ZAP scanning only a specific page/URL


Dan Cornell

Jan 11, 2017, 3:31:51 PM
to OWASP ZAP User Group
All:

I was working over the weekend to put together a script that would set up a new ZAP session and scan a specific URL (not an entire site). This is what I came up with:

The process is basically:

- Set up new session
- Call core.access_url to get the URL into the session. Doesn't recognize potential inbound parameters at this point
- Spider the URL with maxchildren=0, recurse=False, and subtreeonly=True. This gets ZAP to recognize some parameters that can be passed in.
- Sleep for a second (for some reason just waiting for the spider to finish doesn't seem to work)
- For each URL in the session (original, URL w/ parameters, a junk entry or two depending on URL path):
    - Active scan with recurse=False
- Wait for all active scans to finish

This works reasonably well, but seems to have more steps than I'd expect. Just wanted to check with the group to see if anyone had a more elegant way to accomplish this.

Thanks,

Dan

Simon Bennetts

Jan 12, 2017, 4:29:47 AM
to OWASP ZAP User Group
Hey Dan, this is really neat :)

Re the sleep - ZAP adds URLs to the sites tree in a background thread so that it doesn't slow down browsing too much.
One way to avoid having to sleep would be to poll the number of records left to passive scan: pscan / recordsToScan
We do that in zap-baseline.py although you'll probably want a much shorter poll time ;)
The passive scanning is done in the same thread that adds the URLs to the sites tree, so that will have been done once the recordsToScan is zero. This will only work if nothing else is being proxied via ZAP.

Other than that it looks about right to me - you could submit a PR to the community-scripts repo, we have a section for api scripts now: https://github.com/zaproxy/community-scripts/tree/master/api
Be good to have the hardcoded values passed in as parameters of course ;)

Many thanks,

Simon
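The flow Dan lists in his post, with Simon's suggestion of polling pscan/recordsToScan in place of the one-second sleep, as an added example. This is not Dan's script and not ZAP project code. The method names are those of the python-owasp-zap-v2.4 client (ZAPv2); the target URL, the proxy address 127.0.0.1:8080, the filter that keeps only sites-tree entries for the target path (dropping the parent-path junk entries Dan mentions), and the FakeZap stand-in that simulates ZAP's asynchronous sites-tree update so the logic can be exercised without a running scanner are all assumptions of this example:

```python
"""Scan one URL with the ZAP API (added example; method names follow the
python-owasp-zap-v2.4 client, FakeZap is a constructed offline stand-in)."""
import time
from types import SimpleNamespace


def wait_for_passive_scan(zap, poll=0.2, timeout=60):
    """Poll pscan.records_to_scan until it is 0; return the poll count.
    ZAP fills the sites tree and passively scans on the same background
    thread, so an empty queue means core.urls() is complete (assuming
    nothing else is being proxied through ZAP meanwhile)."""
    deadline, polls = time.monotonic() + timeout, 0
    while True:
        polls += 1
        if int(zap.pscan.records_to_scan) == 0:
            return polls
        if time.monotonic() > deadline:
            raise TimeoutError("passive scan queue did not drain")
        time.sleep(poll)


def wait_for_scan(status_fn, scan_id, poll=0.5, timeout=3600):
    """Poll spider.status / ascan.status until the scan reports 100%."""
    deadline = time.monotonic() + timeout
    while int(status_fn(scan_id)) < 100:
        if time.monotonic() > deadline:
            raise TimeoutError(f"scan {scan_id} did not finish")
        time.sleep(poll)


def scan_single_url(zap, target, poll=0.2):
    """Dan's flow, with the sleep replaced by the passive-scan poll.
    Returns the URLs that were actively scanned."""
    zap.core.new_session(name="", overwrite="true")
    zap.core.access_url(target)               # URL into the session
    sid = zap.spider.scan(url=target, maxchildren=0, recurse="false",
                          subtreeonly="true")  # lets ZAP see the parameters
    wait_for_scan(zap.spider.status, sid, poll)
    wait_for_passive_scan(zap, poll)          # instead of time.sleep(1)
    # Assumption: scan only tree entries for the target path itself (bare
    # and parameterised forms), skipping the parent-path junk entries.
    base = target.split("?", 1)[0]
    urls = [u for u in zap.core.urls() if u.split("?", 1)[0] == base]
    ids = [zap.ascan.scan(url=u, recurse="false") for u in urls]
    for sid in ids:
        wait_for_scan(zap.ascan.status, sid, poll)
    return urls


class FakeZap:
    """Constructed stand-in for ZAPv2 (not the real client): spidered URLs
    only appear in the tree once the simulated passive-scan backlog drains,
    and every scan needs two status polls to reach 100%."""

    def __init__(self, spidered, backlog=3):
        self._spidered, self._backlog = list(spidered), backlog
        self._urls, self._progress, self.ascan_calls = [], {}, []
        self.core = SimpleNamespace(new_session=self._reset, access_url=self._access,
                                    urls=lambda baseurl=None: list(self._urls))
        self.spider = SimpleNamespace(scan=self._spider, status=self._status)
        self.ascan = SimpleNamespace(scan=self._ascan, status=self._status)
        self.pscan = self                     # provides records_to_scan

    @property
    def records_to_scan(self):
        if self._backlog == 0:                # queue empty: tree complete
            self._urls = list(dict.fromkeys(self._urls + self._spidered))
            return "0"
        self._backlog -= 1
        return str(self._backlog + 1)

    def _reset(self, **kw):
        self._urls, self._progress = [], {}

    def _access(self, url, **kw):
        self._urls.append(url)

    def _start(self):
        sid = str(len(self._progress))
        self._progress[sid] = 50              # first status poll says 50%
        return sid

    def _spider(self, url=None, **kw):
        return self._start()

    def _ascan(self, url=None, recurse=None, **kw):
        self.ascan_calls.append((url, recurse))
        return self._start()

    def _status(self, scanid=None):
        pct, self._progress[scanid] = self._progress[scanid], 100
        return str(pct)


if __name__ == "__main__":                    # real use: python scan_one.py URL [APIKEY]
    import sys
    from zapv2 import ZAPv2                   # pip install python-owasp-zap-v2.4
    proxy = "http://127.0.0.1:8080"           # assumption: ZAP's default API/proxy address
    zap = ZAPv2(apikey=sys.argv[2] if len(sys.argv) > 2 else "",
                proxies={"http": proxy, "https": proxy})
    for u in scan_single_url(zap, sys.argv[1]):
        print("actively scanned", u)
```

Against a live ZAP the script is run as python scan_one.py URL APIKEY and talks to the real ZAPv2 client; FakeZap exists only so the polling logic can be checked offline. The records_to_scan poll is the piece that matters: it returns as soon as the queue is empty rather than after a guessed delay, and it raises instead of scanning a half-populated sites tree if the queue never drains.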