ZAP tests locking the user account out


Mark Oliver

Jun 24, 2022, 11:33:39 AM6/24/22
to OWASP ZAP User Group

Hi,

I am using ZAP on my web application and the tests are authenticating as a user.  Fairly early on in the scan it's finding the user's account page and it's changing the password and, being an administrator, it can also find the settings for the group that that user account is in and marks it as disabled.  So the account is getting blocked in a couple of ways, and this will impact the tests that ZAP then does after this as it can no longer reach certain pages.

This must be a common problem and I just wanted to check that my expectation of how you deal with this is correct.  I'm thinking that I need to craft a set of regular expressions that will block ZAP from POSTing back to the pages that can, for example, change their password.

When there is a page that can edit multiple things is there a way of allowing ZAP to post back from it but exclude certain values from being changed?  So, for example, on the user’s group page it could edit the group’s name but not mark it as disabled.

Thanks for any assistance or comments,

Mark

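The regex approach the question describes can be checked before it goes into ZAP. The following is an added example, not code from the post or from the ZAP project: it takes a list of URL-exclusion regexes of the kind ZAP accepts as "Exclude from Context" entries, runs them over a constructed list of requests a crawl would make, and flags any state-changing request to an account-lockout endpoint that the exclusions still leave in scope. It also renders the same regexes as an Automation Framework `env` block. The host `app.example`, the paths, the regexes and the `LOCKOUT_PATTERNS` list are all hypothetical; the assumptions that ZAP matches context-exclusion regexes against the whole URL and that the Automation Framework uses `env`/`contexts`/`urls`/`excludePaths` keys are mine, so confirm them against your ZAP version.

```python
import re

# Constructed sample of the requests a ZAP crawl/scan would make against a
# hypothetical app; host and paths are invented for this example.
SAMPLE_REQUESTS = [
    ("GET", "https://app.example/dashboard"),
    ("GET", "https://app.example/account"),
    ("POST", "https://app.example/account/password"),
    ("POST", "https://app.example/account/email"),
    ("GET", "https://app.example/admin/groups/7"),
    ("POST", "https://app.example/admin/groups/7/disable"),
    ("POST", "https://app.example/admin/groups/7/rename"),
    ("GET", "https://app.example/search?q=zap"),
]

# Hypothetical "Exclude from Context" regexes. Assumption: ZAP matches such
# regexes against the whole URL, so they are applied with fullmatch() below.
EXCLUSIONS = [
    r"https://app\.example/account/password.*",
    r"https://app\.example/admin/groups/\d+/disable.*",
]

# URL shapes that, when hit with a state-changing method, lock the test user
# out (password change, group disable). Also hypothetical.
LOCKOUT_PATTERNS = [
    r".*/account/password.*",
    r".*/admin/groups/\d+/disable.*",
]

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def compile_all(patterns):
    """Compile a list of regex strings once, in order."""
    return [re.compile(p) for p in patterns]


def is_excluded(url, compiled):
    """True if any exclusion regex matches the full URL."""
    return any(r.fullmatch(url) for r in compiled)


def audit(requests, exclusions, lockout_patterns):
    """Classify requests as excluded or in scope, and flag in-scope
    state-changing requests that would lock the scanning account out."""
    excl = compile_all(exclusions)
    lock = compile_all(lockout_patterns)
    report = {"excluded": [], "in_scope": [], "lockout_risk": []}
    for method, url in requests:
        if is_excluded(url, excl):
            report["excluded"].append((method, url))
            continue
        report["in_scope"].append((method, url))
        if method in STATE_CHANGING and any(r.fullmatch(url) for r in lock):
            report["lockout_risk"].append((method, url))
    return report


def automation_env(context_name, base_url, exclusions):
    """Render the exclusions as a ZAP Automation Framework 'env' block.
    Assumption: the env/contexts/urls/excludePaths keys of that framework.
    YAML single quotes keep the regex backslashes literal."""
    lines = [
        "env:",
        "  contexts:",
        f"    - name: '{context_name}'",
        "      urls:",
        f"        - '{base_url}'",
        "      excludePaths:",
    ]
    lines += [f"        - '{p}'" for p in exclusions]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # With only the password rule, the group-disable POST is still in scope.
    partial = audit(SAMPLE_REQUESTS, EXCLUSIONS[:1], LOCKOUT_PATTERNS)
    print("lockout risk with only the password rule:", partial["lockout_risk"])
    full = audit(SAMPLE_REQUESTS, EXCLUSIONS, LOCKOUT_PATTERNS)
    print("lockout risk with both rules:", full["lockout_risk"])
    print(automation_env("MyApp", "https://app.example", EXCLUSIONS))
```

Running it with only the first regex reports the group-disable POST as a remaining lockout risk; with both regexes the risk list is empty while the rename and email endpoints stay in scope, which is the split the question is after at URL level. The per-field case (letting ZAP submit the group form but never the disable flag) is not something URL exclusions can express; as far as I know ZAP's Active Scan Input Vectors options carry an excluded-parameters table keyed by parameter name and URL regex, and that is the place to check for it.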