How to use the global exclude parameter in a config file?


Orsolya Kerner

Jan 27, 2021, 8:39:20 AM
to OWASP ZAP User Group
Hi Everyone,

I would like to use these config parameters in a separate config file:
globalexcludeurl.url_list.url(0).regex='^.*xyz\.xy-zw\.co\.uk.*$'
globalexcludeurl.url_list.url(0).enabled=true
globalexcludeurl.url_list.url(1).regex='^.*swagger\.yaml$'
globalexcludeurl.url_list.url(1).enabled=true
for ZAP proxy which runs in a docker container.
It seems that ZAP disregards them because the scanning report still includes the url which contains the swagger.yaml.
Am I using an incorrect regex expression? Or am I using the wrong format for the config parameters?

Thanks,
Orsolya

eri...@augment1security.com

Jan 27, 2021, 9:28:36 AM
to OWASP ZAP User Group
Hi Orsolya,

You can check your regex using Tools -> Regular Expression Tester (you need the regular expression tester addon installed).
Your swagger regex looks correct. Maybe you can remove the single quotes? The examples in https://www.zaproxy.org/faq/how-do-you-find-out-what-key-to-use-to-set-a-config-value-on-the-command-line/ do not have quotations around the values.

Another thing, can you provide the command you are using to trigger the scan via docker?

Best Regards,
Eric W.
Blog: https://augment1security.com/blog/
Twitter: @aug1sec
Facebook: https://www.facebook.com/aug1sec
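To see why the quoting question matters, here is an added example (not from the thread or from ZAP itself) that parses config lines in the `globalexcludeurl.url_list.url(N).regex=...` form and tests them against sample URLs. With the quotes kept, the quote characters become part of the pattern and the `^` anchor follows a literal, so the pattern can never match; with them stripped, the exclusion applies. It assumes ZAP matches the pattern against the full URL and uses Python's `re` in place of Java's regex engine, which behaves the same for these patterns.

```python
import re

# Constructed sample (dummy hosts as in the thread): entry 0 keeps the
# single quotes around its value, entry 1 has them removed.
CONFIG_LINES = r"""
globalexcludeurl.url_list.url(0).regex='^.*xyz\.xy-zw\.co\.uk.*$'
globalexcludeurl.url_list.url(0).enabled=true
globalexcludeurl.url_list.url(1).regex=^.*swagger\.yaml$
globalexcludeurl.url_list.url(1).enabled=true
"""

KEY_RE = re.compile(r"^globalexcludeurl\.url_list\.url\((\d+)\)\.(regex|enabled)=(.*)$")


def parse_exclude_config(text):
    """Return {index: {"regex": str, "enabled": bool}} from the config lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        idx, field, value = int(m.group(1)), m.group(2), m.group(3)
        entry = entries.setdefault(idx, {"regex": "", "enabled": False})
        if field == "regex":
            entry["regex"] = value  # kept verbatim, quotes included
        else:
            entry["enabled"] = value.lower() == "true"
    return entries


def is_quoted(rx):
    """True if the value is wrapped in single or double quotes; the quotes then
    become part of the pattern, and a '^' after a literal character never matches."""
    return len(rx) >= 2 and rx[0] == rx[-1] and rx[0] in "'\""


def strip_quotes(entries):
    """Copy of entries with the wrapping quotes removed from each regex."""
    return {i: {"regex": e["regex"][1:-1] if is_quoted(e["regex"]) else e["regex"],
                "enabled": e["enabled"]} for i, e in entries.items()}


def is_excluded(entries, url):
    """True if an enabled pattern matches the whole URL. Assumption: ZAP applies
    the pattern to the full URL; Python's re stands in for Java's regex here."""
    return any(e["enabled"] and re.fullmatch(e["regex"], url) is not None
               for e in entries.values())
```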

Orsolya Kerner

Jan 28, 2021, 8:21:04 AM
to OWASP ZAP User Group
Hi Eric,

Sorry about the delay. I checked my regex using Tools -> Regular Expression Tester and I have removed the single quotes around it.
My main problem is with this url (this example is a dummy one):
globalexcludeurl.url_list.url(0).regex='^.*bla\.blabla\.blabla-bla\.co\.uk.*$'
globalexcludeurl.url_list.url(0).enabled=true
because that url is a third-party url which I do not want the ZAP proxy to scan at all.
I run a python test via ZAP proxy which tests api endpoints (with simple requests to my api endpoints via ZAP proxy) and some of the endpoints have redirects to the url that is in the global exclude url, but I see this in the ZAP proxy log:
"owasp-zap      | 94803 [ZAP-ProxyThread-2] WARN  org.parosproxy.paros.core.proxy.ProxyThread - Failed to read http://bla.blabla.blabla-bla.co.uk/xsi-actions/v2.0/user/x...@test.com/services within 20 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel."

I do not know whether it means ZAP would like to scan that third-party url or not.
When I get the report by this command: "zap-cli report -o ulpreport.html -f html", the report does not include any information about that third-party url, just about my api endpoints/urls.

Thanks,
Orsolya