I've been reading and reading as much as possible in the help files, forums and links. Thanks, still need help.
On Tuesday, December 13, 2016 at 11:32:09 AM UTC-6, Wendell Fry wrote:
I'm looking at sending our code to our client and then giving them a simple way to use ZAP to scan the code for themselves, besides them just using Fortify. ZAP in medium attack mode takes over 3 days and in Low mode takes under 2 days to scan the code locally on my machine, so we want to possibly use command line or daemon mode.
I'm thinking we need to tell command or daemon where to attack, and where to save the results to (newsession). I suppose it will want the proper permissions and context (which is in the context file).
I'm having a problem. I use the command:
zap -cmd -newsession E:\OWASP_ZAP\sessions\20161213-01-1106am.session -quickurl http://localhost -quickprogress
and I get "Failed to attack the URL: Received a 401 response code."
If I use "localhost:8090" I first get "spidering" and then get "Failed to attack the URL: Scans are not allowed on targets not in scope when in Protected mode: http://localhost:8090."
I presume that it's pulling the mode from my config file, so it would need a context file scope to go by, which should be http://localhost (which it used when I was scanning in Protected mode in the GUI). So localhost must be in scope (not sure), but it is not giving a proper response, giving out the 401 response code.
While Protected mode is a very good option for the UI, I wouldn't recommend it for automation. Just leave ZAP in Standard mode and you won't have to worry about setting up contexts.
However, if you really do want to use it then we can talk you around the problems you're seeing.
Am I on the right track? Any suggestions? In the GUI, spidering localhost gave us the full url list, and then "active scan" gave us the necessary results. Want to do that with the cmd prompt. Thanks! - Wendell