Does active scan with the default policy cover all the injections and server security shown under Advanced?


lakshmi

Apr 26, 2017, 7:52:53 AM
to OWASP ZAP User Group
I am using a Python script to open ZAP in non-GUI mode, access the URL, spider, active scan and get results. When I check the default policy's advanced options, I can see different injections included, and other options. Does that mean an active scan with the default policy will cover all these injections and server security?

Thanks for the help.

kingthorin+owaspzap

Apr 26, 2017, 9:38:29 AM
to OWASP ZAP User Group
If you haven't made any modifications to the Default Policy and run an active scan it will use all the active scan rules available to ZAP at Medium Strength and Medium Threshold.

lakshmi

Apr 26, 2017, 1:40:59 PM
to OWASP ZAP User Group
Thanks for the update. I can see different types of 'Injection' under the Policy tab of the active scan advanced options; they have Threshold set to 'Default'. Please suggest how to include these by changing to Medium in my Python script.

It would be really helpful if I could see how to add the different injections with Medium using a Python script.

lakshmi

Apr 26, 2017, 2:11:04 PM
to OWASP ZAP User Group
Thanks for the update. I can see different types of 'Injection' under the Policy tab of the active scan advanced options; they have Threshold set to 'Default'. Please suggest how to include these by changing to Medium in my Python script.

It would be really helpful if I could see how to add the different injections with Medium using a Python script.

When I run an active scan of my target from the ZAP UI without setting Threshold and Strength to Medium, I am also able to see the status as running, showing the % progress (by looking at the API):
1. Got the scan id from the API after starting the scan from the UI without changing the values from Default to Medium under Policy.

2. Scan id was 1. Looked at the progress of the scan by using the scan id.
Here I can see:

"scanProgress": ["https://xxxxxxx.com", {
"HostProcess": [{
"Plugin": ["Path Traversal", "6", "release", "18%", "25013", "79"]
}, {
"Plugin": ["Remote File Inclusion", "7", "release", "Pending", "0", "0"]
On Wednesday, April 26, 2017 at 7:08:29 PM UTC+5:30, kingthorin+owaspzap wrote:

kingthorin+owaspzap

Apr 26, 2017, 2:11:12 PM
to OWASP ZAP User Group
Sorry I guess I should have been more specific.

By default the Strength and Threshold are set to Medium, and that default is applied to all scan rules.

lakshmi

Apr 26, 2017, 2:29:01 PM
to OWASP ZAP User Group
Thanks a lot, you made my life easy. I am extremely sorry for not understanding your inputs correctly. Just need one confirmation:
my script contains:
import time
from zapv2 import ZAPv2
zap = ZAPv2(apikey=apikey)  # ZAP API key; the client defaults to the proxy on 127.0.0.1:8080
scanid = zap.spider.scan(target)
while int(zap.spider.status(scanid)) < 100:  # spider.scan() returns at once; poll until it finishes
    time.sleep(2)
print('Spider completed')
print('ajax-spider Scanning target %s' % target)
zap.ajaxSpider.scan(target)
ascan_id = zap.ascan.scan(target, recurse=True, inscopeonly=True)  # returns the id of the new scan

and other commands until I get the reports, which I am able to successfully generate.

1. With the above ascan.scan, is the default policy used, as I have not mentioned using the default policy in my script? Please confirm.
2. By using the API calls below in my script, should I be able to get the scan id and the progress of the scan?

print(zap.ascan.scans())                # list of dicts, one per active scan, each with an 'id'
scanid = zap.ascan.scans()[-1]['id']    # scans() returns that list, not an id; take the newest
print(zap.ascan.scan_progress(scanid))  # Python client name for the scanProgress view

Please pardon me; I am new to scripting, in case I am using the wrong syntax.
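The two points raised in this thread (that an unmodified Default Policy runs every rule at Medium Strength and Medium Threshold, and how to get a scan id and per-rule progress from a script) can be put together in one driver. The block below is an added example, not the poster's script and not OWASP ZAP project code; it talks to ZAP's raw JSON API with urllib rather than the python-owasp-zap-v2.4 client, and the transport is injected so the policy, polling and parsing logic runs offline against constructed responses. Assumptions: ZAP listening on 127.0.0.1:8080, a placeholder API key, and the Plugin field order in scanProgress inferred from the sample quoted above.

```python
# Added example (not the poster's script and not OWASP ZAP project code): drives ZAP's
# raw JSON API with urllib instead of the python-owasp-zap-v2.4 client; the transport is
# injected so the logic runs offline. Assumed: ZAP on 127.0.0.1:8080, placeholder API key.
import json
import time
import urllib.parse
import urllib.request


def http_fetch(url):  # real transport: GET a ZAP API URL and decode its JSON body
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class ZapApi:  # thin wrapper over <base>/JSON/<component>/<view|action>/<name>/?params
    def __init__(self, apikey, base="http://127.0.0.1:8080", fetch=http_fetch):
        self.apikey, self.base, self.fetch = apikey, base, fetch

    def call(self, component, kind, name, **params):
        params["apikey"] = self.apikey
        query = urllib.parse.urlencode(params)
        return self.fetch("%s/JSON/%s/%s/%s/?%s" % (self.base, component, kind, name, query))

    def set_policy_levels(self, strength, threshold, policy="Default Policy"):
        """Pin every rule in `policy` to an explicit Strength/Threshold; returns rule ids."""
        ids = [r["id"] for r in
               self.call("ascan", "view", "scanners", scanPolicyName=policy)["scanners"]]
        for rid in ids:  # values: LOW/MEDIUM/HIGH/INSANE and OFF/LOW/MEDIUM/HIGH
            self.call("ascan", "action", "setScannerAttackStrength",
                      id=rid, attackStrength=strength, scanPolicyName=policy)
            self.call("ascan", "action", "setScannerAlertThreshold",
                      id=rid, alertThreshold=threshold, scanPolicyName=policy)
        return ids

    def start_ascan(self, target, policy=None):
        """ascan/action/scan answers {"scan": "<id>"}; no policy name means Default Policy."""
        params = {"url": target, "recurse": "true", "inScopeOnly": "true"}
        if policy:
            params["scanPolicyName"] = policy
        return self.call("ascan", "action", "scan", **params)["scan"]

    def wait_for_ascan(self, scanid, interval=5):
        """Poll ascan/view/status until it reports 100%; return the number of polls."""
        polls = 0
        while True:
            polls += 1
            if int(self.call("ascan", "view", "status", scanId=scanid)["status"]) >= 100:
                return polls
            time.sleep(interval)

    def rule_progress(self, scanid):
        """Flatten ascan/view/scanProgress into {host: {rule name: status}}. Plugin field
        order (name, id, quality, status, time ms, requests) is assumed from the thread."""
        items = self.call("ascan", "view", "scanProgress", scanId=scanid)["scanProgress"]
        return {host: {p["Plugin"][0]: p["Plugin"][3] for p in detail["HostProcess"]}
                for host, detail in zip(items[0::2], items[1::2])}  # host, detail alternate


# Constructed offline transport, shaped like the responses quoted in the thread.
SAMPLE_PROGRESS = {"scanProgress": ["https://xxxxxxx.com", {"HostProcess": [
    {"Plugin": ["Path Traversal", "6", "release", "18%", "25013", "79"]},
    {"Plugin": ["Remote File Inclusion", "7", "release", "Pending", "0", "0"]}]}]}


def make_fake_fetch(done_after=3):
    """Return (fetch, log): fetch answers like ZAP would; log records what was called."""
    log = {"status_polls": 0, "set_calls": []}
    def fetch(url):
        path, _, query = url.partition("?")
        q = urllib.parse.parse_qs(query)
        if "/ascan/view/scanners/" in path:
            return {"scanners": [{"id": "6"}, {"id": "7"}]}
        if "/ascan/action/setScanner" in path:
            log["set_calls"].append((path.rstrip("/").rsplit("/", 1)[-1], q["id"][0]))
            return {"Result": "OK"}
        if "/ascan/action/scan/" in path:
            return {"scan": "1"}
        if "/ascan/view/status/" in path:
            log["status_polls"] += 1
            return {"status": "100" if log["status_polls"] >= done_after else "18"}
        if "/ascan/view/scanProgress/" in path:
            return SAMPLE_PROGRESS
        raise ValueError("unexpected API call: " + url)
    return fetch, log


def run_demo(fetch=http_fetch, interval=5):
    """Pin Medium/Medium, start the scan, poll to completion, summarise per rule."""
    zap = ZapApi("changeme", fetch=fetch)  # "changeme" is a placeholder API key
    zap.set_policy_levels("MEDIUM", "MEDIUM")
    scanid = zap.start_ascan("https://xxxxxxx.com")
    polls = zap.wait_for_ascan(scanid, interval=interval)
    return scanid, polls, zap.rule_progress(scanid)


if __name__ == "__main__":
    print(run_demo(make_fake_fetch()[0], interval=0))
```

Against a live ZAP, call run_demo() with the default transport. The same calls exist in the python-owasp-zap-v2.4 client under snake_case names (set_scanner_attack_strength, set_scanner_alert_threshold, status, scan_progress); the point of the offline transport is that the progress parser and the polling loop can be checked without a scan running.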