Unable to exclude a URL from the context


bisera.m...@telenordigital.com

Aug 10, 2015, 7:04:47 AM
to OWASP ZAP User Group
After updating ZAP to version 2.4.1, the authentication setup which worked for ZAP 2.4.0 doesn't work anymore. Despite excluding the logout action from the context, ZAP seems to ignore the following line and logs out anyway.

zap.context.exclude_from_context('ConnectID', '^(.*?(action=logout)[^$]*)$')

Are there any changes in 2.4.1 that might have affected this? Does anyone have any ideas on how to solve this in a different way maybe?

thc...@gmail.com

Aug 10, 2015, 7:30:36 AM
to zaprox...@googlegroups.com
Hi.

Hard to tell without having more details on what ZAP is doing and how it is
configured.

Is that happening with spider? Active scanner? How are you starting the
scans?

Is ZAPauthentication.py (attached to dev post) still similar to what you
have now?

Best regards.

Bisera Milosheska

Aug 10, 2015, 9:02:09 AM
to OWASP ZAP User Group

Hi,


Yes, it is pretty much the same. I have only made some slight changes in the way I start ZAP, as we intend to run it from Jenkins. 


However, the authentication fails even when I run the GUI on my local machine. The problem is that ZAP authenticates successfully once and gets a response for the first page, but then apparently logs out and gets a 303 status for all other requests. I shared my solution in the dev post the last time I had this problem. I solved it by excluding the logout action from the context, and I am guessing that this is ignored by ZAP now, as the current problem resembles the one I described in the dev post last time.


Here is my script.


Thank you for your help.


Kind regards,

Bisera

script_daemon.py

thc...@gmail.com

Aug 10, 2015, 10:37:34 AM
to zaprox...@googlegroups.com
OK. When spidering with the API you need to exclude the URL with
something like:
zap.spider.exclude_from_scan('.*action=logout.*')

because the context is not being spidered.
The spider API should support spidering a context (or all URLs "in
scope"), which would enforce the exclusions defined in the context.

When running with the GUI you need to spider the context as "starting point"
(as opposed to a URL in the context) because of an issue.
Although this issue was already present in 2.4.0, so I'm not sure why there are
differences in the behaviour that you are seeing.

Best regards.

Bisera Milosheska

Aug 11, 2015, 5:05:43 AM
to OWASP ZAP User Group
Hi,

Yes, that helped. Thank you! I am not sure either, but excluding the URL from the context worked just fine and the spider discovered even more URLs than now.

I have one more question regarding the spidering though. Do you have an idea maybe, why I need to crawl twice in order to discover more URLs?

Kind regards,
Bisera

thc...@gmail.com

Aug 11, 2015, 7:25:13 AM
to zaprox...@googlegroups.com
Hi.

Great!
OK, something that should be looked into then.


If spidering has no side effects (for example, creating new pages), that's
caused, most likely, by a lower maximum depth value.
The depth is calculated from the seed(s), not the root of the target, so
spidering again effectively increases the depth that the spider is
allowed to get.

Try with max depth of, say, 50 instead of 5.

Best regards.
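As an added example (not from the thread and not ZAP's own code), a small model of the two points made above: an exclusion regex is checked before a URL is ever requested, and the depth limit is counted from the seed(s) rather than from the site root, which is why a second crawl seeded with the first run's results reaches pages the first one did not. The site, URLs and crawler are constructed for the demo; ZAP's real spider is more elaborate.

```python
import re
from collections import deque

# Constructed toy site for the demo: each page maps to the links it contains.
# Every page links to the logout action, which must never be followed.
LOGOUT = "http://app.example/home?action=logout"
SITE = {"http://app.example/home": ["http://app.example/p1", LOGOUT]}
for i in range(1, 8):
    SITE[f"http://app.example/p{i}"] = [f"http://app.example/p{i + 1}", LOGOUT]
SITE["http://app.example/p8"] = [LOGOUT]

# The regex from the thread's zap.spider.exclude_from_scan() call.
EXCLUDE = [re.compile(r".*action=logout.*")]


def is_excluded(url, patterns=EXCLUDE):
    """True if an exclusion regex matches the whole URL (assumption: full-match
    semantics, which is why both patterns in the thread are wrapped in .* / ^...$)."""
    return any(p.fullmatch(url) for p in patterns)


def spider(site, seeds, max_depth, patterns=EXCLUDE):
    """Breadth-first crawl. Depth is counted from each seed, not from the site
    root, so the same max_depth reaches further when more seeds are supplied."""
    found = set(seeds)
    queue = deque((s, 0) for s in seeds)
    while queue:
        url, depth = queue.popleft()
        if depth >= max_depth:
            continue  # page is recorded but its links are not followed
        for link in site.get(url, []):
            if link in found or is_excluded(link, patterns):
                continue  # excluded URLs (e.g. logout) are never requested
            found.add(link)
            queue.append((link, depth + 1))
    return found


def crawl_twice(site, seed, max_depth, patterns=EXCLUDE):
    """Run the spider, then re-seed a second run with everything it found."""
    first = spider(site, [seed], max_depth, patterns)
    second = spider(site, sorted(first), max_depth, patterns)
    return first, second


if __name__ == "__main__":
    first, second = crawl_twice(SITE, "http://app.example/home", 3)
    print(len(first), "pages after one crawl,", len(second), "after two")
    print(len(spider(SITE, ["http://app.example/home"], 50)), "with depth 50")
```

With the seed alone and max depth 3 the crawl stops at p3; re-seeding with the first run's pages reaches p6, and raising the depth to 50 (as suggested above) reaches every page in one run, while the logout URL is never requested in any of them.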

c.dematt...@xsite.de

Jul 12, 2016, 6:51:28 AM
to OWASP ZAP User Group
Hi,
I'm having the same problem, but I'm working with the Jenkins plugin. I use the "URL to exclude from context" field, and I see in the logs: "
URL exluded from context : https://ajax.googleapis.com/ajax/libs/jquery/1.12.0/jquery.min.js"
But I am still getting alerts for this URL.
Do you have an idea how I can get it to work?
Thanks a lot in advance,
Cynthia