ajax spider automation framework issues


Edvin Eriksson

Feb 15, 2022, 8:36:21 AM
to OWASP ZAP User Group
Hi,

We are using the automation framework successfully to scan with spider and make an active scan. However, it is not possible to use the ajax spider in the automation framework; it just freezes and nothing happens.
When scanning using ajax scanner outside of the automation framework (right click on the site and select ajax spider) it works perfectly with the same context and other settings.
Is this a known issue or should it work? I have even tried on the sample site juice-shop with the same results.

Best regards,
Edvin

Simon Bennetts

Feb 15, 2022, 8:59:46 AM
to OWASP ZAP User Group
Hi Edvin,

No, that should work fine.
Are there any errors in the zap.log file?

Cheers,

Simon

Edvin Eriksson

Feb 15, 2022, 10:18:12 AM
to OWASP ZAP User Group
Hi Simon,

I get this error:

2022-02-15 16:08:10,593 [ZAP-Automation] ERROR UncaughtExceptionLogger - Exception in thread "ZAP-Automation"
java.lang.IllegalStateException: The starting URI does not belong to the context.
        at org.zaproxy.zap.extension.spiderAjax.AjaxSpiderTarget$Builder.build(AjaxSpiderTarget.java:271) ~[?:?]
        at org.zaproxy.zap.extension.spiderAjax.automation.AjaxSpiderJob.runJob(AjaxSpiderJob.java:160) ~[?:?]
        at org.zaproxy.addon.automation.ExtensionAutomation.runPlan(ExtensionAutomation.java:265) ~[?:?]
        at org.zaproxy.addon.automation.ExtensionAutomation.lambda$runPlanAsync$2(ExtensionAutomation.java:285) ~[?:?]
        at java.lang.Thread.run(Unknown Source) [?:1.8.0_321]

But the spider scan and the active scan work OK. Cannot see any issues with the starting URL.

Best regards,
Edvin

Simon Bennetts

Feb 15, 2022, 10:23:13 AM
to OWASP ZAP User Group
Well, that's the problem :)
Can you give us suitably redacted versions of the URLs?
Otherwise we can't help very much :/

Cheers,

Simon

Edvin Eriksson

Feb 15, 2022, 11:00:05 AM
to OWASP ZAP User Group
In the context there is this URL in the "include to context"


And when I check the starting URI in the context in the automation env it is


With the regex include:


In the Authentication in the context the same URI is copied twice (Login Form Target URL and URL to GET Login Page)


I hope this makes sense. I can't see any more places to put in a URL.

Cheers,
Edvin

Simon Bennetts

Feb 15, 2022, 12:41:06 PM
to OWASP ZAP User Group
What URL are you specifying in the spiderAjax job?

Cheers,

Simon

Edvin Eriksson

Feb 16, 2022, 9:25:43 AM
to OWASP ZAP User Group
I managed to get a successful run now by tweaking some parameters. Perhaps it was because of that. However, on another note, I've noticed that sometimes when loading YAML files there is an error message that says something with -1. I can see if I can get an example, unless you have seen it before?
Anyways thank you very much for the help on the ajaxspider issue.

Cheers,
Edvin

Simon Bennetts

Feb 16, 2022, 9:36:50 AM
to OWASP ZAP User Group
Good to hear you've got the ajax spider working :)
Please send us the error messages - we _might_ know about them, but if not then we can look into them.

Many thanks,

Simon

Edvin Eriksson

Feb 16, 2022, 10:30:47 AM
to OWASP ZAP User Group
I will send them as soon as I see them again. I have another question, but I will open a new subject instead so it is less confusing for anyone else browsing.

Cheers,
Edvin

Vineet Sadawari

Mar 16, 2022, 7:52:31 AM
to OWASP ZAP User Group
Edvin,
Could you please send the redacted YAML file that you used for scanning?

Getting the same issue as you got.

Thanks.
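
Added example, not part of the thread and not ZAP's own code: a pre-flight check that flags spider and spiderAjax jobs whose start URL falls outside the context, which is the condition behind the "The starting URI does not belong to the context" exception above. The plan is a constructed dict using the automation framework's `env`/`jobs` layout with placeholder hosts; the whole-URL regex matching and the fallback to the context's first URL are assumptions about how ZAP evaluates the plan.

```python
import re

# Constructed plan, already parsed from YAML into a dict (hosts are placeholders).
PLAN = {
    "env": {"contexts": [{
        "name": "shop",
        "urls": ["https://shop.example.test/app/"],
        "includePaths": [r"https://shop\.example\.test/app/.*"],
        "excludePaths": [r".*/logout.*"],
    }]},
    "jobs": [
        {"type": "spider", "parameters": {"context": "shop"}},
        {"type": "spiderAjax",
         "parameters": {"context": "shop", "url": "https://shop.example.test/"}},
        {"type": "spiderAjax",
         "parameters": {"url": "https://shop.example.test/app/#/login"}},
    ],
}

def in_context(url, ctx):
    """True if url is included in ctx and not excluded from it."""
    # Assumption: include/exclude entries are regexes that must match the whole URL;
    # with no includePaths, everything under each top-level URL is included.
    includes = ctx.get("includePaths") or [re.escape(u) + ".*" for u in ctx["urls"]]
    excludes = ctx.get("excludePaths") or []
    if any(re.fullmatch(p, url) for p in excludes):
        return False
    return any(re.fullmatch(p, url) for p in includes)

def out_of_context_jobs(plan):
    """Return (job index, job type, start URL, reason) for each job that would fail."""
    contexts = plan["env"]["contexts"]
    by_name = {c["name"]: c for c in contexts}
    problems = []
    for index, job in enumerate(plan.get("jobs", [])):
        if job.get("type") not in ("spider", "spiderAjax"):
            continue
        params = job.get("parameters") or {}
        name = params.get("context")
        # Assumption: a job without a context uses the first one in the plan.
        ctx = by_name.get(name) if name else contexts[0]
        if ctx is None:
            problems.append((index, job["type"], params.get("url"), "unknown context " + name))
            continue
        # Assumption: a job without a url starts from the context's first URL.
        url = params.get("url") or ctx["urls"][0]
        if not in_context(url, ctx):
            problems.append((index, job["type"], url, "start URL not in context " + ctx["name"]))
    return problems
```

Running `out_of_context_jobs` on a parsed plan before handing it to ZAP surfaces the mismatch (wrong scheme, missing path prefix, unescaped or too-narrow include regex) without waiting for the job thread to throw.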
