How to save, replay and extend manual exploration?


christian kolbl

Nov 23, 2021, 7:28:00 AM
to OWASP ZAP User Group
Hi there,
I'm relatively new to ZAP and meanwhile I have read a lot about it and also watched Simon Bennetts' talks on StackHawk.
I figured that it is possible to make a "scan as you browse" attempt with ZAP. Now here is my use case:
Since I don't have the same test coverage, API documentation etc. on all my applications (esp. the old ones) I need a way to integrate ZAP in CI/CD for those. In my opinion a foolproof way would be to just click through the whole application and proxy the traffic through ZAP. Assuming now I have everything covered, I still have two open points I could not figure out yet:
1. How can I save this "clicking through the application" to use it within ZAP during the CI/CD in daemon mode?
2. How could I extend this collection if new functionalities would be added to the application?

If anyone has a better idea how to cover old applications that do not have any well-formed API documentation (like OpenAPI), Selenium tests or whatsoever, I'd appreciate any suggestions.

Bye Bye,
Christian

Simon Bennetts

Nov 23, 2021, 7:33:21 AM
to OWASP ZAP User Group
Hi Christian,

In ZAP terminology that's "exploring" the app.
If you don't have good tests then you can use the standard spider and/or AJAX spider.
Search for the tag "explore" on https://www.zaproxy.org/videos-list/

Cheers,

Simon

christian kolbl

Nov 23, 2021, 7:46:59 AM
to OWASP ZAP User Group
Hi Simon,

Thank you for the quick response. I'll have a look at that!

Bye,
Christian

christian kolbl

Nov 24, 2021, 9:42:36 AM
to OWASP ZAP User Group
I watched a lot of the suggested videos (thanks again for pointing me to the resource!) and I'd like to share my approach with you.

1. Making the URL collection extendable later on => Start ZAP with GUI and save the session.
2. Exploring the application:
  2.1. Manual exploring
  2.2. Maybe set input values via the Form Handler add-on
  2.3. Spider -> to find links we "forgot" during manual exploring
  2.4. AJAX Spider -> same
  2.5. Forced browsing to find default settings that might be left over.
3. Export URL list
4. Using ZAP in CI/CD with URL list in attack mode
5. Create report
6. In case of enhancements on the application, restart the session and expand the URL list accordingly.

Please let me know if this approach does not make any sense.

Bye,
Christian
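One way to maintain that URL list across sessions (steps 3 and 6 above), as an added example that is not part of the thread: it merges a fresh ZAP URL export into the saved baseline, reports which URLs are new since the last session, and drops anything outside the application's own host so the CI attack run never leaves the app. The export contents and the host name are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data (not real exports): the URL list exported from the
# saved ZAP session (baseline) and a fresh export made after the application
# gained a feature. ZAP's "Export URLs to file" writes one URL per line.
BASELINE_EXPORT = """\
https://app.example.test/
https://app.example.test/login
https://app.example.test/account?tab=profile
https://cdn.example.test/static/app.js
"""
NEW_EXPORT = """\
https://app.example.test/
https://app.example.test/login#form
https://app.example.test/account?tab=profile
https://app.example.test/account/export
https://idp.example.test/oauth2/certs
"""
# Assumption: the only host the CI attack run is allowed to touch.
IN_SCOPE_HOSTS = {"app.example.test"}


def normalise(url):
    """Drop the fragment and lowercase scheme/host so duplicates collapse."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def in_scope(url):
    return urlsplit(url).hostname in IN_SCOPE_HOSTS


def merge_exports(baseline_text, new_text):
    """Merge a new export into the baseline URL list.

    Returns (merged, added, dropped): the in-scope list to feed the CI run,
    the URLs that are new since the baseline (worth a manual look), and the
    out-of-scope URLs from either list, discarded so attack mode stays on the app.
    """
    baseline = {normalise(l) for l in baseline_text.splitlines() if l.strip()}
    new = {normalise(l) for l in new_text.splitlines() if l.strip()}
    dropped = sorted(u for u in baseline | new if not in_scope(u))
    baseline, new = {u for u in baseline if in_scope(u)}, {u for u in new if in_scope(u)}
    return sorted(baseline | new), sorted(new - baseline), dropped


if __name__ == "__main__":
    merged, added, dropped = merge_exports(BASELINE_EXPORT, NEW_EXPORT)
    print("\n".join(merged))
    print("new:", added, "dropped:", dropped)
```

The merged list is what the daemon-mode run consumes; the "new" list is the diff to review before the next session, and the "dropped" list shows third-party hosts that would otherwise have been attacked.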