Issue with Spider scan-as-user API call


Mukila Sri

Apr 18, 2016, 8:31:18 AM
to OWASP ZAP User Group
Hi,
I am facing an issue in spidering a web page with user authentication through a command-line tool, Zap-cli (using the Python API). I followed the steps mentioned in https://github.com/zaproxy/zaproxy/wiki/FAQformauth


What I observed:
Spidering is successful in the ZAP GUI - by selecting the context and username manually and running the spider (recursively found 2000+ URLs)

On calling the spider API (http://zap/UI/spider/action/scanAsUser/) with recurse true - the authentication is successful, but it seems the crawling is not complete (found only 20+ URLs). The logged-in indicators are set (assuming they are correct, as it works fine in the GUI).

Running the spider in the ZAP GUI with recursive "disabled" gives the same result as spidering through the API - i.e. only 20+ URLs found

It seems like the Spider scan-as-user API doesn't take the recurse option, or by default it is taking "disabled".

Is it a bug? Or am I missing something? Please guide me.


I also observed that the Spider scan-as-user API call posts ZAP as the username and password instead of the stored user credentials. It seems this issue was already reported in https://github.com/zaproxy/zaproxy/issues/2079.

Does anyone have a solution for this issue?


Thanks,
Mukila


thc...@gmail.com

Apr 19, 2016, 5:50:30 AM
to zaprox...@googlegroups.com
Hi.

The differences in the results might be because of issue 2282. [1]
In some cases it would not use all seeds available.

Could you try running with a weekly release? [2]


Regarding the spider sending ZAP values, that's the expected behaviour
of the spider when filling forms (there's no distinction between login
form and other forms). As long as the spider has a seed after the login
page it should work as expected, since it will automatically
authenticate when spidering other (protected) pages.


[1] https://github.com/zaproxy/zaproxy/issues/2282
[2] https://github.com/zaproxy/zaproxy/wiki/Downloads#zap-weekly

Best regards.
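To make the reply above concrete: the script below is an added example (not code from the original thread or from the ZAP project) showing the sequence a scan-as-user run needs through the Python API client: a context with a form-based authentication method, a user with stored credentials, a recursive scanAsUser call, and a sanity check that the crawl actually reached pages past the login form, which is the "seed after the login page" condition the reply mentions. It assumes a ZAP instance on 127.0.0.1:8080 with API key "changeme", the python-owasp-zap-v2.4 package (imported lazily so the helpers also run without it), a target at http://target.example whose login form POSTs fields "username" and "password", and a logged-in indicator "Logout"; all of those are placeholders, not values from the thread.

```python
"""Spider a ZAP context as an authenticated user and check the result.

Added example; hosts, API key, field names and the "Logout" indicator are
assumptions, not values from the original thread.
"""
import time
from urllib.parse import quote


def form_auth_params(login_url, user_field="username", pass_field="password"):
    """Build the authmethodconfigparams string for formBasedAuthentication.

    ZAP substitutes {%username%} / {%password%} when it logs in. The whole
    loginRequestData value must be URL-encoded, placeholders included, because
    the config string is itself a key=value&key=value list.
    """
    request_data = f"{user_field}={{%username%}}&{pass_field}={{%password%}}"
    return (f"loginUrl={quote(login_url, safe='')}"
            f"&loginRequestData={quote(request_data, safe='')}")


def credential_params(username, password):
    """authcredentialsconfigparams string for a form-based-auth user."""
    return f"username={quote(username, safe='')}&password={quote(password, safe='')}"


def configure_user(zap, context_name, include_regex, login_url,
                   username, password, logged_in_regex):
    """Create context, auth method and user; return (context id, user id)."""
    ctx_id = zap.context.new_context(context_name)
    zap.context.include_in_context(context_name, include_regex)
    zap.authentication.set_authentication_method(
        ctx_id, "formBasedAuthentication", form_auth_params(login_url))
    zap.authentication.set_logged_in_indicator(ctx_id, logged_in_regex)
    user_id = zap.users.new_user(ctx_id, username)
    zap.users.set_authentication_credentials(
        ctx_id, user_id, credential_params(username, password))
    zap.users.set_user_enabled(ctx_id, user_id, "true")
    return ctx_id, user_id


def spider_as_user(zap, ctx_id, user_id, start_url, poll_seconds=2):
    """Run a recursive scanAsUser and block until it finishes.

    start_url should be a page *behind* the login so the spider has a seed
    past the login form; ZAP authenticates on its own when it requests a
    protected page. Keyword arguments are used because the positional order
    of scan_as_user changed between client versions.
    """
    scan_id = zap.spider.scan_as_user(contextid=ctx_id, userid=user_id,
                                      url=start_url, recurse=True)
    while int(zap.spider.status(scan_id)) < 100:
        time.sleep(poll_seconds)
    return zap.spider.results(scan_id)


def summarize(urls, login_url):
    """Sanity check: a crawl that only found the login page never logged in."""
    beyond = [u for u in urls if u.rstrip("/") != login_url.rstrip("/")]
    return {"total": len(urls), "beyond_login": len(beyond)}


def connect(api_key="changeme", proxy="http://127.0.0.1:8080"):
    from zapv2 import ZAPv2  # lazy import: only needed for a real run
    return ZAPv2(apikey=api_key, proxies={"http": proxy, "https": proxy})


if __name__ == "__main__":
    zap = connect()
    login = "http://target.example/login"  # assumed target
    ctx_id, user_id = configure_user(
        zap, "target", r"http://target\.example.*", login,
        "alice", "s3cret", r"\QLogout\E")
    found = spider_as_user(zap, ctx_id, user_id, "http://target.example/dashboard")
    print(summarize(found, login))
```

If `beyond_login` is 0 or stays at a couple of dozen URLs while the GUI finds thousands, compare the start URL and the logged-in indicator with what the GUI run used before suspecting the recurse flag.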

Mukila Sri

Apr 20, 2016, 5:05:27 AM
to OWASP ZAP User Group
Thanks a lot for your guidance. I tried with the weekly release: spidering with an API call for a whole context is working fine and the results are similar to those expected in the GUI.

Regards,
Mukila

thc...@gmail.com

Apr 20, 2016, 9:32:23 AM
to zaprox...@googlegroups.com
Great. Thanks for letting us know!

Best regards.