Cannot exclude URLs from spider and active scan (ascan)


Asmir Sinanovic

Oct 28, 2024, 6:30:07 PM
to ZAP User Group
Hi,

I'm using the ZAP API to trigger spider and active scan (ascan) processes, but I’m experiencing issues with excluding specific URLs from the report. Since I use organizational SSO, I need to exclude Microsoft-related URLs, such as https://login.microsoftonline.com/*.

Here are the approaches I have tried:
  • Removing URLs globally
  • Removing URLs from the context
  • Removing URLs specifically from spider and ascan
For exclusion, I used the following regex example: https://login.microsoftonline.com/.*

Steps to reproduce:
  1. Start ZAP
  2. Download the ZAP root certificate
  3. Add a global exclusion - http://zap:8080/JSON/core/action/addGlobalExcludeUrl/?regex=${EXCLUDE_URL}
  4. Create a ZAP context - http://zap:8080/JSON/context/action/newContext/?contextName=${CONTEXT}
    1. Include URLs - http://zap:8080/JSON/context/action/includeInContext/?contextName=${CONTEXT}&regex=${INCLUDE_URL}
    2. Exclude URLs - http://zap:8080/JSON/context/action/excludeFromContext/?contextName=${CONTEXT}&regex=${EXCLUDE_URL}
  5. Spider
    1. Exclude URL - http://zap:8080/JSON/spider/action/excludeFromScan/?regex=${EXCLUDE_URL}
    2. Start spider - http://zap:8080/JSON/spider/action/scan/?contextName=${CONTEXT}
  6. Ascan
    1. Exclude URL - http://zap:8080/JSON/ascan/action/excludeFromScan/?regex=${EXCLUDE_URL}
    2. Start ascan - http://zap:8080/JSON/ascan/action/scan/?inScopeOnly=true&contextId=${CONTEXT_ID}
  7. Generate report - http://zap:8080/JSON/reports/action/generate/?title=ZAP-report&template=traditional-html&contexts=${CONTEXT}&reportFileName=zap-report.html&reportDir=/app/results

I would appreciate any feedback or suggestions on how to resolve this issue.

Thank you!

BR,
Asmir

Simon Bennetts

Oct 29, 2024, 5:54:08 AM
to ZAP User Group
Hi Asmir,

You should not need to bother with setting up any exclusions in your case.
Just set up your context to include the sites you want, for example http://www.example.com.*
By default contexts are empty. Anything not included will in effect be excluded.
You only need to exclude URLs that would otherwise be included, e.g. http://www.example.com/logout
ZAP will not attack any URLs outside of the scope you define.
It may still access URLs outside of the scope: https://www.zaproxy.org/faq/why-does-zap-access-out-of-scope-domains/

All you need to do is to specify the contexts or sites you would like to be included in the report: https://www.zaproxy.org/docs/desktop/addons/report-generation/api/#actions
However this appears to be what you are doing :/
Can you supply an example part of the report which includes out of scope alerts?
You can obfuscate the URLs, or send it directly to zaprox...@googlegroups.com

Cheers,

Simon
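As an added example (not from the thread or from the ZAP project), a Python sketch of the setup Simon describes: the include regex defines the context, only in-scope URLs such as the logout page need an exclusion, and the report is narrowed with the `contexts` parameter. The `in_scope` helper mirrors the stated rule locally so a scope can be sanity-checked before ZAP runs; the hostnames, context name and context id are constructed values.

```python
"""Drive the ZAP JSON API the way the thread describes. Endpoints and parameter
names are the ones quoted in the thread; host, context name and id are made up."""
import re
from urllib.parse import urlencode

ZAP = "http://zap:8080"  # ZAP API base used throughout the thread


def api_url(component: str, action: str, **params: str) -> str:
    """Build a ZAP JSON API URL. urlencode() escapes the regex (':' '/' '*')
    so a pattern such as 'https://www.example.com/.*' survives the query string."""
    return f"{ZAP}/JSON/{component}/action/{action}/?{urlencode(params)}"


def scan_plan(context: str, context_id: str, include: str,
              exclude: str = "https://www.example.com/logout") -> list:
    """The call sequence Simon recommends: one context, an include regex for
    the target, an exclude only for in-scope URLs that must not be hit, then
    spider, ascan restricted to the context, and a report limited to it.
    No global or per-scanner exclusion is needed for the SSO domain."""
    return [
        api_url("context", "newContext", contextName=context),
        api_url("context", "includeInContext", contextName=context, regex=include),
        api_url("context", "excludeFromContext", contextName=context, regex=exclude),
        api_url("spider", "scan", contextName=context),
        api_url("ascan", "scan", inScopeOnly="true", contextId=context_id),
        api_url("reports", "generate", title="ZAP-report", template="traditional-html",
                contexts=context, reportFileName="zap-report.html", reportDir="/app/results"),
    ]


def in_scope(url: str, includes: list, excludes: list) -> bool:
    """Mirror the context rule from the thread: a URL is in scope only if it
    matches an include regex and no exclude regex. Anything not included,
    such as the SSO login host, is out of scope by default and never attacked."""
    return any(re.fullmatch(p, url) for p in includes) and not any(
        re.fullmatch(p, url) for p in excludes)


if __name__ == "__main__":
    inc, exc = ["https://www.example.com/.*"], ["https://www.example.com/logout"]
    for u in ("https://www.example.com/account",
              "https://www.example.com/logout",
              "https://login.microsoftonline.com/common/oauth2/authorize"):
        print(f"{'in scope ' if in_scope(u, inc, exc) else 'out      '} {u}")
    print("\n".join(scan_plan("app", "1", inc[0])))
```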

Asmir Sinanovic

Nov 4, 2024, 8:40:13 AM
to ZAP User Group
Hi Simon, 

Thank you for your prompt response. 

After reviewing your feedback and double-checking my context setup, I can confirm it was correct. However, I was a bit confused about the reporting aspect. I didn’t realize that the default report summarizes everything and is not context-specific - http://zap:8080/OTHER/core/other/htmlreport/?apikey=

Additionally, the context-specific report didn't work for me initially: https://www.zaproxy.org/docs/desktop/addons/report-generation/api/#actions. I’m not sure if it was because I didn’t include the 'display=true' query parameter or if there was another simple error.

In any case, it works fine now. Thank you again for your help!

Best regards,
Asmir
