Docker ZAP doesn't scan GET request parameter


Yoshihiro Matsumoto

Dec 13, 2022, 2:05:23 AM
to OWASP ZAP User Group
Hello,

I'm using Docker ZAP to run baseline and full scans on my web applications.
I've noticed that ZAP doesn't scan URLs with GET request parameters.

I confirmed that my Desktop ZAP spider can scan such URLs, and these are described like 'https://xyz\?hoge_id\=abc&piyo\=def.*' in the context file.
Even though I tried this description in the <incregexes> tag of my Docker ZAP context file (the same file as the Desktop ZAP context file),
the results don't show these URLs.

Any advice?
Thank you.

Simon Bennetts

Dec 13, 2022, 4:41:04 AM
to OWASP ZAP User Group
Hiya,

How are you checking that ZAP doesn't scan those URLs?

FYI you will not see a URL like "https://xyz?hoge_id=abc&piyo=def" in the sites tree by default, instead you will see something like "https://xyz(hoge_id,piyo)".
This is because the sites tree tries to represent the functionality of the app rather than every single URL.
This means ZAP may well be attacking those URLs but with different parameters.


Cheers,

Simon

Yoshihiro Matsumoto

Dec 13, 2022, 7:10:27 AM
to OWASP ZAP User Group
Hi Simon,
Thanks for the fast reply and for sharing the YouTube link!

When I ran ZAP scanning including a URL like "https://xyz.*", it works very well and the results show some security risks.
But when I try a URL like "https://xyz\hoge\=aaa", no risks appear,
so I thought the scanner didn't scan these URLs.

I asked this question because scanning with "https://xyz.*" takes too long (up to 3 hours), maybe due to too many parameters.
Therefore, I'm searching for ways to restrict the target URL to specific parameters like "https://xyz\hoge\=aaa".
Are there any ideas?

Thank you.

On Tuesday, December 13, 2022 at 18:41:04 UTC+9, psi...@gmail.com wrote:

Yoshihiro Matsumoto

Dec 14, 2022, 5:52:44 AM
to OWASP ZAP User Group
Hi.

Today I tried: sudo docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable:2.11.1 zap-full-scan.py -t https://sample.com/actionpage.action\?id\=12345 -z "-configfile /zap/wrk/config.prop" -n /zap/wrk/sample.context
and in the context file I added <incregexes>https:sample.com/actionpage.action\?id\=12345 </incregexes>

Then the debug message said 'https://sample.com/actionpage.action\?id\=12345 200 OK', which seems good to me, but a few seconds later I got an error: zap.out said "Can't connect to X11 window server using"

Thanks.

On Tuesday, December 13, 2022 at 21:10:27 UTC+9, Yoshihiro Matsumoto wrote:
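Added example (not code from this thread or from ZAP): a small Python check of the two things the posts above turn on, (1) whether a context include regex actually matches the URL you want scanned, and (2) what the Sites tree shows for a URL with query parameters, as Simon described. ZAP matches include/exclude regexes against the whole URL, so the regex typed in the post above ("https:sample.com/...", missing the "//") can never match "https://sample.com/..."; the helper builds a correctly escaped one and previews which of a set of target URLs the context would cover before you commit to a multi-hour scan. The sample URLs are constructed placeholders, the context XML fragment is an assumption about the file's shape (a real export carries many more elements), and the Sites-tree naming is an approximation of the behaviour Simon describes, not ZAP's own code.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed targets standing in for the thread's https://sample.com/... URLs
# (assumption: sample.com is a placeholder, as in the original posts).
TARGETS = [
    "https://sample.com/actionpage.action?id=12345",
    "https://sample.com/actionpage.action?id=99999",
    "https://sample.com/actionpage.action?id=12345&debug=1",
    "https://sample.com/other",
]

# Regex exactly as typed in the post above (note the missing "//" after "https:").
POSTED_REGEX = r"https:sample.com/actionpage.action\?id\=12345"


def include_regex_for(url: str) -> str:
    """Context include regex for one concrete URL plus anything after it.

    ZAP matches include/exclude regexes against the whole URL, so regex
    metacharacters in the URL ('.', '?') must be escaped; re.escape does that
    and leaves '/' and '=' alone.
    """
    return re.escape(url) + ".*"


def matches(regex: str, url: str) -> bool:
    # ZAP's scope check is a whole-string match (Java Matcher.matches());
    # re.fullmatch is the Python equivalent.
    return re.fullmatch(regex, url) is not None


def in_scope(url: str, includes, excludes=()) -> bool:
    """A URL is in a context when it matches any include regex and none of the
    exclude regexes."""
    return any(matches(r, url) for r in includes) and not any(
        matches(r, url) for r in excludes
    )


def scope_preview(includes, excludes=(), targets=TARGETS) -> dict:
    """Which targets the context would cover; run this before a multi-hour scan."""
    return {u: in_scope(u, includes, excludes) for u in targets}


def sites_tree_node(url: str) -> str:
    """Approximate the Sites tree name ZAP gives a URL with query parameters:
    parameter names in brackets, values dropped, so one node stands for every
    request with the same parameter set (ZAP's full naming rules, e.g. the
    HTTP method prefix, are not reproduced here; this is an approximation)."""
    parts = urlsplit(url)
    names = list(dict.fromkeys(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return f"{base}({','.join(names)})" if names else base


def context_xml(name: str, includes, excludes=()) -> str:
    """Minimal fragment in the shape of a ZAP context file (assumption: one
    <incregexes>/<excregexes> element per regex; a real export carries many
    more elements, which are omitted here)."""
    lines = ["<configuration>", "  <context>",
             f"    <name>{html.escape(name)}</name>",
             "    <inscope>true</inscope>"]
    lines += [f"    <incregexes>{html.escape(r)}</incregexes>" for r in includes]
    lines += [f"    <excregexes>{html.escape(r)}</excregexes>" for r in excludes]
    lines += ["  </context>", "</configuration>"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    url = TARGETS[0]
    fixed = include_regex_for(url)
    print("posted regex matches:", matches(POSTED_REGEX, url))   # False: "https:" vs "https://"
    print("fixed regex matches: ", matches(fixed, url))          # True
    for u, ok in scope_preview([fixed]).items():
        print(f"{'IN ' if ok else 'OUT'} {u} -> {sites_tree_node(u)}")
    print(context_xml("sample", [fixed]))
```

Run it as-is to see the posted regex rejected and the escaped one accepted; to preview your own context, replace TARGETS with the URLs you expect the spider to reach and pass the regexes from your exported context file to scope_preview(). A URL that shows OUT here will never be attacked, whatever the Docker command line says.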

Yoshihiro Matsumoto

Dec 14, 2022, 6:26:38 AM
to OWASP ZAP User Group
Hi.
I'm sorry to bother you again and again.

I ran the code below in owasp/zap2docker-stable:2.11.1, then got 'https://sample.com/ "GET / HTTP/1.1" 200':
sudo docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable:2.11.1 zap-full-scan.py -t https://sample.com/ -z "-configfile /zap/wrk/config.prop" -n /zap/wrk/sample.context

and then I ran the same code in owasp/zap2docker-stable:2.12.0, then got 'https://sample.com/ "GET / HTTP/1.1" 502'.
zap.out said:

1150 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config connection.proxyChain.enabled = true was null
1150 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config connection.proxyChain.hostName = $proxy-host-name.com was null
1151 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config connection.proxyChain.port = $proxy-port was null


Are there any solutions?
Thanks in advance.

On Wednesday, December 14, 2022 at 19:52:44 UTC+9, Yoshihiro Matsumoto wrote:

Yoshihiro Matsumoto

Dec 16, 2022, 12:32:33 AM
to OWASP ZAP User Group
Hello.

There is some progress on the issue.
To scan sites such as https://sample.com/$company_id/, I set 'data driven nodes' and it worked completely in Desktop ZAP (Windows OS).

Then I exported the context file and used it in Docker ZAP full-scan.py (Amazon Linux 2), but it didn't work (the spider seemed to scan only https://sample.com/).

Are there any solutions?
Thank you.
On Wednesday, December 14, 2022 at 20:26:38 UTC+9, Yoshihiro Matsumoto wrote:

Yoshihiro Matsumoto

Dec 16, 2022, 7:39:24 AM
to OWASP ZAP User Group
Hi.

This issue was solved.
My application is using a WAF, so I needed to escape the WAF and connect to the ALB directly.

In Desktop ZAP, maybe ZAP honors the hosts file, but Docker's doesn't. (Ref: "ZAP not honoring hosts file?" (google.com))
Therefore ZAP in Docker couldn't escape the WAF and the connection was refused.

I changed the URL https://sample.com/$company_id/ to https://$ALB-IP/$company_id/, and then everything works well.

Thank you very much.

On Friday, December 16, 2022 at 14:32:33 UTC+9, Yoshihiro Matsumoto wrote:

Simon Bennetts

Dec 18, 2022, 11:51:20 AM
to OWASP ZAP User Group
Thanks for letting us know!

Simon