Automated Scan returns 404, Manual Scans work as expected


Bernard FitzGerald

Apr 22, 2024, 10:08:15 PM
to ZAP User Group
Hi, very new to ZAP so I'm sure there are obvious things I'm not understanding here.

I have a React app that I'm trying to scan in my corporate environment.

When I use the quick start and point at my site I get the error message:
Failed to attack the URL: received a 404 response code, expected 2xx

If I use the manual scan option I can see the site, I also get the HUD and can (to my knowledge) perform any of the tasks.

I have checked the ZAP.log file and can't see any issues.
I am running:
  • Linux Ubuntu 22.04.3 box
  • Java 21.0.2
  • ZAP 2.14.0
  • There is no proxy on my network
  • There is a self-signed certificate for the site I'm testing
    • I can SSLPoke the site with no issues
    • There is only one Java version installed
    • Site is considered secure by Firefox
  • I have installed a version of Firefox outside of snap install
    • I have set Selenium options to point to this version of Firefox
    • I have set the proxy of this browser to localhost:8080 including SSL sites
  • In Tools->Options->Network->Connection I have tried enabling unsafe SSL/TLS negotiation
  • The site being tested is running in a k8s cluster, the site can be viewed from Firefox with no issue
I've read the docs on connecting in corporate environments and FAQ on working with self-signed certificates to no avail.

Can anyone point me in the right direction?

Thanks, Bernie.


Bernard FitzGerald

Apr 25, 2024, 7:37:58 PM
to ZAP User Group
64799 [ZAP-QuickStart-AttackThread] DEBUG org.zaproxy.addon.network.internal.client.BaseHttpSender - Sending GET https://xxx.yyy.com
64802 [ZAP-QuickStart-AttackThread] DEBUG org.zaproxy.zap.extension.httpsessions.HttpSessionsSite - No session tokens for: xxx.yyy.com:443
64804 [ZAP-QuickStart-AttackThread] DEBUG org.zaproxy.addon.network.internal.client.BaseHttpSender - Sending message to: https://xxx.yyy.com
64811 [ZAP-QuickStart-AttackThread] DEBUG org.zaproxy.addon.network.internal.client.ZapProxySelector - Selected proxies for socket://xxx.yyyy.com:443 [DIRECT]
64877 [ZAP-QuickStart-AttackThread] DEBUG org.zaproxy.addon.network.internal.client.BaseHttpSender - SUCCESSFUL
64877 [ZAP-QuickStart-AttackThread] DEBUG org.zaproxy.addon.network.internal.client.BaseHttpSender - Received response after 72ms for GET https://xxx.yyy.com
64877 [ZAP-QuickStart-AttackThread] DEBUG org.zaproxy.zap.extension.httpsessions.HttpSessionsSite - No session tokens for: xxxx.yyy.com:443
64879 [ZAP-QuickStart-AttackThread] DEBUG org.zaproxy.zap.extension.quickstart.AttackThread - Failed to access URL https://xxx.yyy.com

This is the automated scan DEBUG log if it helps

Bernard FitzGerald

Apr 28, 2024, 7:48:03 PM
to ZAP User Group
Apologies for bumping this, but is this situation familiar to anyone?

Bernard FitzGerald

Apr 28, 2024, 8:16:46 PM
to ZAP User Group
I believe I have found the culprit. No idea why (yet) but the VITE react site returns a 404 before actually loading the site. ZAP hits the 404 first and then doesn't continue on. I'm tipping that if the first response wasn't a 404 then the scan would have been fine.

Simon Bennetts

May 7, 2024, 7:26:46 AM
to ZAP User Group
That's strange.
Try disabling the HUD, you won't need that when automating.

Note that there are lots of ways to automate ZAP, as summarised on https://www.zaproxy.org/docs/getting-further/automation/automation-options/
the Automation Framework will give you much more flexibility to handle situations like this.

Cheers,

Simon
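A minimal Automation Framework plan for the scenario in this thread, added here as an illustration; it is not from the thread or from the ZAP project's own docs. The hostname is the placeholder from the posted log, the browser id assumes the Firefox set up for Selenium in the first post, and the report directory is an assumption.

```yaml
env:
  contexts:
    - name: "react-app"
      urls:
        - "https://xxx.yyy.com"     # placeholder host from the posted log
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
jobs:
  # Send the first request explicitly. Unlike the Quick Start attack, the
  # plan keeps going whatever status the Vite dev server answers with.
  - type: requestor
    requests:
      - url: "https://xxx.yyy.com"
        method: "GET"
  # Traditional spider for server-side links, then the AJAX spider for the
  # client-side routes a React build only exposes after its JavaScript runs.
  - type: spider
    parameters:
      context: "react-app"
      maxDuration: 5
  - type: spiderAjax
    parameters:
      context: "react-app"
      maxDuration: 10
      browserId: "firefox-headless"   # assumes the non-snap Firefox from the first post
  - type: passiveScan-wait
    parameters:
      maxDuration: 5
  - type: activeScan
    parameters:
      context: "react-app"
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/tmp/zap-reports"   # assumed output path
      reportFile: "react-app-scan"
```

Run it headless with `zap.sh -cmd -autorun /path/to/plan.yaml`; the requestor job's response shows up in the History tab (or the report) so you can see the initial 404 without the scan stopping on it.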