99%
Alerts number = 		ApiResponseElement numberOfAlerts = 7495

Status spider = 99%
Alerts number = 		ApiResponseElement numberOfAlerts = 7495

Status spider = 99%
Alerts number = 		ApiResponseElement numberOfAlerts = 7495

Status spider = 99%
Alerts number = 		ApiResponseElement numberOfAlerts = 7495

Status spider = 99%
Alerts number = 		ApiResponseElement numberOfAlerts = 7495


Thilina Madhusanka

unread,
Aug 27, 2015, 5:42:56 AM8/27/15
to OWASP ZAP User Group
Hi

This happened again, and then when I started the build and test on Jenkins it got stuck at 0%.

Is this something with ZAP, or maybe my web app?

thanks
Thilina.

Thilina Madhusanka

unread,
Aug 28, 2015, 12:32:44 AM8/28/15
to OWASP ZAP User Group
Hi

update

I think this happens when I stop the spidering or scan before it finishes; the next time I run the process it gets stuck at 0%.

thanks

Thilina Madhusanka

unread,
Aug 28, 2015, 3:10:24 AM8/28/15
to OWASP ZAP User Group
Hi 

NEED HELP to build ZAP from the source code, to remove the need for the zapClientAPI.core.sendRequest method.

A step-by-step guide would be good.

Thanks.

Simon Bennetts

unread,
Aug 28, 2015, 3:16:37 AM8/28/15
to OWASP ZAP User Group

thc...@gmail.com

unread,
Aug 28, 2015, 3:20:33 AM8/28/15
to zaprox...@googlegroups.com
Hi.

I was able to reproduce the issue of the spider returning always 97%
(not reliably though).

Was not able to reproduce the scan being stuck at 0%.
Could you provide the excerpt of the log file when that happens?
(file zap.log located in ZAP's default directory or the directory
manually specified [1])
You might need to remove/obfuscate sensitive information.

Also, could you check the state of the scans? Is the last
"Running"/"Finished"?

To see the states of the spider/active scans access while proxying
through ZAP:
http://zap/JSON/spider/view/scans
and
http://zap/JSON/ascan/view/scans



[1] https://github.com/zaproxy/zaproxy/wiki/FAQconfig

Best regards.
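A CI job that loops on spider/view/status alone hangs forever when the percentage sticks at 97-99% after the scan has actually ended, which is the behaviour reported above. The loop below is an added example, not code from the thread or the ZAP project: it polls both the status and the per-scan state from spider/view/scans (the check suggested in the reply above) and treats a terminal state as completion even if the percentage never reaches 100, with a hard timeout so a genuinely stuck scan fails the job instead of blocking it. It assumes the zapv2 Python client and that scan entries carry "id", "progress" and "state"; "RUNNING" and "FINISHED" are the states named in the thread, "STOPPED" is an assumed additional terminal state.

```python
import time

# States ZAP reports in spider/view/scans.  "RUNNING" and "FINISHED" are
# named in the thread; "STOPPED" (scan stopped by the user) is assumed.
TERMINAL_STATES = {"FINISHED", "STOPPED"}


def scan_state(scans, scan_id):
    """State string for `scan_id` in the list spider/view/scans returns
    (entries look like {"id": "0", "progress": "99", "state": "RUNNING"}),
    or None if ZAP does not list that scan."""
    for scan in scans:
        if str(scan.get("id")) == str(scan_id):
            return str(scan.get("state", "")).upper()
    return None


def wait_for_spider(get_status, get_scans, scan_id, timeout=600, poll=2.0,
                    sleep=time.sleep, clock=time.monotonic):
    """Poll until the spider is done and return (percent, state).

    get_status(scan_id) -> percentage string, as spider/view/status returns it;
    get_scans()         -> list of scans, as spider/view/scans returns it.
    Completion means 100% or a terminal state, so a percentage stuck at 99%
    with state FINISHED ends the wait instead of hanging the build.
    Raises TimeoutError after `timeout` seconds (`sleep`/`clock` are injectable
    so the loop can be exercised offline).
    """
    deadline = clock() + timeout
    percent, state = -1, None
    while clock() < deadline:
        percent = int(get_status(scan_id))
        state = scan_state(get_scans(), scan_id)
        if percent >= 100 or state in TERMINAL_STATES:
            return percent, state
        sleep(poll)
    raise TimeoutError("spider %s still at %d%% (state %s) after %ss"
                       % (scan_id, percent, state, timeout))


if __name__ == "__main__":
    # Assumed setup: ZAP on localhost:8080, context 1 and user 0 already
    # configured for form-based authentication.
    from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4

    zap = ZAPv2(apikey="changeme",
                proxies={"http": "http://localhost:8080",
                         "https": "http://localhost:8080"})
    scan_id = zap.spider.scan_as_user(contextid="1", userid="0",
                                      url="https://localhost:9443/carbon/")
    print(wait_for_spider(zap.spider.status, lambda: zap.spider.scans, scan_id))
```

The same shape works for the active scanner by swapping in ascan.status and ascan.scans; keeping the timeout is what turns a ZAP progress bug into a failed build rather than a Jenkins executor held for hours.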

Thilina Madhusanka

unread,
Aug 28, 2015, 3:37:50 AM8/28/15
to OWASP ZAP User Group
Hi 

thanks for the reply . 

Is there any way to build it without setting up an IDE (with the terminal)?

thanks

Simon Bennetts

unread,
Aug 28, 2015, 3:44:09 AM8/28/15
to OWASP ZAP User Group
Oh yes, but it's not fully documented.
Hopefully you should be able to just clone all of the https://github.com/zaproxy projects and use the build.xml files directly.
Note that the zap-extensions project was set up in Google Code and uses the alpha, beta and master branches for different add-ons based on their maturity.
I'd recommend having these as 3 separate projects, as per the Eclipse team project set.
If you have any problems you can ask questions on the ZAP developer group: https://groups.google.com/group/zaproxy-develop

Cheers,

Simon

thc...@gmail.com

unread,
Aug 28, 2015, 3:56:50 AM8/28/15
to zaprox...@googlegroups.com
Following are the steps to build just ZAP (you need to use/install the
add-ons available in the marketplace).

ZAP is built with Ant. [1]

Create a directory where you want ZAP repo to be and open a terminal.
1. git clone https://github.com/zaproxy/zaproxy.git --depth 1
with "--depth 1" it's a lot faster to clone the repo although it will
not have the full history (not important if you just want to build it).
2. cd zaproxy
3. ant -f build/build.xml

The package is created in the "build" directory:
"ZAP_Dev Build_Linux.tar.gz"


[1] https://ant.apache.org/

Best regards.

Thilina Madhusanka

unread,
Aug 28, 2015, 4:39:29 AM8/28/15
to OWASP ZAP User Group
Hi

thanks all for the reply 

As for the log file, the folder only has a dummy.txt file.

I use ZAP through Jenkins, so I can send the Jenkins log file (attached).

It has all the ZAP terminal output.

thanks

log.txt

Thilina Madhusanka

unread,
Aug 31, 2015, 1:51:34 AM8/31/15
to OWASP ZAP User Group
Hi

In this, does the colored username refer to the POST data parameter?

Is it the user created on the web application?

Can this be any parameter that the web application refers to as the username?

"username={%username%}&password={%password%}"

thanks

Thilina Madhusanka

unread,
Aug 31, 2015, 3:32:58 AM8/31/15
to OWASP ZAP User Group
Hi

I have built ZAP from the source and used it for the test, but now it is stuck at 62% and 0 alerts.


Thilina Madhusanka

unread,
Aug 31, 2015, 4:55:44 AM8/31/15
to OWASP ZAP User Group
Hi

Update for the previous post.

It moves on from 62%, but 0 alerts are found.

The scan also completed, but with no result.

New question:

After spidering the URL https://localhost:9443/carbon,

if I run the scan for the same URL it won't find any alerts.

If I change the scan URL to https://localhost:9443/ and keep the spider URL the same, it works properly.

Is it an issue?

thanks.


thc...@gmail.com

unread,
Aug 31, 2015, 5:16:32 AM8/31/15
to zaprox...@googlegroups.com
Hi.

An issue has been raised to fix spider's reported progress after
finishing. [1]

Not sure it's the same problem shown in the logs, though.


[1] https://github.com/zaproxy/zaproxy/issues/1858

Best regards.


thc...@gmail.com

unread,
Aug 31, 2015, 5:17:01 AM8/31/15
to zaprox...@googlegroups.com
Hi.

Yes, that's correct. Those should be the parameter names used by the web
application.

Best regards.
> --
> You received this message because you are subscribed to the Google
> Groups "OWASP ZAP User Group" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to zaproxy-user...@googlegroups.com
> <mailto:zaproxy-user...@googlegroups.com>.
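The reply above settles what goes into loginRequestData: the parameter names are the ones the application's login form uses, and {%username%} / {%password%} are tokens ZAP substitutes per user. What trips people up is that the same strings then get URL-encoded twice over (once for the form, once because the API parameter is itself a query-string style blob), and a password containing "&" or "%" breaks if either layer is skipped. The code below is an added example, not from the thread or the ZAP project: it builds the context include regex, the authentication config and the user credentials the way the Java snippet later in the thread does, decodes them back to prove the tokens and special characters survive, and applies them through the zapv2 Python client. The target URL is the one from the thread; the login path, user name and password are constructed sample values.

```python
from urllib.parse import urlencode, parse_qs

# Tokens ZAP replaces with the user's credentials at login time.  They must
# appear literally in the request data template, not URL-encoded.
USERNAME_TOKEN = "{%username%}"
PASSWORD_TOKEN = "{%password%}"


def include_regex(url):
    """Context include pattern that matches `url` and everything below it.
    ZAP evaluates Java regexes, where \\Q...\\E quotes the URL literally so
    '.' and '?' in it are not metacharacters."""
    return "\\Q" + url + "\\E.*"


def login_request_data(username_param, password_param):
    """POST body template for the login request.  The parameter *names* come
    from the application's login form; the values are ZAP's tokens."""
    return "%s=%s&%s=%s" % (username_param, USERNAME_TOKEN,
                            password_param, PASSWORD_TOKEN)


def auth_method_config(login_url, request_data):
    """authmethodconfigparams for authentication/action/setAuthenticationMethod.
    The whole thing is a query string, so '&', '{' and '%' inside the template
    are escaped here; ZAP strips this layer before it sees the template."""
    return urlencode({"loginUrl": login_url, "loginRequestData": request_data})


def credentials_config(username, password):
    """authcredentialsconfigparams for users/action/setAuthenticationCredentials.
    Encoding keeps '&', '=' and '%' in a password from being read as extra
    parameters."""
    return urlencode({"username": username, "password": password})


def decode_config(config):
    """Undo one encoding layer, as ZAP does, to check what it will receive."""
    return {k: v[0] for k, v in parse_qs(config, keep_blank_values=True).items()}


def configure_form_auth(zap, context_name, target_url, login_url,
                        username_param, password_param, username, password):
    """Create a context with form-based auth and one enabled user; return
    (context_id, user_id).  `zap` is assumed to be a zapv2 client."""
    context_id = zap.context.new_context(context_name)
    zap.context.include_in_context(context_name, include_regex(target_url))
    zap.authentication.set_authentication_method(
        context_id, "formBasedAuthentication",
        auth_method_config(login_url,
                           login_request_data(username_param, password_param)))
    user_id = zap.users.new_user(context_id, username)
    zap.users.set_authentication_credentials(
        context_id, user_id, credentials_config(username, password))
    zap.users.set_user_enabled(context_id, user_id, "true")
    return context_id, user_id


if __name__ == "__main__":
    # Assumed setup: ZAP on localhost:8080; login path and credentials are
    # constructed sample values.
    from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4

    zap = ZAPv2(apikey="changeme",
                proxies={"http": "http://localhost:8080",
                         "https": "http://localhost:8080"})
    print(configure_form_auth(zap, "test", "https://localhost:9443/carbon/",
                              "https://localhost:9443/carbon/login",
                              "username", "password", "admin", "p&ss=w%rd"))
```

Before spidering, fetching the login page with a user selected in ZAP's UI and checking the auth tab shows whether the decoded template and the logged-in indicator match what the application actually sends.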

thc...@gmail.com

unread,
Aug 31, 2015, 5:22:21 AM8/31/15
to zaprox...@googlegroups.com
Hi.

Do you have the passive/active scanner add-ons installed?
When building from source the package will not have any add-ons
(although add-ons can be picked from the ZAP home dir [1]).
You can include the add-ons in ZAP by copying them to "src/plugin"
directory before building the package.


Regarding the new question, are you specifying a user when active scanning?


[1] https://github.com/zaproxy/zaproxy/wiki/FAQconfig

Best regards.
> --
> You received this message because you are subscribed to the Google
> Groups "OWASP ZAP User Group" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to zaproxy-user...@googlegroups.com
> <mailto:zaproxy-user...@googlegroups.com>.

Thilina Madhusanka

unread,
Aug 31, 2015, 5:24:30 AM8/31/15
to OWASP ZAP User Group
Hi

thanks for the help. 

Best regards
Thilina.  

Thilina Madhusanka

unread,
Aug 31, 2015, 6:23:41 AM8/31/15
to OWASP ZAP User Group
Hi

Thanks for the reply.

OK, I'll put them in.

No I haven't; is it necessary to scan the URL as a user after spidering it as a user?

If yes, then why does it scan all the URLs when I change the scan URL?

Thanks.

Thilina Madhusanka

unread,
Aug 31, 2015, 6:55:53 AM8/31/15
to OWASP ZAP User Group
Hi

Can you please tell me how I can put the add-ons in?

Just download the zip [1] file and extract it into src/plugin?


thc...@gmail.com

unread,
Aug 31, 2015, 9:05:14 AM8/31/15
to zaprox...@googlegroups.com
Hi.

Yes, if you want to keep using the user, otherwise some of the active
scan requests might not be authenticated (thus, potentially, rejected by
the target application).


That seems to be another problem; could you provide the ZAP API calls that
you are using?

Best regards.

thc...@gmail.com

unread,
Aug 31, 2015, 9:06:37 AM8/31/15
to zaprox...@googlegroups.com
Hi.

Not sure which zip file are you referring to. Is it the "2.4.zip" file?
If yes, that's the source of the add-ons, you need to download the
".zap" files.

It might be easier to just launch ZAP and install the add-ons from the
marketplace (which ensures that the correct version of the add-ons is
downloaded).
You can then copy the add-ons from the ZAP's default "plugin" directory
to "src/plugin" directory.

Best regards.


Thilina Madhusanka

unread,
Aug 31, 2015, 11:53:16 PM8/31/15
to OWASP ZAP User Group
Hi

thanks for the help.

Is there a new weekly release?

These are the 2 methods I'm using for scanning and spidering:

import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

import hudson.model.BuildListener;

import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

/**
 * Search for all links and pages on the URL and raise passive alerts as a given user.
 *
 * @author Thilina Madhusanka
 * @param url the URL to investigate
 * @param listener the listener used to display the log during the job execution in Jenkins
 * @param zapClientAPI the client API used to call ZAP API methods
 * @throws ClientApiException
 * @throws InterruptedException
 * @throws UnsupportedEncodingException if URL encoding with URLEncoder fails
 */
private void spiderURLAsUser(final String url, BuildListener listener, ClientApi zapClientAPI,
        String username, String password, String usernameParameter,
        String passwordParameter, String loginUrl, String loggedInIndicator)
        throws ClientApiException, InterruptedException, UnsupportedEncodingException {

    String contextName = "test"; // name of the context to be created
    // Include the URL the user gave to scan, quoted literally as a regex (\Q...\E)
    // TODO: decide whether the input should be a regex or a plain URL converted into one
    String contextURL = "\\Q" + url + "\\E.*";
    String contextId;
    // Form-based login request body; ZAP substitutes {%username%} and {%password%}
    String loginRequestData = usernameParameter + "={%username%}&" + passwordParameter + "={%password%}";
    String userId;

    // Create a new context
    // method signature: newContext(String apikey, String contextname) throws ClientApiException
    contextId = extractContextId(zapClientAPI.context.newContext(API_KEY, contextName));
    listener.getLogger().println("context " + contextName + " created");

    // Add the URL to the context
    // method signature: includeInContext(String apikey, String contextname, String regex)
    //   throws ClientApiException
    zapClientAPI.context.includeInContext(API_KEY, contextName, contextURL);
    listener.getLogger().println("URL " + contextURL + " added to " + contextName);

    // Set the authentication method.
    // The configuration is passed in a format similar to URL parameters, so every
    // value added to the configuration has to be URL encoded.
    StringBuilder formBasedConfig = new StringBuilder();
    formBasedConfig.append("loginUrl=").append(URLEncoder.encode(loginUrl, "UTF-8"));
    formBasedConfig.append("&loginRequestData=").append(URLEncoder.encode(loginRequestData, "UTF-8"));

    zapClientAPI.authentication.setAuthenticationMethod(API_KEY, contextId, "formBasedAuthentication",
            formBasedConfig.toString());
    listener.getLogger().println("Form Based Authentication added to context : " + contextName);

    // Add the logged-in indicator (regex matched against responses to tell logged-in state)
    zapClientAPI.authentication.setLoggedInIndicator(API_KEY, contextId, loggedInIndicator);
    listener.getLogger().println("Logged in indicator " + loggedInIndicator + " added to context : " + contextName);

    // Add a new user and its authentication details (ZAP needs at least one user).
    // extractUserId is the manually edited helper method (above)
    userId = extractUserId(zapClientAPI.users.newUser(API_KEY, contextId, "admin"));

    // Same URL-parameter-like format as above, so the values have to be URL encoded.
    StringBuilder userAuthConfig = new StringBuilder();
    userAuthConfig.append("username=").append(URLEncoder.encode(username, "UTF-8"));
    userAuthConfig.append("&password=").append(URLEncoder.encode(password, "UTF-8"));
    zapClientAPI.users.setAuthenticationCredentials(API_KEY, contextId, userId, userAuthConfig.toString());

    // Log the username only; the password must not end up in the Jenkins console output
    listener.getLogger().println("New user added. username : " + username);
    zapClientAPI.users.setUserEnabled(API_KEY, contextId, userId, "true");
    listener.getLogger().println("User : admin is now Enabled");
    listener.getLogger().println("Start spider as enabled user");

    // Method signature: scanAsUser(String apikey, String url, String contextid, String userid,
    //   String maxchildren) throws ClientApiException
    zapClientAPI.spider.scanAsUser(API_KEY, url, contextId, userId, "1000"); // maxchildren: crawl depth
    // Wait until spidering is complete (status equals 100)
    // Method signature: status(String scanId); "" refers to the most recent scan
    while (statusToInt(zapClientAPI.spider.status("")) < 100) {
        listener.getLogger().println("Status spider ============================================== "
                + ((ApiResponseElement) zapClientAPI.spider.status("")).getValue());
        listener.getLogger().println("Status spider = " + statusToInt(zapClientAPI.spider.status("")) + "%");
        listener.getLogger().println("Alerts number = " + zapClientAPI.core.numberOfAlerts("").toString(2));
        Thread.sleep(1000);
    }

    listener.getLogger().println("Spider finished");
}

/**
 * Scan all pages found at url and raise active alerts.
 *
 * @param url the URL to scan
 * @param listener the listener used to display the log during the job execution in Jenkins
 * @param zapClientAPI the client API used to call ZAP API methods
 * @throws ClientApiException
 * @throws InterruptedException
 */
private void scanURL(final String url, BuildListener listener, ClientApi zapClientAPI)
        throws ClientApiException, InterruptedException {
    if (chosenPolicy == null || chosenPolicy.isEmpty()) {
        listener.getLogger().println("Scan url [" + url + "] with the policy by default");
    } else {
        listener.getLogger().println("Scan url [" + url + "] with the following policy ["
                + chosenPolicy + "]");
    }
    // Method signature: scan(String apikey, String url, String recurse, String inscopeonly,
    //   String scanpolicyname, String method, String postdata)
    // A null or empty chosenPolicy makes ZAP use the default policy.
    // NOTE: the scan URL is hard-coded here instead of using the url parameter
    zapClientAPI.ascan.scan(API_KEY, "https://localhost:9443/", "true", "false", chosenPolicy, null, null);
    listener.getLogger().println("changed the scan url to https://localhost:9443/ +++++++++++++ why");
    // Wait until scanning is complete (status equals 100)
    // Method signature: status(String scanId)
    while (statusToInt(zapClientAPI.ascan.status("")) < 100) {
        listener.getLogger().println("Status scan = " + statusToInt(zapClientAPI.ascan.status("")) + "%");
        listener.getLogger().println("Alerts number = " + zapClientAPI.core.numberOfAlerts("").toString(2));
        listener.getLogger().println("Messages number = " + zapClientAPI.core.numberOfMessages("").toString(2));
        Thread.sleep(5000);
    }
}

Thilina Madhusanka

unread,
Sep 1, 2015, 12:02:57 AM9/1/15
to OWASP ZAP User Group
Hi

Does this weekly release have all the fixes for that additional method issue?

thanks 



thc...@gmail.com

unread,
Sep 1, 2015, 2:22:46 AM9/1/15
to zaprox...@googlegroups.com
Hi.

Yes, it does.

Best regards.

Thilina Madhusanka

unread,
Sep 1, 2015, 2:31:47 AM9/1/15
to OWASP ZAP User Group
Hi

Nice to hear.

That stuck-in-the-same-percentage bug [1] has now become more annoying.

It happens twice in 3 tries.


Thilina Madhusanka

unread,
Sep 1, 2015, 3:04:05 AM9/1/15
to OWASP ZAP User Group
Hi

Also, I'm using the weekly release.


thc...@gmail.com

unread,
Sep 1, 2015, 3:30:43 AM9/1/15
to zaprox...@googlegroups.com
Hi.

Could you add the following line to the file "log4j.properties" (located in
ZAP's home dir):
log4j.logger.org.parosproxy.paros.core.scanner.HostProcess = DEBUG

After that, try scanning with the two URLs and provide the log/output.

It should contain something like the attached file (zap.log).
It allows checking what's really being scanned.
It might be better to have just one scanner enabled, to reduce the
log/output to a minimum.

Best regards.


thc...@gmail.com

unread,
Sep 1, 2015, 3:31:47 AM9/1/15
to zaprox...@googlegroups.com
Hi.

OK, the issue was not yet fixed.
I'll look at that shortly.

Best regards.

Thilina Madhusanka

unread,
Sep 1, 2015, 3:40:19 AM9/1/15
to OWASP ZAP User Group
Hi

I'm using a Jenkins plugin for ZAP.
It seems it does not generate any log file other than the Jenkins terminal output.

I'll post it after it reproduces this bug.

thanks

Thilina Madhusanka

unread,
Sep 2, 2015, 5:03:18 AM9/2/15
to OWASP ZAP User Group
Hi

What API method should I use to conduct an ascan as a user?

thanks

Simon Bennetts

unread,
Sep 2, 2015, 5:32:13 AM9/2/15
to OWASP ZAP User Group
ascan/action/scanAsUser/ :)
https://github.com/zaproxy/zaproxy/wiki/ApiGen_ascan

It's well worth exploring the API UI, e.g. via http://localhost:8080/UI/ or whatever host/port your ZAP instance is listening on.

Simon

Thilina Madhusanka

unread,
Sep 2, 2015, 5:41:07 AM9/2/15
to OWASP ZAP User Group
Hi

thanks for the reply. 

I was going through the Java documentation to find that method; I wasn't able to find it :)

thanks

Thilina Madhusanka

unread,
Sep 3, 2015, 5:12:54 AM9/3/15
to OWASP ZAP User Group
Hi

Is this scan as user available in the Java API?

Thilina Madhusanka

unread,
Sep 3, 2015, 5:19:43 AM9/3/15
to OWASP ZAP User Group
Hi

I have built ZAP from source and use it with my Jenkins plugin.

Whatever scan policy I choose, it only generates some of the results.

It shows that each type of test has completed, but it doesn't show them in the report.

The web app I'm testing had some major cross-site scripting issues; they were reported last time, but they did not come up with the new source build.

thanks

thc...@gmail.com

unread,
Sep 3, 2015, 5:27:15 AM9/3/15
to zaprox...@googlegroups.com
Hi.

Yes, it's available in the latest release (version 5) of the Java ZAP API
client:
clientApi.ascan.scanAsUser(apikey, url, contextid, userid, recurse,
scanpolicyname, method, postdata)


Best regards.
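The call above, as an added example that is neither the plugin's nor ZAP's own code: it starts the active scan as a user with the signature given in the reply, reads the scan id from the response, and polls the status by that id with a time limit, so a scan that stays at the same percentage is stopped instead of blocking the job forever. The `API_KEY` value, the context and user ids, the URL and the class name are assumptions; the response of `scanAsUser` is assumed to be an `ApiResponseElement` whose value is the scan id.

```java
import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

public class AscanAsUserExample {

    // Placeholder values (assumed): the real key is taken from ZAP's API options
    private static final String API_KEY = "changeme";
    private static final String ZAP_HOST = "localhost";
    private static final int ZAP_PORT = 8080;

    /**
     * Starts an active scan of url as the given user and blocks until it finishes
     * or maxWaitMillis elapses. Returns the final status (0-100) reported by ZAP.
     */
    public static int activeScanAsUser(ClientApi zap, String url, String contextId,
            String userId, String policyName, long maxWaitMillis)
            throws ClientApiException, InterruptedException {
        // Signature from the reply: scanAsUser(apikey, url, contextid, userid, recurse,
        // scanpolicyname, method, postdata); a null policy name selects the default policy
        ApiResponse resp = zap.ascan.scanAsUser(API_KEY, url, contextId, userId,
                "true", policyName, null, null);
        // Assumption: the response element's value is the id of the scan just started
        String scanId = ((ApiResponseElement) resp).getValue();

        long deadline = System.currentTimeMillis() + maxWaitMillis;
        int status = 0;
        // Poll by scan id rather than "" so a concurrently started scan is not confused with this one
        while (status < 100) {
            status = Integer.parseInt(((ApiResponseElement) zap.ascan.status(scanId)).getValue());
            System.out.println("Active scan " + scanId + " = " + status + "%");
            if (status >= 100) {
                break;
            }
            if (System.currentTimeMillis() > deadline) {
                // Guard against a scan that stays at the same percentage: stop it and fail the job
                zap.ascan.stop(API_KEY, scanId);
                throw new IllegalStateException("Active scan " + scanId + " stuck at " + status + "%");
            }
            Thread.sleep(5000);
        }
        return status;
    }

    public static void main(String[] args) throws Exception {
        ClientApi zap = new ClientApi(ZAP_HOST, ZAP_PORT);
        // Context id "1" and user id "0" are assumed to come from newContext / newUser
        int status = activeScanAsUser(zap, "https://localhost:9443/", "1", "0", null, 30 * 60 * 1000L);
        System.out.println("Final status: " + status);
    }
}
```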

thc...@gmail.com

unread,
Sep 3, 2015, 5:28:06 AM9/3/15
to zaprox...@googlegroups.com
Hi.

Are you sure that you are using exactly the same add-ons?
Are the same pages being scanned?

Best regards.

Thilina Madhusanka

unread,
Sep 3, 2015, 5:31:39 AM9/3/15
to OWASP ZAP User Group
Hi

Also, I got an error like this. This is not connected with the previous issue.

Is this error from my plugin or ZAP?

Status scan = 6%
1745018 [HSQLDB Timer @45c7fa1a] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE  - Checkpoint start
1745018 [HSQLDB Timer @45c7fa1a] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE  - checkpointClose start
1745153 [HSQLDB Timer @45c7fa1a] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE  - dataFileCache commit start
1746714 [HSQLDB Timer @45c7fa1a] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE  - checkpointClose end
1746792 [HSQLDB Timer @45c7fa1a] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE  - Checkpoint end
AWT blocker activation interrupted:
java.lang.InterruptedException
	at java.lang.Object.wait(Native Method)
	at java.lang.Object.wait(Object.java:503)
	at sun.awt.AWTAutoShutdown.activateBlockerThread(AWTAutoShutdown.java:349)
	at sun.awt.AWTAutoShutdown.notifyThreadBusy(AWTAutoShutdown.java:174)
	at java.awt.EventQueue$5.run(EventQueue.java:1058)
	at java.awt.EventQueue$5.run(EventQueue.java:1049)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.awt.EventQueue.initDispatchThread(EventQueue.java:1048)
	at java.awt.EventQueue.postEventPrivate(EventQueue.java:282)
	at java.awt.EventQueue.postEvent(EventQueue.java:257)
	at java.awt.EventQueue.invokeLater(EventQueue.java:1233)
	at org.zaproxy.zap.extension.alert.AlertTreeModel.addPath(Unknown Source)
	at org.zaproxy.zap.extension.alert.ExtensionAlert.addAlertToTreeEventHandler(Unknown Source)
	at org.zaproxy.zap.extension.alert.ExtensionAlert.addAlertToTree(Unknown Source)
	at org.zaproxy.zap.extension.alert.ExtensionAlert.alertFound(Unknown Source)
	at org.zaproxy.zap.extension.pscan.PassiveScanThread.raiseAlert(Unknown Source)
	at org.zaproxy.zap.extension.pscanrules.CacheControlScanner.raiseAlert(Unknown Source)
	at org.zaproxy.zap.extension.pscanrules.CacheControlScanner.scanHttpResponseReceive(Unknown Source)
	at org.zaproxy.zap.extension.pscan.PassiveScanThread.run(Unknown Source)

Thilina Madhusanka

unread,
Sep 3, 2015, 5:39:36 AM9/3/15
to OWASP ZAP User Group
Hi

I downloaded [1] then [2]; first I built [2], put the .zap files into src/plugin in [1], and then built [1].

Is it OK?

thanks


thc...@gmail.com

unread,
Sep 3, 2015, 5:57:28 AM9/3/15
to zaprox...@googlegroups.com
Hi.

That's an issue in ZAP.
Were you running ZAP with GUI when that happened?

Best regards.

thc...@gmail.com

unread,
Sep 3, 2015, 6:00:19 AM9/3/15
to zaprox...@googlegroups.com
Hi.

Yes, the steps are right, although that does not include all add-ons, just
"release" quality add-ons.
Did you use beta/alpha add-ons in the previous installation?
You need to check out the beta/alpha branches (of [2]) to build the other
add-ons.

Best regards.

Thilina Madhusanka

unread,
Sep 3, 2015, 6:10:27 AM9/3/15
to OWASP ZAP User Group
Hi

Thanks for the reply.

I wasn't using the GUI; I used it with my Jenkins plugin.

Earlier I used only the weekly release of ZAP.

It has that spider-stuck-on-the-same-status issue, so I moved to the ZAP source build.

That's when I got this issue.

thanks



Thilina Madhusanka

unread,
Sep 4, 2015, 5:51:13 AM9/4/15
to OWASP ZAP User Group
Hi

That report-not-generating issue was an issue in my plugin.

Any update on the thread stop issue?

thanks



thc...@gmail.com

unread,
Sep 5, 2015, 7:32:52 PM9/5/15
to zaprox...@googlegroups.com
Hi.

Not yet, but I'll look into that.

Best regards.

thc...@gmail.com

unread,
Sep 7, 2015, 10:36:35 AM9/7/15
to zaprox...@googlegroups.com
Hi.

That issue [1] should be fixed in version 2.4.2.


[1] https://github.com/zaproxy/zaproxy/issues/1872

Best regards.

Thilina Madhusanka

unread,
Sep 8, 2015, 11:17:43 PM9/8/15
to OWASP ZAP User Group
Hi

Nice to hear.

thanks

thc...@gmail.com

unread,
Sep 9, 2015, 11:25:36 AM9/9/15
to zaprox...@googlegroups.com
Hi.

Thank you for all the feedback!

Best regards.