Automating AJAX Spider


bclark

Sep 26, 2022, 12:17:08 PM
to OWASP ZAP User Group
Hi,

I have been trying to accomplish the task of automating ZAP to test my web application. As I started this process, everything went well until I got to the AJAX Spider.
 
Process: I go to add job, click spiderAjax, add Default Context, select the URL I want to attack, show advanced options and select Chrome as the Browser Id and hit save. 

Results: No chrome window shows when the job is started. When the automation gets to the AJAX job, it will have a yellow circle, status: running, and info OK: []. It never gets past this job. When I run a regular spider after some time, the status goes to OK and the info shows the job completed. 

I have tried some different approaches with my website and also attacking the Juice Shop and have gotten the same results. My overall question would be why does the AJAX not produce any results when run in automation? Along with why is the AJAX not producing a window showing the process of the spider in automation like it does outside automation?
Thanks for taking the time to help. 

kingthorin+owaspzap

Sep 26, 2022, 12:59:17 PM
to OWASP ZAP User Group

bclark

Sep 26, 2022, 2:12:31 PM
to OWASP ZAP User Group
Thanks for the quick response. 

I have already been to that page and came to the user group page. 

kingthorin+owaspzap

Sep 26, 2022, 5:53:12 PM
to OWASP ZAP User Group
So what was in the log file?
What version of Chrome do you have installed?
What platform?
What version of Java?

bclark

Sep 27, 2022, 12:34:51 PM
to OWASP ZAP User Group
The error showing - [ZAP-Automation] ERROR UncaughtExceptionLogger - Exception in thread "ZAP-Automation"
java.lang.IllegalStateException: The starting URI does not belong to the context: 

ZAP - 2.11.1

Chrome - 105.0.5195.127

Platform - Windows 10

Java - 1.8.0_332

kingthorin+owaspzap

Sep 27, 2022, 1:01:39 PM
to OWASP ZAP User Group
"The starting URI does not belong to the context" seems to sum it up pretty clearly.
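
A pre-flight check for the "starting URI does not belong to the context" condition quoted above, as an added example that is not part of the thread and not ZAP's own code. It applies a simplified model of context membership to data laid out like an automation plan; the plan contents and the helper names `in_context` and `check_plan` are constructed for illustration.

```python
import re

# Constructed data laid out like the env/jobs sections of an automation plan.
PLAN = {
    "env": {"contexts": [{
        "name": "Default Context",
        "urls": ["http://localhost:3000"],
        "includePaths": [],
        "excludePaths": [r"http://localhost:3000/logout.*"],
    }]},
    "jobs": [
        {"type": "spider", "parameters": {"context": "Default Context"}},
        {"type": "spiderAjax", "parameters": {
            "context": "Default Context",
            "url": "http://127.0.0.1:3000/",  # same app, different host string
            "browserId": "chrome",
        }},
    ],
}


def in_context(url, ctx):
    """Simplified model (assumption): a URL is in the context when it sits under
    a top-level URL or fully matches an include regex, and matches no exclude."""
    included = any(url.startswith(top) for top in ctx.get("urls", [])) or any(
        re.fullmatch(rx, url) for rx in ctx.get("includePaths", []))
    excluded = any(re.fullmatch(rx, url) for rx in ctx.get("excludePaths", []))
    return included and not excluded


def check_plan(plan):
    """Return (job type, start URL, problem) for every job whose start URL fails."""
    contexts = {c["name"]: c for c in plan["env"]["contexts"]}
    default = plan["env"]["contexts"][0]["name"]  # assumption: first context is the default
    problems = []
    for job in plan["jobs"]:
        params = job.get("parameters", {})
        url = params.get("url")
        if not url:
            continue  # no explicit start URL to validate
        ctx = contexts.get(params.get("context") or default)
        if ctx is None:
            problems.append((job["type"], url, "unknown context"))
        elif not in_context(url, ctx):
            problems.append((job["type"], url, "start URL not in context"))
    return problems


if __name__ == "__main__":
    for job_type, url, problem in check_plan(PLAN):
        print(f"{job_type}: {url}: {problem}")
```

The constructed plan fails because the job's start URL uses `127.0.0.1` while the context only covers `localhost`, a mismatch that is easy to miss when both point at the same application.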

bclark

Sep 27, 2022, 1:03:30 PM
to OWASP ZAP User Group
More on the error, if I remove the selected URL, AJAX will finish but with 0 URLs found and the Chrome window is still not opening. If I keep the URL selected, this error shows. 

Simon Bennetts

Sep 28, 2022, 3:51:03 AM
to OWASP ZAP User Group
I think that is a bug that should be fixed in the latest Ajax Spider release (last Friday).
Can you make sure you have this version and try again?

Cheers,

Simon

bclark

Sep 29, 2022, 12:17:36 PM
to OWASP ZAP User Group
Hi guys, 

I have updated to the newest version and have tried rerunning all of the automation. I still am having no luck with the AJAX spider. I am stuck and am confused on what I am doing wrong. 

If I right click on the URL I am attacking under 'sites' and use the AJAX spider, it brings up the Chrome Window, runs for whatever amount of time and finds so many URLs. It works fine. 

I then clear the session, open the 'Automation' tab, add the default context, add a spiderAjax job, add the default context to that and hit the run button. The spiderAjax job finds no URLs and doesn't bring up a window.

Is there something I am missing for it to run correctly? I have had success with the automation of active scan and the regular spider but it seems that I just can't get the spiderAjax. 

I appreciate you both taking the time to help, 
Brody 

Simon Bennetts

Sep 30, 2022, 3:33:19 AM
to OWASP ZAP User Group
Have you updated all of the add-ons?
If not then do that because I know a couple of bugs were fixed in the Ajax Spider one.

Cheers,

Simon

bclark

Sep 30, 2022, 1:56:06 PM
to OWASP ZAP User Group
The add-ons seem to be what I was missing. 

Thank you for taking the time to help and have a great weekend,
Brody
