Only GET requests


Nicollas Teixeira

Aug 23, 2023, 8:56:28 AM
to ZAP User Group
I would like to understand the curious case of the DAST that only does GET  😂 😂
Just kidding, could someone help me? It's a WebGoat, there's like many SQL Injection lessons/vulns that should be found and there's only GET requests...
Attachments: 5555.png, 234234.png

psiinon

Aug 23, 2023, 9:14:13 AM
to zaprox...@googlegroups.com
I take it that's the traditional spider you are using?
Check that both "Process Forms" and "POST Forms" are enabled in the Spider Options: https://www.zaproxy.org/docs/desktop/addons/spider/options/#process-forms
They are by default but you might have inadvertently changed them..

Cheers,

Simon

--
ZAP Project leader

Nicollas Teixeira

Aug 23, 2023, 10:40:45 AM
to ZAP User Group
This option is already checked, I've tried to select all possible parameters... Where can I find the full scan option? From what I saw, the active scan is the quick scan

psiinon

Aug 23, 2023, 10:45:40 AM
to zaprox...@googlegroups.com
The Quick Scan invokes the traditional and ajax spiders (either or both) and then the active scan.
You can access all of these tools directly via the Tools menu, right click options or their respective tabs.

In this case I think the key one is the traditional spider - try running that on its own.
I would expect to see it making some POST requests..

Cheers,

Simon



--
ZAP Project leader