404 status code in sitemap

[Mike]

Hello ZAP team!
Is there a way to exclude path analysis in a sitemap with status 404?
Sometimes, while using ZAP during crawling due to spider, requests with a 404 response status get into the sitemap. And when running active and passive scans on this sitemap, it unnecessarily increases the testing time. I managed to find a filter that excludes 404 when setting up active scanning. But is there a mechanism for not adding such paths to the sitemap, maybe it could be related to context, but I couldn't find anything. Are there mechanisms to solve this issue?

Thank you!

[Mike]

Found community-script: https://github.com/zaproxy/community-scripts/blob/a941beb79d9576c684bb1724b146b3c81b7d5fd7/proxy/Drop%20requests%20by%20response%20code.js#L6

[Simon Bennetts]

Yes, thats the best option for now.

Cheers,

Simon

On Wednesday 17 April 2024 at 09:57:57 UTC+1 Mike wrote:

Found community-script: https://github.com/zaproxy/community-scripts/blob/a941beb79d9576c684bb1724b146b3c81b7d5fd7/proxy/Drop%20requests%20by%20response%20code.js#L6

[Mike]

Thank you very much for the reply!
But this only works for proxy scenarios, for example, if such urls appear as a result of spider, this script does not help :c

[thc...@gmail.com]

At the moment it's not possible to filter them, but that's in the plans.

Best regards.

[Mike]

Do I need to open an issue? could you provide me with basic information on this issue, I can participate in the development.

[Simon Bennetts]

We already have https://github.com/zaproxy/zaproxy/issues/1174 which is kind of similar.

However maintaining 2 site trees will be non trivial and will take up more memory.

A better option might be to just filter requests out as they happen, so with no option to toggle between them.

We already do this for URLs via Network / Global Exclusions and for images via the Display options.

We would need to agree how it would work and what options we support.

Thoughts anyone?

Simon