Setup elements to click during Ajax-Spider crawling throw API
175 views
Skip to first unread message
Mike
Oct 3, 2023, 4:57:50 AM10/3/23
to ZAP User Group
Hi team,
I'm trying to configure Ajax-Spider so that it doesn't interact with some elements. I can do this through the desktop application by disabling the "Click default elements only" option and further selecting the elements that interest me.
Is it possible to make this configuration through the API?
Is it possible to exclude interaction with whole element when setting up the context?
I'm trying to configure Ajax-Spider so that it doesn't interact with some elements. I can do this through the desktop application by disabling the "Click default elements only" option and further selecting the elements that interest me.
Is it possible to make this configuration through the API?
Is it possible to exclude interaction with whole element when setting up the context?
I want to find as many vulnerabilities as possible on https://bwapp.hakhub.net/ by ZAP.
To do this, I need to crawl all urls with vulnerabilities. I have an idea to solve this problem:
0) Run ZAP with auth cookies.
1) Exclude https://bwapp.hakhub.net/logout.php in order not to reset cookies.
2) Disable Ajax-Spider options - Click Elements Once and Click default elements only(and select only tags: option and button)
Then Ajax-Spider crawling vulnerable urls are fast enough. But i could not find this option in API.
To do this, I need to crawl all urls with vulnerabilities. I have an idea to solve this problem:
0) Run ZAP with auth cookies.
1) Exclude https://bwapp.hakhub.net/logout.php in order not to reset cookies.
2) Disable Ajax-Spider options - Click Elements Once and Click default elements only(and select only tags: option and button)
Then Ajax-Spider crawling vulnerable urls are fast enough. But i could not find this option in API.
Is it possible to configure interaction with Ajax-Spider elements via the API?
Thanks in advance for your help!
Simon Bennetts
Oct 3, 2023, 6:56:30 AM10/3/23
to ZAP User Group
Hiya Mike,
We test ZAP every day against various vulnerable apps: https://www.zaproxy.org/docs/scans/
But Bwapp isnt one of them :O
Would you like to help us scan it every day? :D
Re your questions:
Did you miss these API endpoints?
setOptionClickDefaultElems (Boolean* ) Sets whether or not the the AJAX Spider will only click on the default HTML elements.
setOptionClickElemsOnce (Boolean* ) When enabled, the crawler attempts to interact with each element (e.g., by clicking) only once.
We cannot currently configure the AJAX Spider to ignore specific elements.
This is partly due to the fact that we are using a third party project: Crawljax. But this is something that we are looking at.
Cheers,
Simon
Simon Bennetts
Oct 3, 2023, 7:17:41 AM10/3/23
to ZAP User Group
Sorry, my bad - I've been reminded that we DO now support excluding specific UI elements :D
thats via the API:
addExcludedElement (contextName* description* element* xpath text attributeName attributeValue enabled ) Adds an excluded element to a context.
Cheers,
Simon
Message has been deleted
Mike
Oct 3, 2023, 8:30:04 AM10/3/23
to ZAP User Group
Simon, thank you very much for your reply!
>Would you like to help us scan it every day? :D
Of course I want! :D I will publish in this discussion my interim results and an analysis of the work done on testing this vulnerable resource with ZAP settings.
>Did you miss these API endpoints?
No, I did not. It`s work perfect!
By the way, I'm doing a similar test - https://groups.google.com/g/zaproxy-users/c/fWiGTJDhMJ4
> addExcludedElement (contextName* description* element* xpath text attributeName attributeValue enabled ) Adds an excluded element to a context.
Yes, I tried this setting for context. But it doesn't work for me or I don't understand something.
Is "zap_UI_exclude_element.png" and "zap_api_exculde_element_from_context.png" have the same effect for ZAP?
As I see in case of "zap_UI_exclude_element.png" Ajax-Spider don`t click on links and work more efficient to crawl vulnerable urls. But in case of "zap_api_exculde_element_from_context.png" he is clicking on links.
Which value i should use for (xpath, text, attributeName, attributeValue) to take same affect like in "zap_UI_exclude_element.png"?
I use ZAP in docker and want to configure it via the API so this is important for me!
Thank you very much for your time!
>Would you like to help us scan it every day? :D
>Did you miss these API endpoints?
By the way, I'm doing a similar test - https://groups.google.com/g/zaproxy-users/c/fWiGTJDhMJ4
> addExcludedElement (contextName* description* element* xpath text attributeName attributeValue enabled ) Adds an excluded element to a context.
Is "zap_UI_exclude_element.png" and "zap_api_exculde_element_from_context.png" have the same effect for ZAP?
As I see in case of "zap_UI_exclude_element.png" Ajax-Spider don`t click on links and work more efficient to crawl vulnerable urls. But in case of "zap_api_exculde_element_from_context.png" he is clicking on links.
Which value i should use for (xpath, text, attributeName, attributeValue) to take same affect like in "zap_UI_exclude_element.png"?
I use ZAP in docker and want to configure it via the API so this is important for me!
Thank you very much for your time!
Mike
Oct 3, 2023, 8:56:30 AM10/3/23
to ZAP User Group
Yes, I want to understand how to setup this param from AF :
But via API.
elements: # A list of HTML elements to click - will be ignored unless clickDefaultElems is false
- "a"
- "button"
- "input"
- "a"
- "button"
- "input"
But via API.
Message has been deleted
Message has been deleted
Mike
Oct 6, 2023, 10:35:43 AM10/6/23
to ZAP User Group
Or if it can't be done through the API, could you suggest ZAP code examples that will help implement this for ZAP? :D
On Tuesday, 3 October 2023 at 14:17:41 UTC+3, psi...@gmail.com:
Simon Bennetts
Oct 9, 2023, 6:33:40 AM10/9/23
to ZAP User Group
Right now it is not possible to set the elements via the API.
However you will be able to do it via the command line: https://www.zaproxy.org/faq/how-do-you-find-out-what-key-to-use-to-set-a-config-value-on-the-command-line/
Cheers,
Simon
Mike
Oct 11, 2023, 5:45:55 AM10/11/23
to ZAP User Group
Yes! This solved my problem! Thank you very much!
On Monday, 9 October 2023 at 13:33:40 UTC+3, psi...@gmail.com:
Reply all
Reply to author
Forward
0 new messages