Security Testing of single page application with ZAP


shashank shekhar

Oct 9, 2023, 12:13:12 PM
to ZAP User Group
Hey, the spider is stuck on a single page and cannot iterate to other URLs in a website based on Angular. If anyone has experience doing this, please reply.

Simon Bennetts

Oct 9, 2023, 12:14:34 PM
to ZAP User Group
Which spider?
Is it finding any of the URLs?

Cheers,

Simon

shashank shekhar

Oct 9, 2023, 12:29:47 PM
to ZAP User Group
I initially used the traditional spider, which successfully handled authentication. However, it only scanned the page for which I provided the URL. When attempting to use the Ajax spider, it encountered difficulties with the authentication process, preventing it from progressing further in the scanning process.

Cheers,

Shashank

Simon Bennetts

Oct 9, 2023, 12:33:04 PM
to ZAP User Group
Hi Shashank,

You will need to use the AJAX Spider to explore your app - the traditional spider cannot handle JavaScript, although it may still find some useful links.

Have a look at authentication auto-detection: https://www.zaproxy.org/docs/authentication/auto-detection/
If that works then it will also work with the AJAX spider :)
And if it doesn't then let us know more details and we'll see if we can fix it...

Cheers,

Simon

shashank shekhar

Oct 9, 2023, 12:37:15 PM
to ZAP User Group
Is the Authentication Tester dialog available in ZAP 2.7.0?

Cheers,

Shashank

Simon Bennetts

Oct 9, 2023, 12:40:50 PM
to ZAP User Group
2.7.0 ????
That was released in 2017!

No.
The Authentication Tester dialog was released this year.
We only support the latest ZAP release, currently 2.13.0.
We do not update any add-ons for anything other than the latest release.

Cheers,

Simon

shashank shekhar

Oct 9, 2023, 12:48:32 PM
to ZAP User Group
Okay, I will update my ZAP. Also, can you please tell me what authentication auto-detection does?

Cheers,

Shashank

Simon Bennetts

Oct 9, 2023, 12:55:29 PM
to ZAP User Group

If that's not clear then let us know and we'll aim to improve it.
There's also this video: https://youtu.be/RCi9W77bGpI

Cheers,

Simon

shashank shekhar

Oct 9, 2023, 2:33:22 PM
to ZAP User Group
Thank you.
In my application, both the frontend and backend are hosted on different ports, and the login process is routed through a gateway on yet another port. Is this setup a potential concern?

Cheers,

Shashank

Simon Bennetts

Oct 9, 2023, 3:15:41 PM
to ZAP User Group
That should not matter.

Cheers,

Simon

shashank shekhar

Oct 14, 2023, 8:37:44 PM
to ZAP User Group
Hello, I've updated my ZAP version, and I'm wondering if there's a way to set up authentication in the quick start process?

Cheers,

Shashank

shashank shekhar

Oct 14, 2023, 8:55:48 PM
to ZAP User Group
Also, when I scan my URL using the quick start method, the login request is not showing in the site node, so how can I set up authentication?

Simon Bennetts

Oct 16, 2023, 4:37:31 AM
to ZAP User Group