Scanning multiple pages


Humbulani Lucky

Aug 1, 2022, 5:08:28 AM
to OWASP ZAP User Group
Hi, 

I'm starting to learn OWASP ZAP with Selenium, and I have a few questions I need clarity on:

1. Does the scan go through every page on the website, or does it only scan the landing page? And if not, do I need to call the scan method() every time I navigate through pages?
2. And with the auto-generated report, using clientApi.core.htmlreport() always comes with unwanted URLs, like update.googleapis and storage.googleapis. How do I filter these?

Any assistance will be much appreciated.
Thanks

Simon Bennetts

Aug 1, 2022, 5:14:35 AM
to OWASP ZAP User Group
Answers inline:

On Monday, 1 August 2022 at 11:08:28 UTC+2 Humbulani Lucky wrote:
Hi, 

I'm starting to learn OWASP ZAP with Selenium, and I have a few questions I need clarity on:

1. Does the scan go through every page on the website, or does it only scan the landing page? And if not, do I need to call the scan method() every time I navigate through pages?

ZAP does what you tell it to do - you can choose to scan one page or scan a whole site.
However, if your app supports authentication then you will need to configure ZAP to handle it, otherwise it will only be able to access public pages.

2. And with the auto-generated report, using clientApi.core.htmlreport() always comes with unwanted URLs, like update.googleapis and storage.googleapis. How do I filter these?

That endpoint is very limited and is no longer recommended to be used.
We recommend that you use the Report Generation add-on: https://www.zaproxy.org/docs/desktop/addons/report-generation/
That provides its own API and is much more flexible, and includes the option to limit URLs by sites.

Cheers,

Simon

Humbulani Lucky

Aug 1, 2022, 5:33:05 AM
to OWASP ZAP User Group
Hi Simon, 

Thanks for the quick reply.

Could you please advise on how to choose to scan the whole site, or maybe point me to some resources I can look at?

Thanks



Simon Bennetts

Aug 1, 2022, 5:38:03 AM
to OWASP ZAP User Group
As you've already mentioned the ZAP API I'll assume you are automating ZAP :)
The recommended automation options are: https://www.zaproxy.org/docs/automate/
For many people the Automation Framework will be ideal.
If you want to keep using the API then see https://www.zaproxy.org/docs/api/

The Active Scanner scan method is defined here: https://www.zaproxy.org/docs/api/#ascanactionscan
See the "recurse" param? You'll want to supply "true" for that :)

Cheers,

Simon
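A small Python driver for the flow described in this reply: start an Active Scan with recurse=true against the target site, poll ascan/view/status until it completes, then request a report from the Report Generation add-on limited to that site. This is an added example, not code from the thread or from the ZAP project; the daemon address, API key, and the report parameter names (`template`, `sites`, `reportDir`) are assumptions to verify against the API docs for your ZAP version.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import urlopen

ZAP_API = "http://127.0.0.1:8080"  # assumed: address of a local ZAP daemon (constructed)


def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL of the form /JSON/<component>/<kind>/<name>/?..."""
    return f"{ZAP_API}/JSON/{component}/{kind}/{name}/?{urlencode(params)}"


def http_get_json(url):
    """Default transport: GET the URL and decode ZAP's JSON response."""
    with urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode())


def active_scan_site(target, api_key, fetch=http_get_json, delay=2.0):
    """Active-scan the whole site under `target` (recurse=true, not just the
    landing page), wait for the scan to reach 100%, and return the scan id.
    `fetch` is injectable so the flow can be exercised without a running ZAP."""
    started = fetch(api_url("ascan", "action", "scan",
                            url=target, recurse="true", apikey=api_key))
    scan_id = started["scan"]
    while True:
        status = fetch(api_url("ascan", "view", "status",
                               scanId=scan_id, apikey=api_key))
        if int(status["status"]) >= 100:
            return scan_id
        time.sleep(delay)


def generate_site_report(target, api_key, out_dir, fetch=http_get_json):
    """Ask the Report Generation add-on for an HTML report restricted to
    `target` via its `sites` parameter, so third-party hosts such as
    update.googleapis are left out. Parameter names are assumed, not
    taken from the thread."""
    return fetch(api_url("reports", "action", "generate",
                         title="ZAP active scan", template="traditional-html",
                         sites=target, reportDir=out_dir, apikey=api_key))
```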

Humbulani Lucky

Aug 1, 2022, 5:43:29 AM
to OWASP ZAP User Group
Thank you.