Issues with Active Scans for Script based Authentication as a User via ZAP API

Naveen Sabavath

Nov 6, 2024, 1:51:52 PM
to ZAP User Group

Hello, 

I'm facing an issue while running Active scans as a user via the ZAP API, and I'd like to ask for help or any insights.

Problem Description:

I have implemented the following methods for performing a Spider scan and Active scan as a user within a specific context in ZAP using the Java Client API.

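Spider Scan Method (Java):

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

private void performSpiderScanAsUser(String target, ClientApi clientApi, String userId, String CONTEXT_ID) throws ClientApiException, InterruptedException {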
    // Start Spider Scan as the specified user within the context
    ApiResponse response = clientApi.spider.scanAsUser(CONTEXT_ID, userId, target, null, "true", null);

    String scanId = ((ApiResponseElement) response).getValue();

    // Poll the status of the spider scan until it completes
    int progress;
    while (true) {
        progress = Integer.parseInt(((ApiResponseElement) clientApi.spider.status(scanId)).getValue());
        System.out.println("Spider scan progress: " + progress + "%");
        if (progress >= 100) {
            break;
        }
        Thread.sleep(5000);
    }

    System.out.println("Spider scan completed.");
}


Active Scan Method:

private void performActiveScanAsUser(String target, ClientApi clientApi, String userId, String CONTEXT_ID) throws ClientApiException, InterruptedException {
    // Start Active Scan as the specified user within the context
    // (postData, the POST body, is not declared in this snippet; it has to be a field of the enclosing class)
    ApiResponse response = clientApi.ascan.scanAsUser(target, CONTEXT_ID, userId, "true", null, "POST", postData);

    String scanId = ((ApiResponseElement) response).getValue();

    // Poll the status of the active scan until it completes
    int progress;
    while (true) {
        progress = Integer.parseInt(((ApiResponseElement) clientApi.ascan.status(scanId)).getValue());
        System.out.println("Active scan progress: " + progress + "%");
        if (progress >= 100) {
            break;
        }
        Thread.sleep(5000);
    }

    System.out.println("Active scan completed.");
}


Issue:
  • Spider Scan: The Spider scan seems to complete successfully after polling the status, but I'm unsure whether it fully crawls all URLs or is missing any elements.

  • Active Scan:

    • I’m sending a POST request with the following postData to the target URL.
    • I have verified that the postData and target URL are correct.
    • I also ensured that the userId and CONTEXT_ID are properly passed on ZAP UI.

Naveen Sabavath

Nov 8, 2024, 6:24:35 AM
to zaprox...@googlegroups.com
"Url Not Found in Scan Tree" is the error... Need help.


Simon Bennetts

Nov 8, 2024, 12:23:09 PM
to ZAP User Group
Asking related questions on different threads makes things very confusing.
Please stick to one thread - in this case let's use the other one, as I already replied there.

Cheers,

Simon