ZAP session data


Usman Waheed

Sep 6, 2013, 11:15:23 AM
to zaprox...@googlegroups.com
Hi,

I was curious to know if it is possible to extract the alerts info from the session data logs that get generated upon an active or passive scan?
I can use the API to extract the alerts and lots of other information but was wondering if any of this info (alerts, urls etc) is also saved in any of the session files that get generated.
I looked through some of the *session.data files created for my test runs but could not find any info about alerts in them.
Can these session files be used to store to look for the info or are they just keeping facts about what urls were scanned and so forth (the actions taken) and not the results?

Thanks,
Usman

Simon Bennetts

Sep 10, 2013, 4:19:44 AM
to zaprox...@googlegroups.com
Hi Usman,

We've got some info about the session db on the wiki: http://code.google.com/p/zaproxy/wiki/InternalDatabase
All of the core db code is in the org.parosproxy.paros.db package.
The alerts are held in the ALERT table.

The session db contains all of the requests and responses made manually and by the automated tools, ie everything :)

However we don't recommend that you rely on the db format - that can change between releases.
The API is our supported way of accessing session data - if there's something you can't access via the API then let us know and we can add it.

Cheers,

Simon

Usman Waheed

Sep 11, 2013, 1:04:08 PM
to zaprox...@googlegroups.com
Hi Simon,

Thanks for pointing me to the docs.
I do have a question related to session data which goes as follows:

Using the API as of today I create a new session and proxy URLs through ZAP. Then I perform an Active Scan and see if ZAP finds anything interesting.
This is all done via a Java program. The question I have is, let's say I start session A and do the above for a bunch of URLs and while this is running, I start a second session B and perform the same for a separate set of URLs. The problem I run into is when session B starts, it clears contents of session A.
If I don't use the new session method and just proxy both sets of tests A & B through ZAP then the site tree just builds. Over the course of time I would assume this would become a problem so I might then have to write something that would clear everything once the tests are done.

Is there a way I can isolate session information in ZAP when two different sets of URLs are being proxied + active scanned via the API? Or will I have to wait for one test to finish and then launch the second one after? I figured maybe a solution might be to store the results of the test runs to a log file and then have a third party script parse the logs to get results but at the moment I don't think I can do that. I hope I made sense here.

Thanks,
Usman

Simon Bennetts

Sep 12, 2013, 7:37:00 AM
to zaprox...@googlegroups.com
Hi Usman,

A ZAP session covers everything that you do via that ZAP instance - having 2 concurrent sessions is not currently possible in one instance of ZAP.
However you can have multiple instances of ZAP running.
You will need to specify 2 different 'home' directories using the -dir command line option, and also different ports for ZAP to listen on (via configs or the command line).

You can also filter some of the information you get back from the API on a per site basis, such as the alerts and messages.

How would you like it to work (apart from supporting multiple ZAP sessions which isn't practical right now)?
Would you like to be able to clear out messages and or alerts on a site / url basis?
What other information would you like to be able to retrieve per site?

I'm very happy to extend the API to handle these sort of requirements.

Cheers,

Simon
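
The setup described in the reply above (one ZAP instance per test set, each with its own `-dir` home directory and port, plus per-site alert filtering through the API) could be scripted as follows. This is an added example, not code from the thread or the ZAP project; the instance names, ports, directories and sites are constructed sample values, and `zap.sh` on PATH and an API key in `ZAP_API_KEY` are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Instance names, ports, directories and
# target sites are constructed sample values; zap.sh is assumed to be on PATH.
ZAP_BIN="${ZAP_BIN:-zap.sh}"
ZAP_HOST="127.0.0.1"                      # keep proxy and API on loopback only
BASE_DIR="${ZAP_BASE_DIR:-${HOME:-/tmp}/zap-homes}"

# name|port|site : one line per independent test set (one session each)
INSTANCES="projA|8090|http://a.example.test
projB|8091|http://b.example.test"

names()   { printf '%s\n' "$INSTANCES" | cut -d'|' -f1; }
field()   { printf '%s\n' "$INSTANCES" | awk -F'|' -v n="$1" -v f="$2" '$1 == n { print $f }'; }
home_of() { printf '%s/%s\n' "$BASE_DIR" "$1"; }

# Two instances sharing a name (home directory) or a port would collide.
check_unique() {
  dup=$(printf '%s\n' "$INSTANCES" | cut -d'|' -f1 | sort | uniq -d
        printf '%s\n' "$INSTANCES" | cut -d'|' -f2 | sort | uniq -d)
  [ -z "$dup" ]
}

# Arguments for one instance: headless, own port, own home directory (-dir).
# api.key is passed via -config (assumption: a release that enforces API keys).
zap_args() {
  printf '%s\n' "-daemon -host $ZAP_HOST -port $(field "$1" 2) -dir $(home_of "$1") -config api.key=${ZAP_API_KEY:-}"
}

alerts_endpoint() { printf 'http://%s:%s/JSON/core/view/alerts/\n' "$ZAP_HOST" "$(field "$1" 2)"; }

# Alerts for this instance's site only, using the API's baseurl filter.
fetch_alerts() {
  curl -s -G -H "X-ZAP-API-Key: ${ZAP_API_KEY:-}" \
       --data-urlencode "baseurl=$(field "$1" 3)" "$(alerts_endpoint "$1")"
}

case "${1:-}" in
  start)
    check_unique || { echo "duplicate instance name or port" >&2; exit 1; }
    for n in $(names); do
      mkdir -p "$(home_of "$n")"
      # Word splitting is intended; paths are assumed to contain no spaces.
      "$ZAP_BIN" $(zap_args "$n") > "$(home_of "$n")/zap.out" 2>&1 &
    done ;;
  alerts) fetch_alerts "${2:-}" ;;
esac
```

Run it with `start` to launch every instance and with `alerts projA` to pull one instance's alerts; a key passed on the command line is visible in the process list, so this suits a dedicated test host.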

Usman Waheed

Sep 15, 2013, 5:51:29 AM
to zaprox...@googlegroups.com
Greetings Simon,

> Would you like to be able to clear out messages and or alerts on a site / url basis?

It would be very useful for users to be able to clear out messages + alerts on a site/url basis as you mentioned in your last post.
The reasoning is that it helps to manage what is in the site tree, the message(s) and alerts stored in the session and to basically clear
out information that we don't need after performing a passive + active scan on sites + specific urls. So yes, an API method that allows
us to do that would be very cool to have and in that way I create just one instance of ZAP, have only one session in which I do all my
tests for various projects and clear the results + messages once the tests are done. No need for me to create a separate instance for each
project I need to handle.

I guess I am looking at ZAP down the road to become more like a server that could handle multiple independent sessions and manage the information
in that manner. It definitely suffices what we need today and is awesome for automation via the API etc.

Many Thanks,
Usman

Benjamin Walther

Apr 8, 2014, 2:08:55 PM
to zaprox...@googlegroups.com
Seconding a request for a "clear messages" API call.

Going to script up a SQL call through HSQLDB for now.

Loading 1GB+ sessions just for the alert data is annoying.

Simon Bennetts

Apr 9, 2014, 8:05:51 AM
to zaprox...@googlegroups.com
I'm good with that.
Would one of you like to raise an enhancement request for this?
If you do it then you'll get emails when we start working on it ;)

Re 'ZAP as a server' - I actually proposed this for a Google Summer of Code project: https://www.owasp.org/index.php/GSoC2014_Ideas#OWASP_ZAP_-_As_a_long_running_service
Unfortunately no students applied for it :(
But I'd still like it to happen, so if anyone fancies taking this on (and it will be non trivial) ...

Cheers,

Simon

nera liu

Sep 5, 2014, 1:48:37 AM
to zaprox...@googlegroups.com
Just curious, has anybody raised this feature request yet?

thc...@gmail.com

Sep 9, 2014, 2:22:16 AM
to zaprox...@googlegroups.com
Hi.

Nope.

Best regards.