http session token for Spider/Active scan and Zap on Windows Server


David S.

Feb 15, 2021, 5:44:30 PM
to OWASP ZAP User Group
Hi
I started using ZAP a couple of weeks ago. I have a couple beginner questions.

The site uses form-based login (username/password), then passes the sessionid token to continue the rest of the browsing/editing etc. Spider/Active scan look like they are running OK; I can see the sessionid is part of the scan.

1) If I export the site URL list from ZAP system, say A, and import it into a different ZAP system, say B, I will have to log in to the site from B's integrated Firefox before starting a scan on B (so it can use the sessionid token), is that correct? Also, do I need to re-spider the site first before doing an Active scan on B?

Active scan should report the same result on both A and B ZAPs, shouldn't it?

2) Is there a particular difference by using ZAP on Windows 10 or Windows Server 2019? I had one ZAP on Windows Server 2019. The regular Firefox is fine when accessing the site but the ZAP integrated Firefox keeps reporting network error accessing some xsl/xml files, error parsing xsl etc. I don't see this problem on W10 ZAP.

Thanks in advance. David


ramya patri

Feb 16, 2021, 12:21:47 AM
to OWASP ZAP User Group
Sorry to hijack your thread, but I was looking for help to set up a Spider scan by providing authentication. Can you share the steps please? I followed the steps below, but it doesn't capture anything from the application.
1. Captured the Login Request in the sites tree
2. Marked this request as 'Form Based Authentication' and set the user and password parameters. When I manually crawl through the application, active scan uses this form authentication I provided.

But when I use Spider / Ajax Spider, nothing gets crawled.

Any help here please?

Regards,
Ramya.

Simon Bennetts

Feb 16, 2021, 4:24:23 AM
to OWASP ZAP User Group
1) Why??
Exporting URL lists from ZAP on one system to import into another one is really not recommended; you lose far too much information.
You should really explore your application from scratch each time, by proxying unit tests, using the spiders or importing API definitions, whatever you have available.
If your site uses authentication then ideally you should configure ZAP to understand that authentication. For more on that see these videos: https://www.zaproxy.org/addo-auth-workshop/

2) In theory no, ZAP will run the same on any machine with a JVM, whether it's a flavour of Windows, MacOS, Linux etc.
In practice yes, because you are using different machines which have different applications installed, different networking setups etc.
However the results should be roughly equivalent. If not then you have a problem with one of your systems.

Cheers,

Simon

Simon Bennetts

Feb 16, 2021, 4:25:31 AM
to OWASP ZAP User Group
Ramya - please don't ask the same questions on multiple threads. I've replied on the other thread you started.

David S.

Feb 16, 2021, 10:24:36 AM
to OWASP ZAP User Group
Thanks for the info.

Regarding "...You should really explore your application from scratch each time...", say I fix one XSS issue for a URL. I need to rescan the whole system from scratch and I can't just re-Active Scan that troubled URL, right?

/david 

Simon Bennetts

Feb 16, 2021, 11:04:26 AM
to OWASP ZAP User Group
Sorry, I should have been a bit more precise :)
If you want to ensure you test the whole application then yes, you should explore it again.
If you are just testing that a specific issue is fixed then you might be able to scan just that URL again. But that does depend on your app :)

Cheers,

Simon