OWASP ZAP: Problems to run OWASP ZAP against an Application which uses VAADIN


Jens Kuzminski

Sep 5, 2018, 8:29:57 AM
to OWASP ZAP User Group

Hello,
 
for a couple of weeks I tried without success to configure ZAP 2.7 to run against a web application which uses the VAADIN framework.

Now, for two weeks, I have been trying it with the OWASP weekly build and the new feature "Authentication Status".
My problem is: after a valid application login, the following pages are moved. It seems that ZAP does not get the application context.
--> I cannot identify the needed/right configuration.
 
I hope you can help me or give a hint.

Many thanks and best regards
Jens

Simon Bennetts

Sep 5, 2018, 8:32:17 AM
to OWASP ZAP User Group
I'm afraid I know very little about the VAADIN framework, and suspect other people here will be in the same position.
Can you explain in a lot more detail what you have done and why it appears not to be working for you?

Cheers,

Simon

Jens Kuzminski

Sep 5, 2018, 2:10:32 PM
to OWASP ZAP User Group
I'm using the current OWASP ZAP weekly build.
And in the tab "Authentication Status", the functionality "Check status".

The configuration looks fine:

[screenshot: configuration]

When I then start the "Scan" I receive the following result:

[screenshot: scan result]
When I only change the "Starting Point":

[screenshot: starting point]

and start the "Scan" I receive the following result:

[screenshot: scan result]

This result looks much better. But I'm not sure if this is a base for a valid scan.


How can I identify that my configuration is good and complete?
It would be great to get information about indicators for a valid scan base.

Regards
Jens


kingthorin+owaspzap

Sep 5, 2018, 4:38:45 PM
to OWASP ZAP User Group

Jens Kuzminski

Sep 13, 2018, 12:21:01 PM
to OWASP ZAP User Group
Many thanks for this useful hint!