ZAP active scanner doesn't scan urls spidered by Ajax spider in Automation Framework

priya dharshini

Jan 8, 2026, 3:42:16 AM (2 days ago) Jan 8
to ZAP User Group
Hi Simon,
During Automation Framework, I can see URLs are populated during spider and AJAX spider. As per docs, I added passive scan wait for the scan to get completed.
As the last job I have added active scan. The problem is in the report I am seeing only URLs generated by spider and not AJAX spider. Am I missing anything here?

Image : zaproxy/zap-stable:latest
1) My doubt is: is authentication happening or not? If authentication is not successful, will the API and other URLs not be populated inside the Ajax spider?
2) In the report, the URL is reaching till dashboard only. Do I need to modify anything in requestor or Poll URL?
3) I am sharing a template here. Please guide me on what I am missing here.

Thanks in advance for your time and support.
Priya

env:
  contexts:
  - name: oauth2
    urls:
    includePaths:
    excludePaths:
    authentication:
      method: browser
      parameters:
        loginPageUrl: https://xxxxxxxxxxxxxxxxxxxx/
        browserId: firefox-headless
        diagnostics: true
        loginPageWait: 5
      verification:
        method: poll
        loggedInRegex: \/dashboards\/
        loggedOutRegex: \Q 401 Unauthorized\E
        pollFrequency: 60
        pollUnits: requests
    sessionManagement:
      method: autodetect
    users:
    - name: creds
      credentials:
        password: xxxxxx
        username: xxxxxx
jobs:
- type: requestor
  parameters:
    user: creds
  requests:
    - method: GET          # url omitted in the original post; each request is its own list item
      responseCode: 302
    - method: GET          # url omitted in the original post
      responseCode: 200
- type: passiveScan-config
  rules:
  - name: Absence of Anti-CSRF Tokens
    id: 10202
    threshold: low
  - name: Anti-clickjacking Header
    id: 10020
    threshold: low
  - name: Application Error Disclosure
    id: 90022
    threshold: low
  - name: Authentication Request Identified
    id: 10111
    threshold: low
  - name: Big Redirect Detected (Potential Sensitive Information Leak)
    id: 10044
    threshold: low
  - name: CSP
    id: 10055
    threshold: low
  - name: Charset Mismatch
    id: 90011
    threshold: low
  - name: Content Security Policy (CSP) Header Not Set
    id: 10038
    threshold: low
  - name: Content-Type Header Missing
    id: 10019
    threshold: low
  - name: Cookie No HttpOnly Flag
    id: 10010
    threshold: low
  - name: Cookie Poisoning
    id: 10029
    threshold: low
  - name: Cookie Without Secure Flag
    id: 10011
    threshold: low
  - name: X-Content-Type-Options Header Missing
    id: 10021
    threshold: low
  - name: Cookie without SameSite Attribute
    id: 10054
    threshold: low
  - name: Cross-Domain JavaScript Source File Inclusion
    id: 10017
    threshold: low
  - name: Cross-Domain Misconfiguration
    id: 10098
    threshold: low
  - name: HTTP Server Response Header
    id: 10036
    threshold: low
  - name: Directory Browsing
    id: 10033
    threshold: low
  - name: HTTPS to HTTP Insecure Transition in Form Post
    id: 10042
    threshold: low
  - name: HTTP to HTTPS Insecure Transition in Form Post
    id: 10041
    threshold: low
  - name: Heartbleed OpenSSL Vulnerability (Indicative)
    id: 10034
    threshold: low
  - name: Private IP Disclosure
    id: 2
    threshold: low
  - name: Stats Passive Scan Rule
    id: 50003
    threshold: low
  - name: X-AspNet-Version Response Header
    id: 10061
    threshold: low
  - name: Username Hash Found
    id: 10057
    threshold: low
  - name: Session ID in URL Rewrite
    id: 3
    threshold: low
  - name: Weak Authentication Method
    id: 10105
    threshold: low
  - name: Verification Request Identified
    id: 10113
    threshold: low
  - name: X-Backend-Server Header Information Leak
    id: 10039
    threshold: low
- type: spider
  parameters:
    context: oauth2
    user: creds
    parseDsStore: null
    parseSitemapXml: false
- type: passiveScan-wait
  parameters: {}
- type: spiderAjax
  parameters:
    context: oauth2
    user: creds
    numberOfBrowsers: 10
    browserId: firefox-headless
    runOnlyIfModern: false
    inScopeOnly: true
    clickDefaultElems: false
    clickElemsOnce: false
    randomInputs: true
    scopeCheck: Strict
    elements:
      - "a"
      - "button"
      - "input"
  tests:
    - name: At least 100 URLs found
      type: 'stats'
      onFail: INFO
      statistic: 'stats.spiderAjax.urls.added'
      operator: '>='
      value: 100
- type: passiveScan-wait
  parameters: {}
- type: activeScan-config
  parameters:
    injectPluginIdInHeader: true
  inputVectors:
    urlQueryStringAndDataDrivenNodes:
      enabled: true
      odata: true
    postData:
      enabled: true
      multiPartFormData: true
      xml: true
      json:
        enabled: true
    urlPath: true
    httpHeaders:
      enabled: true
      allRequests: true
    cookieData:
      enabled: true
      encodeCookieValues: true
    scripts: true
- type: activeScan
  parameters:
    context: oauth2
    user: creds
    defaultStrength: low
    defaultThreshold: medium
    addQueryParam: false
    injectPluginIdInHeader: false
    scanHeadersAllRequests: false
    threadPerHost: 4
  policyDefinition:
    defaultStrength: low
    defaultThreshold: medium    
    rules:
      - id: 40018
        enabled: true
        strength: low
      - id: 40012
        enabled: true
        strength: low
      - id: 90019
        enabled: true
        strength: low
      - id: 10031
        enabled: true
        strength: low
      - id: 40020
        enabled: false
      - id: 40024
        enabled: false
      - id: 20012
        enabled: false
      - id: 20014
        enabled: false
      - id: 40003
        enabled: false

- type: report
  parameters:
    template: traditional-html
    reportFile: zap-full-scan-report.html
    reportTitle: ZAP by Checkmarx Scanning Report
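A structural check for the plan above, as an added example that is not part of the post or of ZAP's own tooling: it models the plan as the dict a YAML loader would produce (PLAN is a constructed subset of the posted jobs) and flags a requestor section whose requests are not a list of url entries, undefined contexts or users, and any crawler job ordered after activeScan.

```python
# Structural checks for a ZAP Automation Framework plan (added helper, not ZAP code).
# PLAN is a constructed subset of the plan in the post, shaped as a YAML loader returns it.

def lint_plan(plan):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    env = plan.get("env") or {}
    contexts = {c.get("name"): c for c in env.get("contexts", [])}
    known_users = {u.get("name") for c in contexts.values() for u in c.get("users", [])}
    jobs = plan.get("jobs") or []
    types = [j.get("type") for j in jobs]

    for j in jobs:
        params = j.get("parameters") or {}
        # Every job that names a context or user must refer to one defined in env.
        ctx = params.get("context")
        if ctx and ctx not in contexts:
            findings.append(f"{j['type']}: context '{ctx}' is not defined in env")
        user = params.get("user")
        if user and user not in known_users:
            findings.append(f"{j['type']}: user '{user}' is not defined in any context")
        # requestor.requests is a list of request objects, each carrying a url.
        if j.get("type") == "requestor":
            reqs = j.get("requests")
            if not isinstance(reqs, list):
                findings.append("requestor: 'requests' must be a list (one '- url:' item per request)")
            else:
                for i, r in enumerate(reqs):
                    if not (isinstance(r, dict) and r.get("url")):
                        findings.append(f"requestor: request #{i} has no url")

    # Crawlers feed the sites tree, so they must finish before activeScan starts.
    if "activeScan" in types:
        scan_at = types.index("activeScan")
        for crawler in ("spider", "spiderAjax"):
            if crawler in types and types.index(crawler) > scan_at:
                findings.append(f"{crawler} runs after activeScan, so its URLs are not scanned")
    return findings


PLAN = {  # constructed: the shape of the posted plan (URLs are redacted there as well)
    "env": {"contexts": [{"name": "oauth2", "users": [{"name": "creds"}]}]},
    "jobs": [
        {"type": "requestor", "parameters": {"user": "creds"},
         "requests": {"method": "GET", "responseCode": 200}},  # duplicate keys collapse to this
        {"type": "spider", "parameters": {"context": "oauth2", "user": "creds"}},
        {"type": "passiveScan-wait", "parameters": {}},
        {"type": "spiderAjax", "parameters": {"context": "oauth2", "user": "creds"}},
        {"type": "passiveScan-wait", "parameters": {}},
        {"type": "activeScan", "parameters": {"context": "oauth2", "user": "creds"}},
        {"type": "report", "parameters": {"template": "traditional-html"}},
    ],
}
```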