Quick Start> Automated Scan> Spider not capturing URLs

[ramya patri]

Hi Members,

I am looking for help on Spider configuration in ZAP that will help me capture maximum URLs in the application.

I have setup the session using HTTP sessions and provided the application URL to the browser that is provided within ZAP, so proxy is pre-configured.

In URL to attack under automated scan, I gave the application URL and hit Attack.

Spider scan started, but only very few end points got collected, that too ones like .js, .css files and nothing else. Spider used the session I provided.

I had configured Spider options to crawl maximum depth and maximum requests by setting the values to 0 (Tools>Spider>Options) and also selected all type of requests to be captured.

Not sure if I am missing anything.

Any help on this please?

Thanks,
Ramya Patri.

[Simon Bennetts]

Hi Ramya,

Is your an application a modern one? In other words does it use JavaScript to create the links?

If so you'll need to use the Ajax Spider.

Cheers,

Simon

[ramya patri]

Thanks for the response, I am not sure if it uses js to create links, but I have enabled Ajax Spider as well.

[ramya patri]

looks like Ajax Spider is not logging into app at all. Not sure what's wrong.

[Simon Bennetts]

I don't know either, because I dont have access to your application :)

Howeever if it uses authentication then you need to configure ZAP to understand it.

Thats non trivial, but we've recorded a whole workshop just on this topic: https://www.zaproxy.org/addo-auth-workshop/