authenticated urls


Nicollas Teixeira

Aug 15, 2023, 3:48:13 PM
to ZAP User Group
I'm trying to automate the scan using Docker, but first I'm trying to run it in the GUI. I wasn't understanding why it only found the target URL and didn't attack the later URLs; I just realized that in the spider they are considered out of context. How can I fix this? I already tried the option "include in context" but I'm still getting results only for the main URL and not for the branch of all sub pages.

psiinon

Aug 16, 2023, 3:46:17 AM
to zaprox...@googlegroups.com
Hiya,

Can you explain a bit more please?
Your title is "authenticated urls" while you also mention the URLs being out of context.

What exactly are you doing, what happens and why do you think that's a problem?

Many thanks,

Simon



--
ZAP Project leader

Nicollas Teixeira

Aug 16, 2023, 8:09:34 AM
to ZAP User Group
I'm trying to scan my URL and I have the authentication tester context included with my post-login URL (like authenticated URLs). When I run the spider it says "out of context" for my authenticated URLs. I'm using the target URL but I want to scan the sub pages post-auth as well.

psiinon

Aug 16, 2023, 8:21:57 AM
to zaprox...@googlegroups.com
Ah ok.
Add them to the context then :)

However, sub pages should be in scope by default.
If you could give us some examples that would help (replacing sensitive information, so something like https://www.example.com/login).

Cheers,

Simon



--
ZAP Project leader

Nicollas Teixeira

Aug 16, 2023, 8:55:06 AM
to ZAP User Group
Sure! I'm adding to the context all the sub pages which I would like to scan in addition to my main target URL, like this:

In the authentication tester I'm using example.com/login with my username and password. By default it creates a new context and it spiders the post-login pages, but I can't run an active scan on the post-login pages; it runs only on the main target URL, even if I add to the context something like example.com/postlogin and example.com/postlogin2.

Now, I'm basically trying to make it work in the GUI because I intend to do the same using Docker. I want to automate my scans, and if I can do it in the GUI, I would export the context and replace values with environment variables to automate similar work with the same context structure.

psiinon

Aug 16, 2023, 8:57:48 AM
to zaprox...@googlegroups.com
How are you running the active scan?
What parameters are you providing?

You will need to choose the relevant context and specify the user you want to use.

Cheers,

Simon



--
ZAP Project leader
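As an added example (not from this thread or from the ZAP project itself), here is what the setup Simon describes looks like as a ZAP Automation Framework plan for the Docker run the original poster has in mind: the post-login pages from the thread are included in the context, and both the spider and active scan jobs name the context and the user so requests go out authenticated. The login form field names, the logged-in/logged-out regexes, the `ZAP_USER`/`ZAP_PASS` environment variable names and the Docker invocation are assumptions that have to be adapted to the real application.

```yaml
# Assumed plan file: plan.yaml, mounted into the container at /zap/wrk.
# Example invocation (assumption, adjust image tag and paths):
#   docker run --rm -v "$(pwd)":/zap/wrk:rw -e ZAP_USER -e ZAP_PASS \
#     ghcr.io/zaproxy/zaproxy:stable zap.sh -cmd -autorun /zap/wrk/plan.yaml
env:
  contexts:
    - name: "authtest"
      urls:
        - "https://example.com"
      includePaths:
        # Everything under the host is in scope, so the post-login
        # pages (example.com/postlogin, example.com/postlogin2) are covered.
        - "https://example.com/.*"
      excludePaths:
        # Keep the scanner from logging the user out mid-scan (assumed path).
        - "https://example.com/logout.*"
      authentication:
        method: "form"
        parameters:
          loginPageUrl: "https://example.com/login"
          loginRequestUrl: "https://example.com/login"
          # Field names are assumptions; copy them from the real login POST.
          loginRequestBody: "username={%username%}&password={%password%}"
        verification:
          method: "response"
          # Assumed markers of a logged-in vs. logged-out page.
          loggedInRegex: "\\QLogout\\E"
          loggedOutRegex: "\\QLogin\\E"
      sessionManagement:
        method: "cookie"
      users:
        - name: "scan-user"
          credentials:
            # Substituted from the container environment at run time.
            username: "${ZAP_USER}"
            password: "${ZAP_PASS}"
  parameters:
    failOnError: true
jobs:
  - type: spider
    parameters:
      context: "authtest"
      user: "scan-user"      # spider as the authenticated user
  - type: activeScan
    parameters:
      context: "authtest"
      user: "scan-user"      # active scan as the same user, whole context
```

If the scan still only touches the login URL, the verification regexes are the first thing to check: ZAP will not treat the session as logged in unless the logged-in marker matches.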

Nicollas Teixeira

Aug 16, 2023, 9:20:59 AM
to ZAP User Group
That's exactly how I'm executing it... there's no secret, I'm just running an active scan: right-click on the context, select active scan and my user.

Nicollas Teixeira

Aug 16, 2023, 9:23:58 AM
to ZAP User Group
And... is there any way to use something like the authentication tester on Docker, or something similar?

Nicollas Teixeira

Aug 16, 2023, 9:30:49 AM
to ZAP User Group

And I don't know if it's normal, but there are only requests with the GET method; the only POST request is the login request.

Nicollas Teixeira

Aug 17, 2023, 11:15:46 AM
to ZAP User Group
Hey, any news about this?

Simon Bennetts

Aug 17, 2023, 11:49:11 AM
to ZAP User Group
Run an active scan as you are doing right now, but deselect 'Recurse'. We want to limit what ZAP is doing.
Look in the Output tab: anything in there?
Look at the first requests ZAP sends: does it look like it's sending the right session tokens?