restrictions on AJAX SPIDER


mir

Mar 26, 2023, 4:08:50 AM
to OWASP ZAP User Group
Hello,
I need to implement restrictions in the AJAX SPIDER.
I need sample code to limit the investigation to 10 minutes, please.
And is it possible to limit the number of addresses (for example, to search up to 20 addresses)?

And another thing - is it possible to see at any given time the number of URL addresses in the PASSIVE SCAN?
Thanks in advance

thc...@gmail.com

Mar 26, 2023, 6:15:42 AM
to zaprox...@googlegroups.com
Hi.

With the option Maximum Duration.
https://www.zaproxy.org/docs/desktop/addons/ajax-spider/options/
https://www.zaproxy.org/faq/how-do-you-find-out-what-key-to-use-to-set-a-config-value-on-the-command-line/


The AJAX Spider does not currently allow limiting by the number of URLs found.


Yes, with the API endpoint `pscan/view/recordsToScan/`.

Best regards.

mir

Mar 26, 2023, 6:38:31 AM
to OWASP ZAP User Group
Thank you very much!

Like zap.pscan.records_to_scan?
Because it didn't show me the exact amount...
I mean after a default scan, before I run AJAXSCAN, to check how many addresses there are,
And also in the middle of the AJAXSCAN, because, say, we give a limit of 30 addresses and then SLEEP or something like that.
So is there another option?

On Sunday, March 26, 2023 at 13:15:42 UTC+3, thc202 wrote:

mir

Mar 26, 2023, 6:41:57 AM
to OWASP ZAP User Group
-config connection.timeoutInSecs=60
How do you limit the AJAX runtime? Just add it to the command that runs the docker? I wish there was code to add that would be more readable.

On Sunday, March 26, 2023 at 13:15:42 UTC+3, thc202 wrote:
Hi.

mir

Mar 26, 2023, 7:22:15 AM
to OWASP ZAP User Group
I run
docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.key=" apikey " -config connection.timeoutInSecs=300
And it didn't stop after 5 minutes,
I stopped it manually
The output log:

2023-03-26 14:01:51.139923 Starting AjaxSpider on target 
2023-03-26 14:14:05.988887 An error occurred while using AjaxSpider: HTTPConnectionPool(host='', port=): Max retries exceeded with url: http://zap/JSON/ajaxSpider/view/status/?apikey=apikey (Caused by ProxyError('Cannot connect to proxy.', RemoteDisconnected('Remote end closed connection without response')))

Thanks in advance!!

On Sunday, March 26, 2023 at 13:41:57 UTC+3, mir wrote:

thc...@gmail.com

Mar 26, 2023, 9:05:32 AM
to zaprox...@googlegroups.com
What do you mean with exact amount? That will return the current
messages that need to be scanned, that will change over time as they are
scanned or found.

If you want to check the URLs found in order to stop the spider, use core.urls.

Best regards.

thc...@gmail.com

Mar 26, 2023, 9:05:43 AM
to zaprox...@googlegroups.com
That configuration is unrelated to the AJAX Spider; you should use:
-config ajaxSpider.maxDuration=5

Best regards.
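Putting the two replies above together (the ajaxSpider.maxDuration limit, core.urls as the way to stop on a URL count, and pscan recordsToScan in the summary), here is an added example that is not code from this thread or from the ZAP project. It assumes the zapv2 client exposes ajaxSpider.set_option_max_duration, ajaxSpider.stop and core.urls; FakeZap, fake_clock and the target URL are constructed here so the function can run offline.

```python
import time


def run_ajax_spider_with_limits(zap, target_url, max_minutes=10, max_urls=20,
                                poll_seconds=1.0, sleep=time.sleep, clock=time.monotonic):
    """Run the AJAX Spider on target_url and return a summary dict.

    Stops when the spider finishes ('completed'), when core.urls reports at least
    max_urls URLs under target_url ('url_limit'; the spider has no URL-count option
    of its own, so the client has to enforce it), or after max_minutes of wall-clock
    time ('time_limit'). sleep/clock are injectable so a fake client can drive it.
    """
    # Assumed zapv2 setter mirroring -config ajaxSpider.maxDuration=N (minutes), so ZAP
    # also stops the crawl server-side if this script dies
    zap.ajaxSpider.set_option_max_duration(max_minutes)
    zap.ajaxSpider.scan(url=target_url, subtreeonly=True)
    started = clock()
    reason = 'completed'
    while zap.ajaxSpider.status == 'running':
        if len(zap.core.urls(baseurl=target_url)) >= max_urls:
            reason = 'url_limit'
            zap.ajaxSpider.stop()
            break
        if clock() - started >= max_minutes * 60:
            reason = 'time_limit'
            zap.ajaxSpider.stop()
            break
        sleep(poll_seconds)
    return {
        'reason': reason,
        'urls_found': len(zap.core.urls(baseurl=target_url)),
        # pscan/view/recordsToScan: messages still queued for the passive scanner
        'records_to_scan': int(zap.pscan.records_to_scan),
        'elapsed_s': clock() - started,
    }


class FakeZap:
    """Constructed stand-in for the zapv2 client (not part of the real library).
    Each status poll "discovers" urls_per_poll new URLs and the crawl ends by itself
    after finish_after polls; ajaxSpider, core and pscan all alias this object so the
    attribute layout matches zap.ajaxSpider / zap.core / zap.pscan."""

    def __init__(self, urls_per_poll=3, finish_after=50):
        self._urls, self._polls, self._running = [], 0, False
        self._urls_per_poll, self._finish_after = urls_per_poll, finish_after
        self.max_duration = None
        self.ajaxSpider = self.core = self.pscan = self

    def set_option_max_duration(self, minutes):
        self.max_duration = minutes
        return 'OK'

    def scan(self, url, subtreeonly=None):
        self._urls, self._running = [url], True
        return 'OK'

    @property
    def status(self):
        if self._running:
            self._polls += 1
            base = self._urls[0]
            self._urls.extend(f'{base}page{self._polls}-{i}' for i in range(self._urls_per_poll))
            if self._polls >= self._finish_after:
                self._running = False
        return 'running' if self._running else 'stopped'

    def stop(self):
        self._running = False
        return 'OK'

    def urls(self, baseurl=None):
        return list(self._urls)

    @property
    def records_to_scan(self):
        # the real view returns a string, which is why the thread's loop wraps it in int()
        return '7' if self._running else '0'


def fake_clock():
    """Constructed clock for offline runs: time only advances when sleep() is called."""
    now = [0.0]

    def sleep(seconds):
        now[0] += seconds

    return sleep, (lambda: now[0])


if __name__ == '__main__':
    # Offline run against the fake: 3 URLs per poll, so the 20-URL cap trips first
    sleep, clock = fake_clock()
    print(run_ajax_spider_with_limits(FakeZap(), 'http://target.test/', max_minutes=10,
                                      max_urls=20, sleep=sleep, clock=clock))
```

Against a live ZAP daemon, pass ZAPv2(apikey=...) from the zapv2 package in place of FakeZap() and leave sleep/clock at their defaults.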

thc...@gmail.com

Mar 26, 2023, 9:08:23 AM
to zaprox...@googlegroups.com
It seems that you are using the wrong API key, ZAP closes the connection
in that case.


Have you checked the Automation Framework? That's probably
simpler/easier to use:
https://www.zaproxy.org/docs/desktop/addons/automation-framework/

Best regards.

On 26/03/2023 12:22, mir wrote:

mir

Mar 27, 2023, 12:21:38 AM
to OWASP ZAP User Group
Thank you very much for all the desire to help!

"It seems that you are using the wrong API key" - no, no, it's just for sending here by email, it basically works, only occasionally it doesn't.


"Have you checked the Automation Framework? That's probably simpler/easier to use:" - Why is it good? Why do I need it?
I am attaching my code:


import time
from zapv2 import ZAPv2
from datetime import datetime

# Default Spider
def ExploresByDefaultSpider(target_url, zap):
    # datetime.now() must be called; the bare method name would print the method object
    print(f'{datetime.now()} Spidering target {target_url}')
    try:
        # maxchildren=1 limits the number of child nodes added per tree node
        scan_id = zap.spider.scan(url=target_url, maxchildren=1)

        # status is returned as a percentage string
        while int(zap.spider.status(scan_id)) < 100:
            print(f'Spider progress %: {zap.spider.status(scan_id)}')
            time.sleep(1)

        print(f'{datetime.now()} Spider has completed!')
        results = zap.spider.results(scan_id)
        for result in results:
            print(result)

    except Exception as e:
        print(f'{datetime.now()} An error occurred while spidering: {str(e)}')

# Ajax Spider
def ExploresByAjaxSpider(target_url, zap):
    print(f'{datetime.now()} Starting AjaxSpider on target {target_url}')
    try:
        zap.ajaxSpider.scan(url=target_url, subtreeonly=True)
        # the AJAX Spider reports 'running' or 'stopped' rather than a percentage
        while zap.ajaxSpider.status == 'running':
            print(f'AjaxSpider progress: {zap.ajaxSpider.status}')
            time.sleep(1)

        print(f'{datetime.now()} AjaxSpider has completed!')
        ajaxResults = zap.ajaxSpider.results()
        for result in ajaxResults:
            print(result)

    except Exception as e:
        print(f'{datetime.now()} An error occurred while using AjaxSpider: {str(e)}')

# passive scan
def passiveScan(target_url, zap):
    print(f'{datetime.now()} Passive scanning')
    try:
        # records_to_scan (pscan/view/recordsToScan) is the number of messages still queued
        while int(zap.pscan.records_to_scan) > 0:
            print(f'Records to passive scan : {zap.pscan.records_to_scan}')
            time.sleep(2)
        print(f'{datetime.now()} Passive scanning complete')
        # alerts() returns the full list for the base URL, so it is walked once;
        # looping "while len(alerts) > 0" without changing alerts would never end
        alerts = zap.alert.alerts(baseurl=target_url)
        alert_count = len(alerts)
        for alert in alerts:
            if alert.get('risk') == 'High':
                print(f'Alert with high risk level found: {alert}')
            if alert.get('risk') == 'Medium':
                print(f'Alert with medium risk level found: {alert}')
            if alert.get('risk') == 'Low':
                print(f'Alert with low risk level found: {alert}')
            if alert.get('risk') == 'Informational':
                print(f'Alert with informational risk level found: {alert}')
        print(f'{datetime.now()} Total number of alerts: {alert_count}')

    except Exception as e:
        print(f'{datetime.now()} An error occurred during passive scanning: {str(e)}')


if __name__ == '__main__':
    target_url = 'Here I write the URL to scan'
    api_key = 'And here is my APIKEY'
    try:
        # the client defaults to a ZAP proxy on 127.0.0.1:8080
        zap = ZAPv2(apikey=api_key)
        ExploresByDefaultSpider(target_url, zap)
        ExploresByAjaxSpider(target_url, zap)
        passiveScan(target_url, zap)
    except Exception as e:
        print(f'{datetime.now()} An error occurred main: {str(e)}')

On Sunday, March 26, 2023 at 16:08:23 UTC+3, thc202 wrote:

mir

Mar 30, 2023, 2:15:36 AM
to OWASP ZAP User Group
Please can you help me a little more? I still don't understand the Automation Framework thing. Maybe there is an explanation of how to add it to the Python code that uses the ZAP Python API? I thank you very much for all the help!!

On Monday, March 27, 2023 at 07:21:38 UTC+3, mir wrote:

Simon Bennetts

Mar 30, 2023, 5:14:41 AM
to OWASP ZAP User Group
The Automation Framework is completely separate from the ZAP API.
It allows you to control ZAP using a yaml file, which you can specify on the command line.


You can also ask questions here of course, the more specific the better, in general.

Cheers,

Simon

mir

Mar 30, 2023, 5:20:51 AM
to OWASP ZAP User Group
I understand,
So it is not related at all to those who want to write the code (as in Python) and use docker/daemon, but to the desktop users,
Right?
Really thanks for the quick help!!


On Thursday, March 30, 2023 at 12:14:41 UTC+3, psi...@gmail.com wrote:

Simon Bennetts

Mar 30, 2023, 6:03:37 AM
to OWASP ZAP User Group
Er, no :)

If you want to use ZAP manually then the desktop is the best option.

If you want to automate ZAP then you have choices:
  • The docker packaged scans / GitHub actions - these are fine for simple cases
  • The Automation Framework - this is more flexible than the packaged scans and is generally recommended
  • The API for when you want fine grained control over ZAP - most people probably won't need to use this
Cheers,

Simon

mir

Mar 30, 2023, 6:09:35 AM
to OWASP ZAP User Group
Thank you very much!
I realised!
I will now try to use it. Is there an example of a project that uses "the Automation Framework - this is more flexible than the packaged scans and is generally recommended"?

On Thursday, March 30, 2023 at 13:03:37 UTC+3, psi...@gmail.com wrote:

mir

Apr 4, 2023, 3:14:35 AM
to OWASP ZAP User Group

Really appreciate the help!!
Please give an example of the Automation Framework; I want to see the file in its entirety,
And how do you run it?
Thanks in advance

On Thursday, March 30, 2023 at 13:09:35 UTC+3, mir wrote:

mir

Apr 4, 2023, 5:33:56 AM
to OWASP ZAP User Group
I am trying to create a yaml file because I want to use the Automation Framework according to the explanation at automation-framework.
Attached is a photo from my terminal.
But it doesn't create anything; you can see that after I wrote the command it tries and in the end doesn't create anything -

Can you help with this?
Thank you!


On Tuesday, April 4, 2023 at 10:14:35 UTC+3, mir wrote:
create yaml file.PNG

mir

Apr 13, 2023, 4:04:58 AM
to OWASP ZAP User Group
Hello,
I am trying to create an automation-framework file.
I run the command ./zap.sh -cmd -port 8090 -autogenmax zap.yaml on a remote Linux machine.
The file is indeed created, but in the terminal it shows me the error
Failed to get template for job type: import
My zap.sh version is 2.12.0.
Does it matter when running the file and if so, how do I fix it?
Thanks in advance!

On Tuesday, April 4, 2023 at 12:33:56 UTC+3, mir wrote:

Simon Bennetts

Apr 13, 2023, 4:41:28 AM
to OWASP ZAP User Group
Can you share the yaml file?
Feel free to redact any sensitive information.

Cheers,

Simon

mir

Apr 13, 2023, 4:51:45 AM
to OWASP ZAP User Group
Thank you for the quick reply,
This is what was created:

env:                                   # The environment, mandatory
  contexts :                           # List of 1 or more contexts, mandatory
    - name: context 1                  # Name to be used to refer to this context in other jobs, mandatory
      urls:                            # A mandatory list of top level urls, everything under each url will be included
      includePaths:                    # An optional list of regexes to include
      excludePaths:                    # An optional list of regexes to exclude
      authentication:
        method:                        # String, one of 'manual', 'http', 'form', 'json' or 'script'
        parameters:                    # May include any required for scripts. All of the parameters support vars except for the port
          hostname: localhost                   # String, only for 'http' authentication
          port: 8090                       # Int, only for 'http' authentication
          realm:                       # String, only for 'http' authentication
          loginPageUrl:                # String, the login page URL to read prior to making the request, only for 'form' or 'json' authentication
          loginRequestUrl:             # String, the login URL to request, only for 'form' or 'json' authentication
          loginRequestBody:            # String, the login request body - if not supplied a GET request will be used, only for 'form' or 'json' authentication
          script:                      # String, path to script, only for 'script' authentication
          scriptEngine:                # String, the name of the script engine to use, only for 'script' authentication
        verification:
          method:                      # String, one of 'response', 'request', 'both', 'poll'
          loggedInRegex:               # String, regex pattern for determining if logged in
          loggedOutRegex:              # String, regex pattern for determining if logged out
          pollFrequency:               # Int, the poll frequency, only for 'poll' verification
          pollUnits:                   # String, the poll units, one of 'requests', 'seconds', only for 'poll' verification
          pollUrl:                     # String, the URL to poll, only for 'poll' verification
          pollPostData:                # String, post data to include in the poll, only for 'poll' verification
          pollAdditionalHeaders:       # List of additional headers for poll request, only for 'poll' verification
          - header:                    # The header name
            value:                     # The header value
      sessionManagement:
        method:                        # String, one of 'cookie', 'http', 'script'
        parameters:                    # List of 0 or more parameters - may include any required for scripts
          script:                      # String, path to script, only for 'script' session management
          scriptEngine:                # String, the name of the script engine to use, only for 'script' session management
      technology:
        exclude:                       # List of tech to exclude, as per https://www.zaproxy.org/techtags/ (just use last names)
      users:                           # List of one or more users available to use for authentication
      - name:                          # String, the name to be used by the jobs
        credentials:                   # List of user credentials - may include any required for scripts, vars supported
          username:                    # String, the username to use when authenticating
          password:                    # String, the password to use when authenticating
  vars:                                # List of 0 or more variables, can be used in urls and selected other parameters
  parameters:
    failOnError: true                  # If set exit on an error        
    failOnWarning: false               # If set exit on a warning
    progressToStdout: true             # If set will write job progress to stdout

jobs:

  - type: alertFilter                  # Used to change the risk levels of alerts
    parameters:
      deleteGlobalAlerts: true         # Boolean, if true then will delete all existing global alerts, default false
    alertFilters:                      # A list of alertFilters to be applied
      - ruleId:                        # Int: Mandatory alert rule id
        newRisk:                       # String: Mandatory new risk level, one of 'False Positive', 'Info', 'Low', 'Medium', 'High'
        context:                       # String: Optional context name, if empty then a global alert filter will be created
        url:                           # String: Optional string to match against the alert, supports environment vars
        urlRegex:                      # Boolean: Optional, if true then the url is a regex
        parameter:                     # String: Optional string to match against the alert parameter field
        parameterRegex:                # Boolean: Optional, if true then the parameter is a regex, supports environment vars
        attack:                        # String: Optional string to match against the alert attack field
        attackRegex:                   # Boolean: Optional, if true then the attack is a regex
        evidence:                      # String: Optional string to match against the alert evidence field
        evidenceRegex:                 # Boolean: Optional, if true then the evidence is a regex
  - type: passiveScan-config           # Passive scan configuration
    parameters:
      maxAlertsPerRule: 10             # Int: Maximum number of alerts to raise per rule
      scanOnlyInScope: true            # Bool: Only scan URLs in scope (recommended)
      maxBodySizeInBytesToScan:        # Int: Maximum body size to scan, default: 0 - will scan all messages
      enableTags: false                # Bool: Enable passive scan tags, default: false - enabling them can impact performance
      disableAllRules: false           # Bool: If true then will disable all rules before applying the settings in the rules section
    rules:                             # A list of one or more passive scan rules and associated settings which override the defaults
    - id:                              # Int: The rule id as per https://www.zaproxy.org/docs/alerts/
      name:                            # String: The name of the rule for documentation purposes - this is not required or actually used
      threshold:                       # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium
  - type: script
    parameters:
      action:                    # String: The executed action - available actions: add, remove, run, enable, disable
      type:                      # String: The type of the script
      engine:                    # String: The script engine to use - can be used to override the default engine for the file extension
      name:                      # String: The name of the script, defaults to the file name
      file:                      # String: The full or relative file path, must be readable
      target:                    # String: The URL to be invoked for "targeted" script type
  - type: requestor                    # Used to send specific requests to targets
    parameters:
      user:                            # String: An optional user to use for authenticated requests, must be defined in the env
    requests:                          # A list of requests to make
      - url:                           # String: A mandatory URL of the request to be made
        name:                          # String: Optional name for the request, for documentation only
        method:                        # String: A non-empty request method, default: GET
        httpVersion:                   # String: The HTTP version to send the request with, default: HTTP/1.1
        headers:                       # An optional list of headers
            # - "header1:value1"
        data:                          # String: Optional data to send in the request body, supports vars
        responseCode:                  # Int: An optional, expected response code against which the actual response code will be matched
  - type: graphql                      # GraphQL definition import
    parameters:
      endpoint:                        # String: the endpoint URL, default: null, no schema is imported
      schemaUrl:                       # String: URL pointing to a GraphQL Schema, default: null, import using introspection on endpoint
      schemaFile:                      # String: Local file path of a GraphQL Schema, default: null, import using schemaUrl
      maxQueryDepth:                   # Int: The maximum query generation depth, default: 5
      lenientMaxQueryDepthEnabled:     # Bool: Whether or not Maximum Query Depth is enforced leniently, default: true
      maxAdditionalQueryDepth:         # Int: The maximum additional query generation depth (used if enforced leniently), default: 5
      maxArgsDepth:                    # Int: The maximum arguments generation depth, default: 5
      optionalArgsEnabled:             # Bool: Whether or not Optional Arguments should be specified, default: true
      argsType:                        # Enum [inline, variables, both]: How arguments are specified, default: both
      querySplitType:                  # Enum [leaf, root_field, operation]: The level for which a single query is generated, default: leaf
      requestMethod:                   # Enum [post_json, post_graphql, get]: The request method, default: post_json
  - type: openapi                      # OpenAPI definition import
    parameters:
      apiFile:                         # String: Local file containing the OpenAPI definition, default: null, no definition will be imported
      apiUrl:                          # String: URL containing the OpenAPI definition, default: null, no definition will be imported
      context:                         # String: Context to use when importing the OpenAPI definition, default: null, no context will be used
      targetUrl:                       # String: URL which overrides the target defined in the definition, default: null, the target will not be overridden
  - type: soap                         # SOAP WSDL import
    parameters:
      wsdlFile:                        # String: Local file path of the WSDL, default: null, no definition will be imported
      wsdlUrl:                         # String: URL pointing to the WSDL, default: null, no definition will be imported
  - type: spider                       # The traditional spider - fast but doesn't handle modern apps so well
    parameters:
      context:                         # String: Name of the context to spider, default: first context
      user:                            # String: An optional user to use for authentication, must be defined in the env
      url:                             # String: Url to start spidering from, default: first context URL
      maxDuration:                     # Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited
      maxDepth:                        # Int: The maximum tree depth to explore, default 5
      maxChildren:                     # Int: The maximum number of children to add to each node in the tree
      acceptCookies:                   # Bool: Whether the spider will accept cookies, default: true
      handleODataParametersVisited:    # Bool: Whether the spider will handle OData responses, default: false
      handleParameters:                # Enum [ignore_completely, ignore_value, use_all]: How query string parameters are used when checking if a URI has already been visited, default: use_all
      maxParseSizeBytes:               # Int: The max size of a response that will be parsed, default: 2621440 - 2.5 Mb
      parseComments:                   # Bool: Whether the spider will parse HTML comments in order to find URLs, default: true
      parseGit:                        # Bool: Whether the spider will parse Git metadata in order to find URLs, default: false
      parseDsStore:                    # Bool: Whether the spider will parse .DS_Store files in order to find URLs, default: false
      parseRobotsTxt:                  # Bool: Whether the spider will parse 'robots.txt' files in order to find URLs, default: true
      parseSitemapXml:                 # Bool: Whether the spider will parse 'sitemap.xml' files in order to find URLs, default: true
      parseSVNEntries:                 # Bool: Whether the spider will parse SVN metadata in order to find URLs, default: false
      postForm:                        # Bool: Whether the spider will submit POST forms, default: true
      processForm:                     # Bool: Whether the spider will process forms, default: true
      requestWaitTime:                 # Int: The time between the requests sent to a server in milliseconds, default: 200
      sendRefererHeader:               # Bool: Whether the spider will send the referer header, default: true
      threadCount:                     # Int: The number of spider threads, default: 2
      userAgent:                       # String: The user agent to use in requests, default: '' - use the default ZAP one
    tests:
      - name: 'At least X URLs found'                   # String: Name of the test, default: statistic + operator + value
        type: 'stats'                                   # String: Type of test, only 'stats' is supported for now
        statistic: 'automation.spider.urls.added'       # String: Name of an integer / long statistic, currently supported: 'automation.spider.urls.added'
        operator: '>='                                  # String ['==', '!=', '>=', '>', '<', '<=']: Operator used for testing
        value: 100                                      # Int: Change this to the number of URLs you expect to find
        onFail: 'info'                                  # String: One of 'warn', 'error', 'info', mandatory
  - type: spiderAjax                   # The ajax spider - slower than the spider but handles modern apps well
    parameters:
      context:                         # String: Name of the context to spider, default: first context
      url:                             # String: Url to start spidering from, default: first context URL
      maxDuration:                     # Int: The max time in minutes the ajax spider will be allowed to run for, default: 0 unlimited
      maxCrawlDepth:                   # Int: The max depth that the crawler can reach, default: 10, 0 is unlimited
      numberOfBrowsers:                # Int: The number of browsers the spider will use, more will be faster but will use up more memory, default: 1
      runOnlyIfModern:                 # Boolean: If true then the spider will only run if a "modern app" alert is raised, default: false
      inScopeOnly:                     # Boolean: If true then any URLs requested which are out of scope will be ignored, default: true
      browserId:                       # String: Browser Id to use, default: firefox-headless
      clickDefaultElems:               # Bool: When enabled only click the default element: 'a', 'button' and input, default: true
      clickElemsOnce:                  # Bool: When enabled only click each element once, default: true
      eventWait:                       # Int: The time in milliseconds to wait after a client side event is fired, default: 1000
      maxCrawlStates:                  # Int: The maximum number of crawl states the crawler should crawl, default: 0 unlimited
      randomInputs:                    # Bool: When enabled random values will be entered into input element, default: true
      reloadWait:                      # Int: The time in milliseconds to wait after the URL is loaded, default: 1000
      elements:                        # A list of HTML elements to click - will be ignored unless clickDefaultElems is false
     
    tests:
      - name: 'At least X URLs found'        # String: Name of the test, default: statistic + operator + value
        type: 'stats'                        # String: Type of test, only 'stats' is supported for now
        statistic: 'spiderAjax.urls.added'   # String: Name of an integer / long statistic, currently supported: 'spiderAjax.urls.added'
        operator: '>='                       # String ['==', '!=', '>=', '>', '<', '<=']: Operator used for testing
        value: 100                           # Int: Change this to the number of URLs you expect to find
        onFail: 'info'                       # String [warn, error, info]: Change this to 'warn' or 'error' for the test to take effect
  - type: delay                        # Pause the plan for a set period of time or event (file created, programmatic method called, API endpoint called)
    parameters:
      time:                            # String: The time to wait, format any of ['hh:mm:ss', 'mm:ss', 'ss'], default: 0
      fileName:                        # String: Name of a file which will cause the job to end early if created, default: empty
  - type: passiveScan-wait             # Passive scan wait for the passive scanner to finish
    parameters:
      maxDuration: 5                   # Int: The max time to wait for the passive scanner, default: 0 unlimited
    tests:
      - name: 'test one'                       # Name of the test, optional
        type: alert                            # Specifies that the test is of type 'alert'
        action: passIfPresent/passIfAbsent     # String: The condition (presence/absence) of the alert, default: passIfAbsent  
        scanRuleId:                            # Integer: The id of the scanRule which generates the alert, mandatory  
        alertName:                             # String: The name of the alert generated, optional
        url: http://www.example.com/path       # String: The url of the request corresponding to the alert generated, optional
        method:                                # String: The method of the request corresponding to the alert generated, optional
        attack:                                # String: The actual attack which generated the alert, optional
        param:                                 # String: The parameter which was modified to generate the alert, optional
        evidence:                              # String: The evidence corresponding to the alert generated, optional
        confidence:                            # String: The confidence of the alert, one of 'False Positive', 'Low', 'Medium', 'High', 'Confirmed', optional
        risk:                                  # String: The risk of the alert, one of 'Informational', 'Low', 'Medium', 'High', optional
        otherInfo:                             # String: Additional information corresponding to the alert, optional
        onFail: 'info'                         # String: One of 'warn', 'error', 'info', mandatory
  # - type: activeScan                   # The active scanner - this actively attacks the target so should only be used with permission
  #   parameters:
  #     context:                         # String: Name of the context to attack, default: first context
  #     user:                            # String: An optional user to use for authentication, must be defined in the env
  #     policy:                          # String: Name of the scan policy to be used, default: Default Policy
  #     maxRuleDurationInMins:           # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
  #     maxScanDurationInMins:           # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
  #     addQueryParam:                   # Bool: If set will add an extra query parameter to requests that do not have one, default: false
  #     defaultPolicy:                   # String: The name of the default scan policy to use, default: Default Policy
  #     delayInMs:                       # Int: The delay in milliseconds between each request, use to reduce the strain on the target, default 0
  #     handleAntiCSRFTokens:            # Bool: If set then automatically handle anti CSRF tokens, default: false
  #     injectPluginIdInHeader:          # Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false
  #     scanHeadersAllRequests:          # Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false
  #     threadPerHost:                   # Int: The max number of threads per host, default: 2
  #   policyDefinition:                  # The policy definition - only used if the 'policy' is not set
  #     defaultStrength:                 # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
  #     defaultThreshold:                # String: The default Alert Threshold for all rules, one of Off, Low, Medium, High, default: Medium
  #     rules:                           # A list of one or more active scan rules and associated settings which override the defaults
  #     - id:                            # Int: The rule id as per https://www.zaproxy.org/docs/alerts/
  #       name:                          # Comment: The name of the rule for documentation purposes - this is not required or actually used
  #       strength:                      # String: The Attack Strength for this rule, one of Low, Medium, High, Insane, default: Medium
  #       threshold:                     # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium
  #   tests:
  #     - name: 'test one'                       # Name of the test, optional
  #       type: alert                            # Specifies that the test is of type 'alert'
  #       action: passIfPresent/passIfAbsent     # String: The condition (presence/absence) of the alert, default: passIfAbsent  
  #       scanRuleId:                            # Integer: The id of the scanRule which generates the alert, mandatory  
  #       alertName:                             # String: The name of the alert generated, optional
  #       url: http://www.example.com/path       # String: The url of the request corresponding to the alert generated, optional
  #       method:                                # String: The method of the request corresponding to the alert generated, optional
  #       attack:                                # String: The actual attack which generated the alert, optional
  #       param:                                 # String: The parameter which was modified to generate the alert, optional
  #       evidence:                              # String: The evidence corresponding to the alert generated, optional
  #       confidence:                            # String: The confidence of the alert, one of 'False Positive', 'Low', 'Medium', 'High', 'Confirmed', optional
  #       risk:                                  # String: The risk of the alert, one of 'Informational', 'Low', 'Medium', 'High', optional
  #       otherInfo:                             # String: Additional information corresponding to the alert, optional
  #       onFail: 'info'                         # String: One of 'warn', 'error', 'info', mandatory
  - type: outputSummary                # Print summary to stdout, primarily to mimic the behaviour of the packaged scans
    parameters:
      format: None                     # String: The format of the output, one of None, Short, Long, default: None
      summaryFile:    # String: The full path of a file into which will be written a JSON summary of the scan, default empty
  - type: report                       # Report generation
    parameters:
      template:                        # String: The template id, default : modern
      theme:                           # String: The template theme, default: the first theme defined for the template (if any)
      reportDir:                       # String: The directory into which the report will be written
      reportFile:                      # String: The report file name pattern, default: {{yyyy-MM-dd}}-ZAP-Report-[[site]]
      reportTitle:                     # String: The report title
      reportDescription:               # String: The report description
      displayReport:                   # Boolean: Display the report when generated, default: false
    risks:                             # List: The risks to include in this report, default all
      - high
      - medium
      - low
      - info
    confidences:                       # List: The confidences to include in this report, default all
      - high
      - medium
      - low
      - falsepositive
    sections:                          # List: The template sections to include in this report - see the relevant template, default all
 

And I added the
  - type: import                       #
    parameters:
      type: 'url'                           # String: One of ['har', 'modsec2', , 'zap_messages']
      fileName: testZap                       # String: Name of the file containing the data

And now I run ./zap.sh -cmd -port 8090 -autorun zap.yaml
It starts working and then writes: Unexpected error accessing file /home/zap.yaml : null
On Thursday, April 13, 2023 at 11:41:28 UTC+3, psi...@gmail.com wrote:

mir

Apr 13, 2023, 5:28:57 AM
to OWASP ZAP User Group
In the log file:

2023-04-13 12:24:13,579 [main ] ERROR ExtensionAutomation - null
java.lang.NullPointerException: null
at org.zaproxy.addon.reports.automation.OutputSummaryJob.verifyParameters(OutputSummaryJob.java:104) ~[?:?]
at org.zaproxy.addon.automation.AutomationPlan.<init>(AutomationPlan.java:119) ~[?:?]
at org.zaproxy.addon.automation.ExtensionAutomation.runAutomationFile(ExtensionAutomation.java:491) ~[?:?]
at org.zaproxy.addon.automation.ExtensionAutomation.execute(ExtensionAutomation.java:607) ~[?:?]
at org.parosproxy.paros.extension.ExtensionLoader.runCommandLine(ExtensionLoader.java:535) ~[zap-2.12.0.jar:2.12.0]
at org.parosproxy.paros.control.Control.runCommandLine(Control.java:442) ~[zap-2.12.0.jar:2.12.0]
at org.zaproxy.zap.CommandLineBootstrap.start(CommandLineBootstrap.java:91) ~[zap-2.12.0.jar:2.12.0]
at org.zaproxy.zap.ZAP.main(ZAP.java:94) ~[zap-2.12.0.jar:2.12.0]
2023-04-13 12:24:13,595 [main ] ERROR CommandLine - Unexpected error accessing file /home/zap.yaml : null - see log for details
2023-04-13 12:24:13,595 [main ] ERROR CommandLineBootstrap - null
java.lang.NullPointerException: null
at org.zaproxy.addon.automation.ExtensionAutomation.execute(ExtensionAutomation.java:609) ~[?:?]
at org.parosproxy.paros.extension.ExtensionLoader.runCommandLine(ExtensionLoader.java:535) ~[zap-2.12.0.jar:2.12.0]
at org.parosproxy.paros.control.Control.runCommandLine(Control.java:442) ~[zap-2.12.0.jar:2.12.0]
at org.zaproxy.zap.CommandLineBootstrap.start(CommandLineBootstrap.java:91) ~[zap-2.12.0.jar:2.12.0]
at org.zaproxy.zap.ZAP.main(ZAP.java:94) ~[zap-2.12.0.jar:2.12.0]
2023-04-13 12:24:18,617 [main ] INFO  CommandLineBootstrap - OWASP ZAP 2.12.0 terminated.

On Thursday, April 13, 2023 at 11:51:45 UTC+3, mir wrote:

thc...@gmail.com

Apr 16, 2023, 2:04:37 AM
to zaprox...@googlegroups.com
Answered in the other thread[1]:
In the `outputSummary` job configuration add a valid path in
`summaryFile`, or remove the job.


[1] https://groups.google.com/g/zaproxy-develop/c/i6hjkgs5TKg/m/NSDvGhJfAAAJ

Best regards.
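A pre-flight check for the plan before handing it to `zap.sh -autorun`, written as an added example (not ZAP's own code, not from the thread): it flags the empty `summaryFile` that, per the reply above, drives the `NullPointerException` in `OutputSummaryJob.verifyParameters`, and an `import` job whose `fileName` does not exist. The plan is assumed to be already loaded into a dict (for example with `yaml.safe_load`); the sample plans below are constructed to mirror the YAML pasted in the thread.

```python
import os
import tempfile


def check_plan(plan):
    """Return a list of problems found in an automation plan; [] means OK."""
    problems = []
    jobs = plan.get("jobs")
    if not isinstance(jobs, list):
        return ["plan has no 'jobs' list"]
    for i, job in enumerate(jobs):
        jtype = job.get("type")
        params = job.get("parameters") or {}
        if jtype == "outputSummary":
            # ZAP 2.12.0 dereferences summaryFile in verifyParameters, so an
            # empty value must be caught here rather than at runtime.
            summary = params.get("summaryFile")
            if summary is None or str(summary).strip() == "":
                problems.append(f"job {i} (outputSummary): summaryFile is empty; "
                                "set a writable path or remove the job")
            elif not os.path.isdir(os.path.dirname(os.path.abspath(str(summary)))):
                problems.append(f"job {i} (outputSummary): directory for "
                                f"summaryFile {summary!r} does not exist")
        elif jtype == "import":
            fname = params.get("fileName")
            if not fname:
                problems.append(f"job {i} (import): fileName is missing")
            elif not os.path.isfile(str(fname)):
                problems.append(f"job {i} (import): file {fname!r} not found")
    return problems


# Constructed sample plans: BROKEN_PLAN leaves summaryFile empty as in the
# pasted template and names an import file that does not exist here;
# FIXED_PLAN sets summaryFile to a path in the system temp directory.
BROKEN_PLAN = {"jobs": [
    {"type": "outputSummary", "parameters": {"format": "None", "summaryFile": ""}},
    {"type": "import", "parameters": {"type": "url", "fileName": "testZap"}},
]}
FIXED_PLAN = {"jobs": [
    {"type": "outputSummary", "parameters": {
        "format": "Short",
        "summaryFile": os.path.join(tempfile.gettempdir(), "zap-summary.json")}},
]}

if __name__ == "__main__":
    for name, plan in (("broken", BROKEN_PLAN), ("fixed", FIXED_PLAN)):
        print(name, check_plan(plan) or "OK")
```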