Limiting attack mode queue


Inder

Mar 14, 2023, 10:04:49 PM
to OWASP ZAP User Group
I am running ZAP as a daemon in attack mode to automatically scan the endpoints crawled by an automated script. I have a separate workflow which monitors the queue through the API and waits for the queue to clear before exporting a report. However, in some cases, ZAP seems to keep adding new endpoints and the scan runs infinitely. Therefore, I am looking for a way to limit what is being added to the queue. 

I'm wondering if it's possible to limit attack mode to only add new hosts to the queue when observed over the proxy rather than from the spider or responses. 

If that is not possible, is there some sort of API request which can signal to ZAP to stop adding items to the queue or switch modes without clearing the queue?


Simon Bennetts

Mar 15, 2023, 7:52:55 AM
to OWASP ZAP User Group
I'm always a bit confused when people use attack mode in automation. It was always intended to be a manual only option ;)

ZAP doesn't add requests to the queue on its own.
The requests are always proxied through ZAP.
This can be via a browser, unit tests, the 2 spiders etc.

Right now there is no way to limit the attack mode to ignore the spiders.
That could be added, but would it really be that useful?

Can you check to see what requests are being added to the queue and then work out where they are coming from?
You can always change the ZAP mode from Attack to Standard in order to stop the active scan.

Cheers,

Simon
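The workflow described in the thread (poll the active-scan queue through the API, wait for it to drain, and fall back to switching the mode when the queue never empties) as an added example; this is not code from either poster or from the ZAP project. It assumes a ZAP daemon at 127.0.0.1:8080, an API key supplied as a placeholder, the `ascan/view/scans` view and `core/action/setMode` action of the JSON API, and treats `FINISHED` and `STOPPED` as terminal scan states (an assumption about the view's state strings). The runaway guard is the part the thread lacks: it stops waiting once more distinct scans have been queued than a caller-chosen cap, or once a wall-clock budget is spent, rather than looping forever.

```python
"""Watch the ZAP active-scan queue over the REST API with a runaway guard.

Added example for this thread, not code from the ZAP project. Assumptions:
ZAP daemon on 127.0.0.1:8080, API key in ZAP_API_KEY (placeholder), the JSON
endpoints ascan/view/scans and core/action/setMode, and FINISHED/STOPPED as
the terminal scan states.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"          # assumed daemon address
ZAP_API_KEY = "REPLACE_WITH_ZAP_API_KEY"     # placeholder, not a real key
DONE_STATES = {"FINISHED", "STOPPED"}         # assumed terminal states


def zap_json(component, kind, name, **params):
    """Call one ZAP JSON endpoint, e.g. zap_json("ascan", "view", "scans")."""
    url = f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"X-ZAP-API-Key": ZAP_API_KEY})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def summarize_scans(scans):
    """Split the ascan/view/scans list into active and finished scan ids."""
    active, done = set(), set()
    for scan in scans:
        (done if scan.get("state") in DONE_STATES else active).add(scan["id"])
    return active, done


class QueueWatcher:
    """Decide when to stop waiting on the queue.

    observe() returns None while waiting is fine, "drained" when no scan is
    active, "too_many_scans" when more distinct scans than max_scans have
    ever been queued (the runaway case from the thread), or "budget_exceeded"
    once the wall-clock budget is spent.
    """

    def __init__(self, max_scans, budget_seconds, started_at):
        self.max_scans = max_scans
        self.deadline = started_at + budget_seconds
        self.seen_ids = set()

    def observe(self, scans, now):
        active, done = summarize_scans(scans)
        self.seen_ids |= active | done
        if len(self.seen_ids) > self.max_scans:
            return "too_many_scans"
        if now >= self.deadline:
            return "budget_exceeded"
        if not active:
            return "drained"
        return None


def wait_for_queue(max_scans=50, budget_seconds=3600, poll_seconds=15):
    """Poll the daemon; on a runaway queue leave attack mode, as suggested above."""
    watcher = QueueWatcher(max_scans, budget_seconds, time.time())
    while True:
        scans = zap_json("ascan", "view", "scans")["scans"]
        reason = watcher.observe(scans, time.time())
        if reason is None:
            time.sleep(poll_seconds)
            continue
        if reason != "drained":
            # Switching Attack -> Standard stops the active scanner from picking
            # up further proxied requests; per the thread, it also clears the queue.
            zap_json("core", "action", "setMode", mode="standard")
        return reason, sorted(watcher.seen_ids)


if __name__ == "__main__":
    print(wait_for_queue())
```

The decision logic is kept separate from the HTTP calls so the cap and budget can be exercised against a captured `scans` payload before the watcher is pointed at a live daemon; the `seen_ids` it returns are also the list to compare against the crawler's own targets when working out where unexpected queue entries come from.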

Inder

Mar 15, 2023, 12:07:40 PM
to OWASP ZAP User Group
It seems like the requests are being added from the responses. I'm unable to clearly figure out what exactly is going on since the exported session doesn't include the active scan history when using daemon mode. I don't believe anything is being added from the spider since I specified to exclude everything from the spider in the context. Monitoring that, no spider scans are started. However, I believe they could still be added from the Ajax spider? Changing to standard mode isn't an option because the queue gets cleared and all the required scans don't finish.

I think the feature to limit inputs for attack mode or even an API handler to stop adding new requests to the queue would be great for automation. 

Alternatively, I believe I could possibly use the beforeScan method in the ScannerHook interface to stop scans as they are added (https://javadoc.io/doc/org.zaproxy/zap/latest/org/parosproxy/paros/core/scanner/ScannerHook.html). I'm unsure how to implement this into a script though.

Thank you!