Scan gets 403, resend gets 200


rezervoar

Jul 29, 2022, 9:20:20 AM
to OWASP ZAP User Group
Hi,

I am having an issue as in title:

I am testing an API for a mobile app. I imported endpoints, all well. I set the headers, authorization token, everything well... Everything seems fine. Manually, I can do pretty much everything.
But, during active scan, all requests get "403 Forbidden" response.
When I stop or pause my scan and I resend any of the past requests, I get "200"...

I experimented with active scan options, but nothing changed...

My first guess was that scan is too fast. I wanted to insert some pause between the requests, so I tried to increase scan delay. Looking at the timestamps, nothing changed in timing.

I'm stuck.

Any help, please.

Best regards

R.

kingthorin+owaspzap

Jul 29, 2022, 10:26:11 AM
to OWASP ZAP User Group

rezervoar

Jul 30, 2022, 3:37:52 AM
to OWASP ZAP User Group
Hi,

Thank you for your reply.
Unfortunately, this didn't work. I've already tried that even before my post.

Best regards,

R.

Simon Bennetts

Aug 1, 2022, 3:12:38 AM
to OWASP ZAP User Group
Can you find out if a WAF or similar is being used?
Or find out from the service owner if they have any other tech involved which will try to prevent such attacks from being performed?

rezervoar

Aug 1, 2022, 12:50:21 PM
to OWASP ZAP User Group
Hi,

I checked about WAF existence with service owner, and they said there is no WAF in place.

But, I found a peculiarity in ZAP behavior. It seems that I can not change the value for "Delay When Scanning" in Options/Active Scan within one session. Well, I can change it but the change is not effective - not only within the same (paused) scan but also within the successive scans (stop/start).
In order to change the delay, I have to start another session.
I don't know yet whether it is a bug or a feature. I would be glad to hear from you on this.
But, at least, now I know that there is a WAF - I set the delay to 300ms and I get all 200s.

Thank you all for your answers.

Best regards.

R.
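The diagnosis the thread arrives at (same request, 403 when sent back-to-back, 200 when paced out) can be checked outside ZAP with a small probe that sends one identical request several times at a chosen spacing and records the status codes. The script below is an added example written for this page, not code from the thread, from ZAP, or from any vendor. So that it runs offline it starts a constructed local HTTP server that imitates a rate-limiting front end (403 whenever the previous request arrived less than 200 ms earlier); the endpoint path, the threshold and the `Authorization` header value are all placeholders. Against a real target you would drop the fake server and point `rate_probe` at the API URL with the app's real headers.

```python
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed rule for the fake front end: anything closer than this to the
# previous request is refused. A real WAF's window is unknown and may be per-IP,
# per-token or per-path; the probe only tells you that blocking is rate-dependent.
MIN_GAP_SECONDS = 0.2


class RateLimitingHandler(BaseHTTPRequestHandler):
    """Stand-in for a rate-limiting proxy (constructed for this example)."""

    last_seen = 0.0
    lock = threading.Lock()

    def do_GET(self):
        now = time.monotonic()
        with RateLimitingHandler.lock:
            too_fast = (now - RateLimitingHandler.last_seen) < MIN_GAP_SECONDS
            RateLimitingHandler.last_seen = now
        status, body = (403, b"Forbidden\n") if too_fast else (200, b"OK\n")
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example's output to the probe results only


def start_fake_waf():
    """Serve the fake front end on a random loopback port; return (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), RateLimitingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    return server, f"http://127.0.0.1:{port}/api/items"  # placeholder path


def fetch_status(url, headers):
    """Return the HTTP status of one GET, treating 4xx/5xx as data, not errors."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def rate_probe(url, headers, count, delay_seconds):
    """Send `count` identical requests, pausing `delay_seconds` before each one,
    and return the status codes in order. Pausing before the first request too
    means consecutive probes do not bleed into each other."""
    statuses = []
    for _ in range(count):
        time.sleep(delay_seconds)
        statuses.append(fetch_status(url, headers))
    return statuses


def looks_rate_limited(fast, slow):
    """The signature from the thread: blocked when hammered, accepted when paced."""
    return any(code == 403 for code in fast) and all(code == 200 for code in slow)


if __name__ == "__main__":
    server, url = start_fake_waf()
    headers = {"Authorization": "Bearer example-token"}  # placeholder credential
    fast = rate_probe(url, headers, count=5, delay_seconds=0.0)
    slow = rate_probe(url, headers, count=5, delay_seconds=0.3)
    print("back-to-back :", fast)
    print("300 ms apart :", slow)
    print("rate-based blocking?", looks_rate_limited(fast, slow))
    server.shutdown()
```

If the paced run is still all 403 while a single manual resend gets 200, the trigger is not request rate but something else the scanner changes (payloads, headers, a session or token that the scan invalidates), and the fix is not a scan delay.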