ZAP API scan works without context but with context it fails


Kineye

Aug 23, 2023, 10:21:26 AM
to ZAP User Group
This is the command I run to scan my API:

sudo docker run --env ZAP_AUTH_HEADER_VALUE="AUTHENTICATION TOKEN" -v $(pwd):/zap/wrk/:rw softwaresecurityproject/zap-stable zap-api-scan.py -t openapi.json -f openapi \
-r report.html

It works, but I want it to stop scanning certain URLs, so I created a context in the GUI with a URL regex to include in the context and one to exclude. I then exported this context and linked it in the Docker scan with -n My.context

When running the now modified command I get the error:

WARN  API - Bad request to API endpoint [/JSON/ascan/action/scan/] from [127.0.0.1]:
org.zaproxy.zap.extension.api.ApiException: URL_NOT_IN_CONTEXT (url)


I assumed that excluding a URL would stop any requests to that URL. Am I doing this wrong, or is the scan not working as intended?

Thanks in advance :)

psiinon

Aug 23, 2023, 10:28:22 AM
to zaprox...@googlegroups.com
Most of the import jobs do not yet fully support contexts.
That will need to be fixed as part of authentication support: https://github.com/zaproxy/zaproxy/issues/8021

Cheers,

Simon

To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/93e2acc8-38a0-4473-ad79-686cd44f5978n%40googlegroups.com.


--
ZAP Project leader

Kineye

Aug 25, 2023, 4:54:20 AM
to ZAP User Group
Thanks Simon,
Is there a workaround for blocking certain URLs? I am not able to do it successfully via the "set a config value on the command line" blog post. I tried several variations of options, but the URLs would still get scanned.
Thanks

psiinon

Aug 25, 2023, 5:12:50 AM
to zaprox...@googlegroups.com
You could create an httpsender script which 404's the URLs you don't want to be accessed.
We have some proxy scripts which you could convert: https://github.com/zaproxy/community-scripts/tree/main/proxy


Cheers,

Simon



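The HttpSender script Simon describes, written out as an added example (it is not code from the ZAP project, the community-scripts repository, or this thread). ZAP's JavaScript script engine loads a file of this shape and calls sendingRequest() before each request leaves ZAP and responseReceived() after each response arrives; the script answers any request whose URL matches a block list with a locally built 404. Assumptions: msg is ZAP's HttpMessage, of which only getRequestHeader().getURI().toString(), setResponseHeader(String) and setResponseBody(String) are used; the block-list regexes, the host api.example.test, and the makeTestMessage() stand-in are constructed for the example. Whether the target is still contacted once sendingRequest() has set a response should be confirmed on your ZAP version in the History tab and zap.log; responseReceived() re-applies the 404 so the scanner sees it either way.

```javascript
// Added example: ZAP HttpSender script that 404s requests to blocked URLs.
// Not from the ZAP project or community-scripts; see the lead-in for the
// assumptions about ZAP's HttpMessage API.

// Block list: the same regexes you would type into a context's "exclude"
// box. Constructed for this example; replace with your own.
var BLOCKED_URL_PATTERNS = [
  /^https?:\/\/api\.example\.test\/v1\/users\/[^/]+\/delete(\?.*)?$/i,
  /^https?:\/\/api\.example\.test\/v1\/admin(\/.*)?$/i
];

// Returns the index of the first pattern matching url, or -1 if none does.
function blockedIndex(url, patterns) {
  for (var i = 0; i < patterns.length; i++) {
    if (patterns[i].test(url)) {
      return i;
    }
  }
  return -1;
}

// Writes a synthetic 404 into the message when its URL is on the block list.
// Returns true when the URL was blocked, false when the message is untouched.
function applyBlock(msg) {
  var url = msg.getRequestHeader().getURI().toString();
  if (blockedIndex(url, BLOCKED_URL_PATTERNS) < 0) {
    return false;
  }
  // ASCII body, so String.length is also the byte length for Content-Length.
  var body = "Blocked by httpsender script: " + url;
  msg.setResponseHeader(
    "HTTP/1.1 404 Not Found\r\n" +
    "Content-Type: text/plain; charset=utf-8\r\n" +
    "Content-Length: " + body.length + "\r\n"
  );
  msg.setResponseBody(body);
  return true;
}

// ZAP hook: runs before the request is sent. print() exists in ZAP's script
// console but not in Node, hence the guard.
function sendingRequest(msg, initiator, helper) {
  if (applyBlock(msg) && typeof print === "function") {
    print("httpsender block: " + msg.getRequestHeader().getURI().toString());
  }
}

// ZAP hook: runs after a response arrives; re-applies the 404 so a blocked
// URL never reaches the scanner as a real response.
function responseReceived(msg, initiator, helper) {
  applyBlock(msg);
}

// Constructed stand-in for ZAP's HttpMessage so the hooks can be exercised
// outside ZAP (e.g. with Node). It records what the hooks wrote.
function makeTestMessage(url) {
  return {
    responseHeader: null,
    responseBody: null,
    getRequestHeader: function () {
      return {
        getURI: function () {
          return { toString: function () { return url; } };
        }
      };
    },
    setResponseHeader: function (h) { this.responseHeader = h; },
    setResponseBody: function (b) { this.responseBody = b; }
  };
}
```

Save it as an HttpSender script (not a proxy script) and enable it before starting the scan: proxy scripts only see traffic passing through ZAP's proxy port, while the scanner's own requests go out through HttpSender, which is why the proxy scripts would need converting. After a run, check the History tab for any request to a blocked URL and zap.log for script load errors.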

Kineye

Aug 28, 2023, 12:31:21 PM
to ZAP User Group
I have attempted to implement this by just using the community script "Drop requests via URL regexes.zst", but it doesn't seem to actually block the selected URLs. I have tried it in the UI and via the command line. I enabled it in both. I used the same method to add a standalone script which wrote to the terminal, and that worked, so my method of adding the script should be right. The regexes are the same as the ones I use in the UI session settings, and they work there but not with the script.

psiinon

Aug 29, 2023, 3:22:23 AM
to zaprox...@googlegroups.com
Have you checked the zap.log file to make sure that there are no errors, e.g. when loading the script?

Cheers,

Simon


