regex in yaml file


janik D

Oct 5, 2022, 5:54:27 AM10/5/22
to OWASP ZAP User Group
I am attempting to use a regex in a YAML automation file for Docker to exclude a path.
When attempting with these options:
excludePaths:
    - "^.*\.cache\.html"
I get this error:

Unexpected error accessing file /zap/wrk/automation.yaml : while scanning a double-quoted scalar
 in 'reader', line 12, column 7:
        - "^.*\.cache\.html"
          ^
found unknown escape character .(46)
 in 'reader', line 12, column 12:
        - "^.*\.cache\.html"
               ^
Which is fair, as I am using an escape character. So I escaped the escape character:

excludePaths:
    - "^.*\\.cache\\.html"

But now the path isn't excluded during the scan. I used https://regex101.com/r/XLPF85/1 to ensure my original regex was correct.
Is this a bug or am I implementing this wrong?
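
To see exactly what the YAML layer does with the three spellings of that excludePaths entry, here is an added example (not code from the thread or from ZAP) that feeds each one through Ruby's bundled YAML parser (Psych, built on libyaml, which reports the same "unknown escape character" family of error as the SnakeYAML message above). The sample URL is constructed to resemble the one quoted later in the thread. The two matching helpers are assumptions about how a scanner might apply a context regex, not a statement of ZAP's implementation: one treats the pattern as "occurs anywhere in the URL", the other requires the pattern to cover the whole URL.

```ruby
# Added example, not code from the thread or from ZAP: parse the three ways
# of writing the excludePaths entry and check which regex string each yields.
require 'yaml'

# Constructed sample URL, modelled on the one quoted later in the thread.
SAMPLE_URL = 'https://website.com/app/page/otherpage/123456789ABC.cache.html'

# The three spellings. Single-quoted heredocs apply no escape processing, so
# the YAML text is exactly what would sit in automation.yaml.
CANDIDATES = {
  double_quoted_unescaped: <<~'YAML',
    excludePaths:
      - "^.*\.cache\.html"
  YAML
  double_quoted_escaped: <<~'YAML',
    excludePaths:
      - "^.*\\.cache\\.html"
  YAML
  single_quoted: <<~'YAML',
    excludePaths:
      - '^.*\.cache\.html'
  YAML
}.freeze

# Returns [:ok, patterns] or [:error, message]. The parser rejects \. inside
# double quotes because YAML only knows a fixed set of backslash escapes;
# single quotes pass backslashes through untouched.
def parse_exclude_paths(yaml_text)
  patterns = YAML.safe_load(yaml_text).fetch('excludePaths')
  [:ok, patterns]
rescue Psych::SyntaxError => e
  [:error, e.message]
end

# Assumed "find" style: the pattern may occur anywhere in the URL.
def excluded_find?(patterns, url)
  patterns.any? { |p| Regexp.new(p).match?(url) }
end

# Assumed "full match" style: the pattern must cover the entire URL, so a
# trailing query string (…cache.html?x=1) would not be excluded by this regex.
def excluded_full?(patterns, url)
  patterns.any? { |p| Regexp.new("\\A(?:#{p})\\z").match?(url) }
end

# Run every candidate and report what the parser produced and whether the
# sample URL would be excluded under each assumed matching style.
def evaluate(candidates, url)
  candidates.to_h do |name, text|
    status, payload = parse_exclude_paths(text)
    if status == :ok
      [name, { patterns: payload,
               find: excluded_find?(payload, url),
               full: excluded_full?(payload, url) }]
    else
      [name, { error: payload }]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  evaluate(CANDIDATES, SAMPLE_URL).each { |name, r| puts "#{name}: #{r}" }
  puts "with query string, full match: " \
       "#{excluded_full?(['^.*\.cache\.html'], "#{SAMPLE_URL}?v=1")}"
end
```

The escaped double-quoted form and the single-quoted form both yield the regex string `^.*\.cache\.html`, so once the file parses, the exclusion regex itself is fine and any remaining "page still scanned" symptom comes from elsewhere (context, working directory, or which scanner reads the list). Before relying on a pattern with no trailing anchor, confirm in the ZAP desktop whether the context treats the regex as a full URL match, since a query string on the page URL would then defeat it.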

janik D

Oct 5, 2022, 7:57:15 AM10/5/22
to OWASP ZAP User Group
The paths I am trying to exclude are any paths that end with .cache.html

Simon Bennetts

Oct 5, 2022, 8:42:08 AM10/5/22
to OWASP ZAP User Group
Pro tip - test this in the ZAP desktop in a new context.
Then, when it's working, create an Automation Framework plan using that context - it should get the format right :)

Cheers,

Simon

janik D

Oct 10, 2022, 4:35:54 AM10/10/22
to OWASP ZAP User Group
Thanks Simon,
I have tried this now. The format in the Automation Framework plan created by the GUI is the same as the edited one I created when escaping the characters that needed escaping. Also, when running the plan with the regex, or even with the specific page excluded, the automated scan still scans the page. I know this as I am getting errors from ZAP due to this page and am repeatedly seeing the page in the terminal output:
JavaScript warning: https://website.com/app/page/otherpage/123456789ABC.cache.html, line 2336: unreachable code after return statement
1665390674383    Marionette    WARN    Ignoring event 'DOMContentLoaded' because document has an invalid readyState of 'complete'.
JavaScript error: https://website.com/app/page/otherpage/123456789ABC.cache.html, line 3606: uncaught exception: com.google.gwt.core.client.JavaScriptException: (SecurityError) : Permission denied to access property "alert" on cross-origin object

The page does match the regex, though.
I have just noticed that even adding these pages explicitly in the context, then creating an automation job from this context in the GUI and then running the job, doesn't exclude these pages from the scanner.

Simon Bennetts

Oct 10, 2022, 6:03:29 AM10/10/22
to OWASP ZAP User Group
Once you have run the plan in the ZAP desktop, do the .cache.html pages have the "target" icon on them in the Sites tree?

Cheers,

Simon

janik D

Oct 10, 2022, 6:52:06 AM10/10/22
to OWASP ZAP User Group
I ran it in ZAP desktop and didn't see it in the tree. I will now run that automation file again, but with Docker, and see if the problem is fixed.

janik D

Oct 11, 2022, 4:51:11 AM10/11/22
to OWASP ZAP User Group
It now works. So the fix was just creating the context and automation file fully in the GUI and then using that, with the small edit of the working directory being /zap/wrk/ in the YAML file instead of the one created in the GUI.

Simon Bennetts

Oct 11, 2022, 5:36:44 AM10/11/22
to OWASP ZAP User Group
Great - thanks for letting us know!