ZAP command-line scope


matt

Feb 12, 2021, 4:43:02 PM
to OWASP ZAP User Group
Looking to run via CI the zap-baseline script against some web properties. When I use a context file (even though I don't specify any included URLs) it scans into the various pages. Without a context file (even though it's authenticated) it just looks at the root url.

Is there a way to specify via command-line to include the current url as in-scope? I'm trying to avoid using the context file because the contents would have to be dynamic for our various user testing accounts and urls as part of the CI pipeline.

Thanks.

Simon Bennetts

Feb 15, 2021, 4:23:47 AM
to OWASP ZAP User Group
That's really difficult to say without knowing much more about your application.
When using the baseline scan the whole site is in scope by default, so in theory you don't have to do anything.
But life is never that simple and you've clearly got a case where that doesn't work.
I always recommend that people start by using the ZAP desktop, even if you just want to use ZAP in automation.
It's much easier to see what's going on and to try things out.
There will be limits to what you can do without a context file.
However, the context file format is not that complicated, so you could generate a context file dynamically with the required details.

Cheers,

Simon

matt

Feb 16, 2021, 10:10:00 AM
to OWASP ZAP User Group
Thanks for the reply, Simon.

Just to give some more details on my 'issue'. When I pass in a context file to the baseline scanner that just has these include/exclude urls...
        <inscope>true</inscope>
        <excregexes>https://some.thirdparty.com.*</excregexes>
...the scanner will scan my top level URL and try the various forms and such on the page and drill down.

If I scan without that context file (but still authenticated) it will just scan the top level URL but will not work with the forms nor drill down. That's why I was thinking I need to tell it somehow the scope. The only other stuff in the context is just for authentication.

Simon Bennetts

Feb 16, 2021, 10:29:12 AM
to OWASP ZAP User Group
Can you paste sanitized versions of your include regexes?
Have you tested them in the desktop?
I suspect that they are not including the lower level URLs...

matt

Feb 16, 2021, 10:34:21 AM
to OWASP ZAP User Group
I have no include regexes. The context file just has that one exclude regex.

Simon Bennetts

Feb 16, 2021, 11:06:48 AM
to OWASP ZAP User Group
Then you have nothing in scope and ZAP is doing the right thing :)
You need to include URLs not just exclude them.

matt

Feb 16, 2021, 11:12:20 AM
to OWASP ZAP User Group
If I scan in the GUI then yes I have to include the URL. BUT when I'm scanning via the zap-baseline.py script the context file has no include URLs in it and it is working - scanning the forms and below. The problem is when I don't specify a context it doesn't scan the page forms and below.

That's why I was wondering what's going on there and why does a context file without includes work, but not using a context file does not and is there anything I can do about that.

Thanks again.


Simon Bennetts

Feb 16, 2021, 12:43:53 PM
to OWASP ZAP User Group
If you supply a URL then ZAP treats everything under it as in scope because that's all you've given us.
If you supply a context then that takes precedence.
By default contexts don't include anything. The only alternative would be that contexts include everything, but then we could end up trying to scan the whole internet :)
The UI does actually work in the same way.
Define a context like you have now and then try to perform an active scan specifying that context - nothing should get scanned.
You need to specify an include regex pattern if you use contexts, that's just the way it is :)

Cheers,

Simon
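Simon's suggestion of generating the context file dynamically in the CI pipeline, as an added example that is not part of this thread or of the ZAP project: the script derives an include regex from the target URL, writes it next to the exclude regex, and checks URLs against the scope rule described above (a URL is in scope only if it matches some include regex and no exclude regex). The element names <inscope>, <incregexes> and <excregexes> are those used in the thread; the <configuration>/<context> wrapper, the omission of ZAP's other context elements (authentication, technology), and the full-match regex semantics are assumptions.

```python
"""Build a ZAP context file with an include regex derived from the target
URL, and check which URLs that context puts in scope."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit


def build_context(name, target_url, exclude_regexes=(), include_target=True):
    """Return context XML. With include_target=False the file has only the
    exclude regex, reproducing the 'nothing in scope' context from the thread."""
    parts = urlsplit(target_url)
    # Everything under the scheme+host is in scope; escape the host so the
    # dots are literal instead of regex wildcards.
    include = re.escape(f"{parts.scheme}://{parts.netloc}") + ".*"
    root = ET.Element("configuration")          # wrapper layout is an assumption
    ctx = ET.SubElement(root, "context")
    ET.SubElement(ctx, "name").text = name
    ET.SubElement(ctx, "inscope").text = "true"
    if include_target:
        ET.SubElement(ctx, "incregexes").text = include
    for rx in exclude_regexes:
        ET.SubElement(ctx, "excregexes").text = rx
    return ET.tostring(root, encoding="unicode")


def scope_regexes(context_xml):
    """Extract (include, exclude) regex lists from a context file."""
    ctx = ET.fromstring(context_xml).find("context")
    inc = [e.text for e in ctx.findall("incregexes")]
    exc = [e.text for e in ctx.findall("excregexes")]
    return inc, exc


def in_scope(url, context_xml):
    """Scope rule as described in the thread: the URL must match at least one
    include regex and no exclude regex (full-match semantics assumed)."""
    inc, exc = scope_regexes(context_xml)
    if not any(re.fullmatch(rx, url) for rx in inc):
        return False          # an exclude-only context never reaches here
    return not any(re.fullmatch(rx, url) for rx in exc)


if __name__ == "__main__":
    # Constructed sample values for the CI target and the third-party exclude.
    ctx = build_context("ci", "https://app.example.com/login",
                        ["https://some.thirdparty.com.*"])
    print(ctx)
    for u in ("https://app.example.com/account", "https://some.thirdparty.com/x"):
        print(u, "in scope" if in_scope(u, ctx) else "out of scope")
```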