Any way to pass Exclude URLs & Include URLs in docker zap-baseline.py or zap-full-scan.py?


Rohit Kumar

Sep 25, 2022, 11:55:17 PM
to OWASP ZAP User Group
Hi There,

I wanted to ask if there is any way to pass a list of Exclude URLs & Include URLs within the ZAP Docker Python scripts.

I'm using these two commands

1. docker run -t owasp/zap2docker-stable zap-baseline.py -t https://www.example.com

2. docker run -t owasp/zap2docker-stable zap-full-scan.py -t https://www.example.com


I don't see any option to pass these details. I am allowed to use only these 2 scripts. Any method, please?

thc...@gmail.com

Sep 26, 2022, 3:16:29 AM
to zaprox...@googlegroups.com
Hi.

Specify the context with the -n command line argument:
https://www.zaproxy.org/docs/docker/full-scan/#usage

You can also use the hooks to set up the context:
https://www.zaproxy.org/docs/docker/scan-hooks/

Best regards.
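
The hook route from the reply above, as an added example that is not part of the original post or ZAP's own code: it covers only the exclude side, registering each listed URL as a spider and active-scan exclusion through the ZAP Python API. The URL list, the file name and every function name other than `zap_started` are assumptions; an include list still belongs in the context file passed with `-n`.

```python
# Constructed ZAP scan hook (hypothetical file name: scope_hooks.py).
# Load it into a packaged scan with the --hook option described in the scan-hooks docs.
import re

# Constructed sample values; replace with paths from your own application.
EXCLUDE_URLS = [
    "https://www.example.com/logout",
    "https://www.example.com/admin/",
]


def url_to_regex(url):
    """Turn a URL prefix into a regex matching that URL and everything below it."""
    # re.escape keeps '.' and '?' in the URL from acting as regex metacharacters,
    # so "www.example.com" cannot also match "wwwXexample.com".
    return "^" + re.escape(url) + ".*$"


def apply_exclusions(zap, urls):
    """Register each URL as a spider and active-scan exclusion; return the regexes."""
    applied = []
    for url in urls:
        regex = url_to_regex(url)
        zap.spider.exclude_from_scan(regex)  # spider skips matching URLs
        zap.ascan.exclude_from_scan(regex)   # active scanner skips matching URLs
        applied.append(regex)
    return applied


def zap_started(zap, target):
    """Hook the packaged scans call once ZAP is up, before spidering starts."""
    for regex in apply_exclusions(zap, EXCLUDE_URLS):
        print("Excluded from spider and active scan: " + regex)
```

The hook file has to be readable inside the container, so mount its directory into the container and point `--hook` at the mounted path.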

Lakshmi Narayana Inguva

Jan 18, 2024, 12:36:36 PM
to ZAP User Group
Can you please show us examples of using it for multiple URLs? I am using a context file for authentication, but I don't see any coverage.

Simon Bennetts

Jan 19, 2024, 4:38:30 AM
to ZAP User Group
Do you mean attacking multiple sites? For example https://www.example.com and https://www.example.org?
The packaged scans do not support that; we expect you to run a separate packaged scan for each site.
If you're looking for something more flexible, have a look at the Automation Framework: https://www.zaproxy.org/docs/automate/automation-framework/

Cheers,

Simon

AppSec LN

Jan 19, 2024, 4:50:32 AM
to ZAP User Group
No.
For example, https://www.example.com/page1, https://www.example.com/page2, https://www.example.com/page3, etc.

The ZAP full scan is not covering all pages even though authentication is defined and all URLs are included in the context file.

It seems automation is ready for authentication: https://www.zaproxy.org/docs/getting-further/automation/

Please share if there are any working examples.

Simon Bennetts

Jan 19, 2024, 7:22:09 AM
to ZAP User Group
OK, that means that authentication is not working.
Have you tried it with the ZAP desktop? That will be easier to debug.

Cheers,

Simon