ZAP - History Source


Osama

Feb 24, 2022, 9:48:31 AM2/24/22
to OWASP ZAP User Group
Hello,
In the history of ZAP, I understand that when the source = Proxy, ZAP received this request/response and passed it on.

My question is: does source = Manual mean that the request was initiated from ZAP or from the HUD, in this case, since I'm using the Firefox browser that comes with ZAP?

Now, to give you a little bit more information about the case, I'll paste the issue that I opened on GitHub.

----  

ZAP HUD is active scanning all websites referred to by the original site you want to scan, even if they are not in allow list.

Description:
I'm running ZAP 2.11.1 on Ubuntu 20.04 inside a VM (VirtualBox). I was testing ZAP on JuiceShop for one of my courses. I started ZAP, then I started the preconfigured Firefox browser. I visited 127.0.0.1:3000 (JuiceShop) and then chose to run the Spider, Ajax Spider and Active scanning on 127.0.0.1:3000.
Suddenly, after some time, I found out that it was actually scanning other websites which are mostly used by Firefox and Mozilla for different activities, such as stop-tracking, etc.

I thought that I had misconfigured the test. I repeated the test again, but this time I disabled the network on the whole physical machine. I found out that it tried to active-scan Firefox URLs but got error 502, since there was no network this time.

I checked the log of the previous session and it's the same thing: HUD is trying to scan all sites.

Just to be clear here, in the log the history marks these requests as "Manual", and some requests were even processed by ZAP and I got the window asking me whether I want to reply in the console or in the browser?

kingthorin+owaspzap

Feb 24, 2022, 12:21:19 PM2/24/22
to OWASP ZAP User Group
Source == Manual in history means you used the request editor and sent it manually (which can also be done via HUD).

Have you set a context? Do you have attack mode turned on?
The spider will of course make requests for content that is referenced; however, that does not mean it's being attacked.

Osama

Feb 25, 2022, 7:24:05 AM2/25/22
to OWASP ZAP User Group
I didn't set a context manually; I was only using the HUD and I added the JuiceShop URL to the scope. I had attack mode activated, but to the best of my knowledge it should attack only the URLs of a website in the scope.

Do I need to add the context manually?

Best regards

Simon Bennetts

Mar 4, 2022, 5:20:12 AM3/4/22
to OWASP ZAP User Group
Adding a URL to the scope in the HUD does add it to the HUD context :)
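As an added example (not code from this thread or from ZAP itself), a small Python check for the situation discussed above: given the kind of "Include in Context" pattern that putting JuiceShop in scope creates, it lists the hosts in a history sample that fall outside that pattern and tallies entries by history source, so Manual traffic to out-of-scope hosts stands out. The history entries, the hostnames and the include regex are constructed assumptions, not values taken from ZAP.

```python
import re
from urllib.parse import urlsplit

# Constructed sample history entries, loosely modelled on the columns of the
# ZAP History tab (id, source, URL). This is not an export from ZAP. The two
# non-local hostnames are made-up stand-ins for browser background services.
HISTORY = [
    {"id": 1, "source": "Proxy", "url": "http://127.0.0.1:3000/"},
    {"id": 2, "source": "Spider", "url": "http://127.0.0.1:3000/rest/products/search?q="},
    {"id": 3, "source": "Manual", "url": "http://127.0.0.1:3000/rest/user/login"},
    {"id": 4, "source": "Manual", "url": "https://browser-service.example/success.txt"},
    {"id": 5, "source": "Manual", "url": "https://tracking-list.example/downloads"},
]

# Context include patterns are regexes over the full URL; this is an assumed
# value of the form that putting http://127.0.0.1:3000 in scope would produce.
INCLUDE_REGEXES = [r"http://127\.0\.0\.1:3000.*"]


def in_scope(url, includes=INCLUDE_REGEXES):
    """True when the URL matches at least one context include pattern."""
    return any(re.fullmatch(pattern, url) for pattern in includes)


def out_of_scope_hosts(history, includes=INCLUDE_REGEXES):
    """Map each host that no include pattern covers to the sources seen for it."""
    hosts = {}
    for entry in history:
        if not in_scope(entry["url"], includes):
            host = urlsplit(entry["url"]).hostname
            hosts.setdefault(host, set()).add(entry["source"])
    return hosts


def sources_by_scope(history, includes=INCLUDE_REGEXES):
    """Count entries per (source, in_scope) pair."""
    counts = {}
    for entry in history:
        key = (entry["source"], in_scope(entry["url"], includes))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for host, sources in out_of_scope_hosts(HISTORY).items():
        print(f"outside context: {host} (sources: {', '.join(sorted(sources))})")
    print(sources_by_scope(HISTORY))
```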