How to stop some third-party requests


Mewzer

Aug 25, 2021, 12:24:30 PM
to OWASP ZAP User Group
Hello there,

I asked a similar question quite a while ago but I still haven't come up with a solution ...

One of the websites I am penetration testing makes requests to sentry.io.

When I run an OWASP Zap scan, many requests are made to sentry.io and then I start seeing a 429 (Too Many Requests) response.

I would like to configure OWASP ZAP to not make any requests at all to sentry.io as stopping them should not affect the website I am testing.

In the GUI, I have tried:
- Defining a Global exclude URL:
^https?://.*\.sentry\.io.*$
- Also adding this URL to the "Exclude from Scanner" and "Exclude from Spider" and "Exclude from Proxy" session properties.

However I am still seeing 429's.

Is there anything else I can do?

Many thanks!

thc...@gmail.com

Aug 25, 2021, 12:36:11 PM
to zaprox...@googlegroups.com
Hi.

What's sending the requests?

Best regards.

Chloe Fotherby

Aug 25, 2021, 12:42:31 PM
to zaprox...@googlegroups.com
Hi there,

The website I am testing makes a request to sentry.io on each page.

So suppose my website is www.example.com
Any pages that are part of www.example.com call sentry.io

So, I am assuming that when OWASP Zap scans a page, e.g. www.example.com/something.html, a request will also be made to sentry.io
And as OWASP ZAP makes many different requests to test www.example.com, many requests will also be made to sentry.io (even though OWASP ZAP is not actually attacking sentry.io)

Thanks


kingthorin+owaspzap

Aug 25, 2021, 2:17:41 PM
to OWASP ZAP User Group
Reach out to sentry.io and find out why you're hitting the condition?
Set ZAP spider/active scan single threaded and throttle the requests?

Where are you seeing the 429s (in zap or separate)?

Simon Bennetts

Aug 26, 2021, 3:07:06 AM
to OWASP ZAP User Group
If the requests to sentry.io are being proxied through ZAP then you can automatically drop them using a script.
We have a couple of examples that you could use for inspiration:
but I'd recommend converting them into an httpsender script so that they apply to all of the requests generated by ZAP.

Cheers,

Simon
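To make the "drop them using a script" advice concrete, here is an added example of a ZAP proxy script that drops requests to sentry.io and its subdomains. It is not one of the ZAP project's own example scripts and not the script the original poster ended up using; it only relies on the ZAP proxy-script convention that `proxyRequest(msg)` returning `false` drops the message, and on `msg.getRequestHeader().getURI()` to read the request URL. The blocked-host list and the sample URLs are constructed for the example. The decision logic matches on the host component rather than the whole URL, which avoids two weaknesses of a pattern such as `^https?://.*\.sentry\.io.*$`: that pattern also matches a first-party URL whose query string merely contains "a.sentry.io", and it does not match the apex `https://sentry.io/` because it requires a dot before "sentry".

```javascript
// Added example (not from the ZAP project or from this thread): a ZAP proxy
// script that drops outgoing requests to a third-party host such as sentry.io.
// ZAP calls proxyRequest(msg) for every proxied request; returning false drops
// the message, returning true lets it through unchanged.

// Hosts to block: the host itself and every subdomain of it.
// Constructed for this example; extend the list as needed.
var BLOCKED_HOSTS = ["sentry.io"];

// print() is the ZAP script console output; fall back to console.log when the
// script is exercised outside ZAP (e.g. under Node for a quick check).
var log = typeof print === "function" ? print : console.log;

// Extract the host name (no scheme, port, path, query or fragment) from an
// absolute http(s) URL string. Returns null for anything else.
function hostOf(url) {
  var m = /^https?:\/\/([^\/?#:]+)(?::\d+)?(?:[\/?#]|$)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// True when host equals a blocked host or is a subdomain of one.
// "notsentry.io" and "sentry.io.example.com" are deliberately NOT matched.
function isBlockedHost(host, blocked) {
  if (!host) return false;
  for (var i = 0; i < blocked.length; i++) {
    var b = blocked[i].toLowerCase();
    if (host === b || host.slice(-(b.length + 1)) === "." + b) return true;
  }
  return false;
}

// Decision for one request URL; kept separate so it can be tested on strings.
function shouldDrop(url) {
  return isBlockedHost(hostOf(url), BLOCKED_HOSTS);
}

// ZAP proxy script entry point. msg is an org.parosproxy.paros.network.HttpMessage.
function proxyRequest(msg) {
  var url = msg.getRequestHeader().getURI().toString();
  if (shouldDrop(url)) {
    log("Dropping request to third-party host: " + url);
    return false; // false = drop the request, nothing is sent upstream
  }
  return true;
}

// Responses are never dropped by this script.
function proxyResponse(msg) {
  return true;
}
```

A proxy script only sees traffic that passes through the ZAP proxy; as Simon notes, applying the same decision to requests the spider and scanner generate themselves means calling `shouldDrop` from an httpsender script's `sendingRequest(msg, initiator, helper)` entry point instead, which is the conversion the thread recommends.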

Chloe Fotherby

Aug 26, 2021, 4:00:15 AM
to zaprox...@googlegroups.com
Thank you so much for all of your help. I will try all of these suggestions.

Kind regards.

Mewzer

Sep 2, 2021, 7:16:26 AM
to OWASP ZAP User Group
Hi there,

The HTTPSender script works well from the GUI - thank you very much! Is there a way of using it via a Docker Packaged Scan for automation? Would I use one of the scan hooks?

I've debugged my initial problem further ... I think only the Cross Site Scripting (DOM based) rule is ignoring the Global Exclude URLs that I have defined, the other rules seem OK - could this be a bug?

Kind regards.

Simon Bennetts

Sep 2, 2021, 7:21:54 AM
to OWASP ZAP User Group
You _can_ add scripts to the packaged scans, but it is a bit harder than it should be. It will be easier in the Automation Framework ;)
You will need to make sure they are in the docker image (copy them in or use a mapped drive) and then add them from the command line as per https://www.zaproxy.org/faq/how-do-you-add-a-script-to-zap-from-the-command-line/

The DOM XSS rule works by launching browsers. It will not attack URLs that are out of scope but it will load JS and CSS files from out of scope URLs - otherwise the target app is unlikely to work.
So it's not attacking those URLs and is acting as designed.

Cheers,

Simon

Chloe Fotherby

Sep 2, 2021, 7:54:39 AM
to zaprox...@googlegroups.com
I was expecting ZAP to not make any requests to anything in the "Global Exclude URLs" list at all (even benign ones) - I must have misunderstood its purpose!

Thanks so much for the information and clarification :-).

Cheers.
