ZAP docker full scan with ajax spider versus the desktop automated scanning results inconsistency

[Vijendhar]

I have run the docker full scan of a target url and the same on the desktop with automated scan. However the results on Desktop show a couple high alerts for sql injection whereas the docker version does not report any of them and both are getting the same urls. 

Any idea why this could be happening and what am i missing?

[Simon Bennetts]

There are all sorts of things that could be going wrong.

The most likely thing is that ZAP is not exploring your app effectively in the docker scan.

First of all, check the zap.log file:

https://www.zaproxy.org/faq/somethings-not-working-what-should-i-do/#check-the-log-file

After that look at https://www.zaproxy.org/docs/docker/diagnosing-problems/

Cheers,

Simon

[Vijendhar]

I was able to get the correct/better results with additional config show below with ' -z"-config ".  

sh 'zap-full-scan.py -i -I -a -j -t https://example.com  -x zapreport.xml -r zapreport.html -z "-config scanner.addQueryParam=true -config scanner.antiCSRF=true -config scanner.attackPrompt=true -config scanner.attackRescan=true -config scanner.scanNullJsonValues=true -config scanner.injectable=31  -config scanner.enabledRPC=191  -config scanner.advDialog=false -config scanner.scanHeadersAllRequests=true "'

[Simon Bennetts]

Thanks for letting us know.

The plan is to be able to export all of the current desktop settings as an Automation Framework plan .. but we're not there yet ..

Cheers,

Simon