Hi ZAP Team,
I'm attempting to use OWASP ZAP on an application, and I have a particular set of circumstances that I want to confirm the Spider or the Ajax Spider would be able to cover.
I have a local application running on http://domain1:8000. On this page is a dropdown menu, and on this dropdown menu is a button that opens a new window pointed at http://domain2:8001. This second link cannot be found directly in the HTML response to the first link (no href or anything like that).
Given these circumstances, would either of the spiders be able to pick up on domain2 and run against it? I'm uncertain if the normal spider could find it since it isn't an href in the HTML response to domain1, and given the circumstances of reaching the link to domain2 (a click to drop down the menu followed immediately by a click to press the button opening the new window), I wasn't confident enough with my understanding of the Ajax Spider to know if that kind of behavior would be possible without some sort of specific configuration.
Could either of the spiders pick up on this separate domain? My initial attempts with the Automation Framework have not found this link (and I've ensured that domain2 is in my includePaths), but I'm not sure if this is a result of my own lacking configuration or if this behavior isn't possible:
- parameters:
    context: "Script_Context"
    user: "User"
    url: "http://domain1:8000"
    maxDuration: 0
    maxDepth: 0
    maxChildren: 0
  name: "spider"
  type: "spider"
- parameters:
    context: "Script_Context"
    user: "User"
    url: "http://domain1:8000"
    maxDuration: 5
    maxCrawlDepth: 0
    numberOfBrowsers: 5
    browserId: "htmlunit"
    maxCrawlStates: 0
    eventWait: 5
    reloadWait: 5
    clickDefaultElems: false
    clickElemsOnce: true
    randomInputs: false
  name: "spiderAjax"
  type: "spiderAjax"
Is there some way I can find this link via the scan, or will I need to insert it manually into the list of discovered URLs?
Thank you!