Unable to exclude URLs from reports.

Hector Luna

Dec 2, 2022, 10:13:31 AM
to OWASP ZAP User Group
I have an automation plan that defines a bunch of URLs that we scan. We also include a bunch of URLs that we want to include and some that we want to exclude. This used to work before, and now we are finding that we are getting some of these URLs we do not want in the reports.

Is there a way to prevent this? Has something changed that we should know?

Here is a sample of the automation plan we are using:
env:
  contexts:
  - name: "Automation Plan"
    urls:
    includePaths:
    excludePaths:
    authentication:
      parameters: {}
      verification:
        method: "response"
        pollFrequency: 60
        pollUnits: "requests"
        pollUrl: ""
        pollPostData: ""
    sessionManagement:
      method: "cookie"
      parameters: {}
  parameters:
    failOnError: false
    failOnWarning: false
    progressToStdout: true
  vars: {}
... etc.


We want to make sure we do not include anything from these URLs.
- "https://fonts.googleapis.com.*"

They do trigger warnings, and that is precisely why we want to exclude them. This used to work before and now it does not. They keep getting included in the Modern and Risk-Confidence reports.

Are we doing anything wrong? Is there something else I should do to prevent these things from getting included in the reports?

The Risk-Confidence report always produces this text:

The following sites were included:

(If no sites were selected, all sites were included by default.)

An included site must also be within one of the included contexts for its data to be included in the report.

This is adding a lot of chatter to our reports.
We are using the weekly release, and we are enabling all the passive rules to a medium level.

Thanks!
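One way to confirm which report entries slipped past the exclusion described in the post above, as an added example that is not part of the original post or of ZAP itself. It assumes the report was also generated as JSON with a top-level "site" list whose entries carry "@name" and "alerts", and that exclude patterns are regular expressions matched against the whole URL; the function names and sample data are hypothetical.

```python
import json
import re

# Pattern taken from the post; it would sit under excludePaths in the plan.
EXCLUDE_PATHS = [r"https://fonts.googleapis.com.*"]

# Constructed sample report (assumed layout, not real scan output).
SAMPLE_REPORT = json.dumps({
    "site": [
        {"@name": "https://app.example.test",
         "alerts": [{"alert": "Missing Anti-clickjacking Header"}]},
        {"@name": "https://fonts.googleapis.com",
         "alerts": [{"alert": "Strict-Transport-Security Header Not Set"}]},
    ]
})


def compile_excludes(patterns):
    """Compile the plan's exclude patterns once."""
    return [re.compile(p) for p in patterns]


def is_excluded(url, compiled):
    # Assumption: a pattern must match the entire URL, not just a prefix.
    return any(p.fullmatch(url) for p in compiled)


def leaked_sites(report_text, patterns):
    """Return (site, alert names) for reported sites that match an exclude."""
    compiled = compile_excludes(patterns)
    leaks = []
    for site in json.loads(report_text).get("site", []):
        name = site.get("@name", "")
        if is_excluded(name, compiled):
            alerts = [a.get("alert", "") for a in site.get("alerts", [])]
            leaks.append((name, alerts))
    return leaks


def strip_excluded(report_text, patterns):
    """Return the report as a dict with excluded sites removed."""
    compiled = compile_excludes(patterns)
    report = json.loads(report_text)
    report["site"] = [s for s in report.get("site", [])
                      if not is_excluded(s.get("@name", ""), compiled)]
    return report


if __name__ == "__main__":
    for name, alerts in leaked_sites(SAMPLE_REPORT, EXCLUDE_PATHS):
        print(f"excluded site still reported: {name} -> {alerts}")
```

Running the same check against reports from the older and newer weekly builds shows whether the exclusion stopped applying or the pattern never matched the reported site name.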
