How to avoid logout URL while ZAP scan?


Arpit

Oct 6, 2021, 11:52:14 AM
to OWASP ZAP User Group
Hi,

I log into my app using Selenium steps and run the scans. How can I tell ZAP to avoid a given logout URL?

This is my code:
import java.nio.charset.StandardCharsets;

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;

public final class ActiveScan {

    private static final int ZAP_PORT = Global.ZAP_PORT;
    private static final String ZAP_API_KEY = Global.ZAP_API_KEY;
    private static final String ZAP_ADDRESS = Global.ZAP_ADDRESS;
    private static final String TARGET = Global.TARGET;

    private ActiveScan() {
        // never called
    }

    public static void scan() {

        // Constructor arguments are address, port and API key
        final ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);

        try {

            System.out.println("Active Scanning target : " + TARGET);

            // Arguments: url, recurse, inscopeonly, scanpolicyname, method, postdata
            final ApiResponse resp = api.ascan.scan(TARGET, "True", "False", null, null, null);

            int progress;

            // The scan now returns a scan id to support concurrent scanning
            final String scanid = ((ApiResponseElement) resp).getValue();

            // Poll the status until it completes
            while (true) {
                Thread.sleep(5000);
                progress =
                        Integer.parseInt(
                                ((ApiResponseElement) api.ascan.status(scanid)).getValue());
                System.out.println("Active Scan progress : " + progress + "%");
                if (progress >= 100) {
                    break;
                }
            }

            System.out.println("Active Scan complete");

            // core.htmlreport() returns the report as raw bytes
            Report.generateHTMLReport("activeScan", new String(api.core.htmlreport(), StandardCharsets.UTF_8));

        } catch (Exception e) {
            System.out.println("Exception : " + e.getMessage());
            e.printStackTrace();
        }
    }
}

Simon Bennetts

Oct 7, 2021, 4:17:29 AM
to OWASP ZAP User Group

Arpit

Oct 27, 2021, 10:44:55 AM
to OWASP ZAP User Group
I wrote this method:

public void excludeFromContext(final String regex) throws ClientApiException {
    this.api.context.excludeFromContext(this.contextName, regex);
}

and I'm passing the logout URL string: "https://rondomXYZ/myacc/logout"

into this method, but still the URL gets scanned by the spider scan and the user gets logged out.
How can I fix this?
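Added example (not code from either post, and not the ZAP project's own code) showing the two things that usually explain the behaviour described in the thread. First, ZAP matches exclusion regexes against the full request URL, so a bare literal such as "https://host/myacc/logout" only matches a request whose URL is byte-for-byte identical; a trailing slash or query string is enough to miss it, which is why the regex below is anchored on the literal and ends in ".*". Second, context.excludeFromContext only affects scans that are started within that context; a spider started with just a URL ignores the context entirely. The global spider.excludeFromScan and ascan.excludeFromScan lists apply to every scan, so the example sets all three and reads the lists back before scanning. The host, context name, port and API key are placeholders to adjust.

```java
import java.util.regex.Pattern;

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

/** Keeps the logout endpoint out of the spider and the active scanner, then scans inside a context. */
public final class LogoutExclusion {

    // Assumed connection details; replace with your ZAP instance's values.
    private static final String ZAP_ADDRESS = "localhost";
    private static final int ZAP_PORT = 8080;
    private static final String ZAP_API_KEY = "change-me";

    private static final String CONTEXT_NAME = "myapp";
    // Constructed placeholder URLs for this example.
    private static final String TARGET = "https://example.test/myacc/";
    private static final String LOGOUT_URL = "https://example.test/myacc/logout";

    private LogoutExclusion() {
        // never called
    }

    /**
     * Builds a regex that matches the logout URL itself plus any suffix
     * (query string, trailing slash). Pattern.quote escapes the dots and
     * slashes so the literal part cannot accidentally match other paths.
     */
    static String logoutRegex(String logoutUrl) {
        return Pattern.quote(logoutUrl) + ".*";
    }

    /** Registers the logout regex globally (spider + active scanner) and in the context. */
    static void excludeLogout(ClientApi api, String contextName, String logoutUrl)
            throws ClientApiException {
        String regex = logoutRegex(logoutUrl);
        // Global lists: honoured whether or not a scan is started with a context.
        api.spider.excludeFromScan(regex);
        api.ascan.excludeFromScan(regex);
        // Context exclusion: only honoured by scans started with this context.
        api.context.excludeFromContext(contextName, regex);
    }

    /** Polls spider or active scan progress until it reports 100%. */
    static void waitFor(ClientApi api, String scanId, boolean activeScan) throws Exception {
        while (true) {
            Thread.sleep(2000);
            ApiResponse status = activeScan ? api.ascan.status(scanId) : api.spider.status(scanId);
            int progress = Integer.parseInt(((ApiResponseElement) status).getValue());
            System.out.println((activeScan ? "Active scan" : "Spider") + " progress: " + progress + "%");
            if (progress >= 100) {
                break;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);

        api.context.newContext(CONTEXT_NAME);
        api.context.includeInContext(CONTEXT_NAME, Pattern.quote(TARGET) + ".*");
        excludeLogout(api, CONTEXT_NAME, LOGOUT_URL);

        // Check what ZAP actually holds before spending time on a scan.
        System.out.println("Spider exclusions: " + api.spider.excludedFromScan().toString(0));
        System.out.println("Active scan exclusions: " + api.ascan.excludedFromScan().toString(0));

        // Arguments: url, maxchildren, recurse, contextname, subtreeonly.
        // Passing the context name is what makes the context exclusion apply to this crawl.
        ApiResponse spiderResp = api.spider.scan(TARGET, null, "True", CONTEXT_NAME, "True");
        waitFor(api, ((ApiResponseElement) spiderResp).getValue(), false);

        // Arguments: url, recurse, inscopeonly, scanpolicyname, method, postdata.
        // inscopeonly="True" keeps the active scanner inside the context as well.
        ApiResponse ascanResp = api.ascan.scan(TARGET, "True", "True", null, null, null);
        waitFor(api, ((ApiResponseElement) ascanResp).getValue(), true);
    }
}
```

If the logout link still gets followed after this, compare the exclusion lists printed above with the exact URL in ZAP's history tab: a scheme, host or port mismatch (http vs https, an explicit :443) is enough for a full-URL regex not to match.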
