Need help with Automation plan warnings for status 202


Priyam Pratap Singh (Devil)

Mar 21, 2024, 12:45:29 AM
to ZAP User Group
I'm running an Automation plan on my Kali Linux using a YAML file. It works fine and gives me a traditional-json report with more than 300 URLs found.
But when I'm running it on an Amazon EC2 Kali server using the same YAML file, it just gives 1 URL in the report and throws this warning at the end of the terminal:
Automation plan warnings : job spider error accessing url https://www.***.com/ status code returned : 202 expected 200.

I can't figure out what's wrong, please help to identify and resolve this problem.
It is only happening with one of my websites, working fine for others.

Here's my YAML config : 
---
env:
  contexts:
  - name: "defaultcontext"
    urls:
      - "%URL%"
    includePaths:
    excludePaths: []
    sessionManagement:
      method: "http"
      parameters: {}
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
  vars: {}
jobs:
- parameters:
    context: "defaultcontext"
    maxDuration: 10
    maxDepth: 5
    maxChildren: 100
  name: "spider"
  type: "spider"

- parameters:
    context: "defaultcontext"
    maxDuration: 10
    maxCrawlDepth: 5
  name: "spiderAjax"
  type: "spiderAjax"
 
- parameters:
    template: "traditional-json"
    reportDir: "/opt/pentester/result/"
    reportFile: "zapUrl%FILE_NAME%.json"
  type: "report"

kingthorin+zap

Mar 21, 2024, 9:45:55 AM
to ZAP User Group

Please don't cross post and pollute other threads. This is a community support area; if someone has something to add they'll add it eventually.

In this case there isn't enough detail for us to answer. You have access to the environment(s); you tell us what the difference is. We have no clue why you get a 200 in one case and a 202 in another. Check the traffic.

Simon Bennetts

Mar 22, 2024, 11:47:25 AM
to ZAP User Group
That is just a warning which you can ignore. FYI your plan is actually ignoring it :)

I was wondering if we should treat all 2xx codes as a pass, but then I re-read the 202 description on https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/202 :
  • The HyperText Transfer Protocol (HTTP) 202 Accepted response status code indicates that the request has been accepted for processing, but the processing has not been completed; in fact, processing may not have started yet. The request might or might not eventually be acted upon, as it might be disallowed when processing actually takes place.
  • 202 is non-committal, meaning that there is no way for the HTTP to later send an asynchronous response indicating the outcome of processing the request. It is intended for cases where another process or server handles the request, or for batch processing.
I'm not sure that we can treat 202 as an unqualified response.
I recommend you double check exactly what is being returned in this case.

Cheers,

Simon
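
One way to do the traffic check suggested in the replies, as an added example that is not part of the thread or of ZAP: capture what the start URL returns on each host and list the fields that differ. The function names and header selection are assumptions, and the request is sent by Python's own client rather than through ZAP, so it shows what the site returns to each host, not exactly what the spider received.

```python
import hashlib
import json
import sys
import urllib.error
import urllib.request

HEADERS_OF_INTEREST = ("content-type", "server", "location", "retry-after")  # assumed selection


def summarize(status, headers, body):
    """Reduce one response to a small dict that can be diffed across hosts."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {
        "status": status,
        "headers": {h: lowered[h] for h in HEADERS_OF_INTEREST if h in lowered},
        "body_bytes": len(body),
        "body_sha256": hashlib.sha256(body).hexdigest(),
        "body_preview": body[:200].decode("utf-8", errors="replace"),
    }


def fetch_summary(url, timeout=15):
    """Fetch url once and summarize it; non-2xx responses are summarized too."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return summarize(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as err:
        return summarize(err.code, dict(err.headers), err.read())


def _flatten(summary):
    """Lift headers to 'header:<name>' keys so every field compares uniformly."""
    flat = {k: v for k, v in summary.items() if k != "headers"}
    flat.update({"header:" + k: v for k, v in summary["headers"].items()})
    return flat


def diff_summaries(a, b):
    """Return {field: (value_a, value_b)} for every field that differs."""
    fa, fb = _flatten(a), _flatten(b)
    return {k: (fa.get(k), fb.get(k)) for k in sorted(set(fa) | set(fb)) if fa.get(k) != fb.get(k)}


if __name__ == "__main__":
    if sys.argv[1:2] == ["--diff"]:
        with open(sys.argv[2]) as file_a, open(sys.argv[3]) as file_b:
            print(json.dumps(diff_summaries(json.load(file_a), json.load(file_b)), indent=2))
    elif len(sys.argv) > 1:
        print(json.dumps(fetch_summary(sys.argv[1]), indent=2))
```

Run it with the URL as the only argument on each host and save the output, then run it with `--diff` and the two saved files to see which of status, headers and body differ.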