ZAP behaviour when running scans on Wordpress sites


Ruchira Sahan

Oct 21, 2021, 2:32:36 AM10/21/21
to OWASP ZAP User Group
Hi, I'm trying to run scans against a web site built using WordPress. It has Facebook like buttons and other social links on it. Why does ZAP keep trying to hit URLs like the ones shown below? This scan has been going for over 24 hours and is at 87% complete as of now. But for some reason ZAP is trying to scan random links, mostly from Facebook, for over 10 hours.

Here's a sample URL - https://www.facebook.com/ajax/bz?__a=1&__ccg=EXCELLENT&__comet_req=0&__csr=&__dyn=7xe6Fo4OQ1PyUbFuC1swgE98nwgU6C7UW3q327E2vwXx60kO4o3Bw5VCwjE3awbG782Cw8G1Qw5MKdwnU1oU884y0lW0SU2swdq0Ho2ewnE0yK3qaw4kw&__hs=18921.BP%3ADEFAULT.2.0.0.0.&__hsi=7021378009379734597-0&__req=1c&__rev=1004591960&__s=%3A9qmgd8%3Adfnhwi&__spin_b=trunk&__spin_r=1004591960&__spin_t=1634791961&__user=0&dpr=1&jazoest=2958&lsd=AVoxUXh0_-o

Help would be appreciated :-)

Thanks


Simon Bennetts

Oct 21, 2021, 4:06:48 AM10/21/21
to OWASP ZAP User Group
Difficult to say for certain, but I can hazard a guess.
This is probably the DOM XSS scanner - that opens browsers to perform its attacks. The browsers will then load the relevant web pages and as a result make the requests to the URLs included in the page, including requests to Facebook.
To double check this open the Scan Progress dialog and see which scan rule is running - I'm expecting it to be the DOM XSS one.

Cheers,

Simon

Ruchira Sahan

Oct 21, 2021, 5:55:50 AM10/21/21
to OWASP ZAP User Group
You are spot on. I had to skip that one for the scan to finish. Thank you for the help. Any idea why it is sending so many requests to Facebook?



Simon Bennetts

Oct 21, 2021, 6:06:22 AM10/21/21
to OWASP ZAP User Group
Strictly speaking this rule is not making _any_ requests to Facebook.
It is launching browsers that open URLs on the target app.
The browser is making the requests to Facebook - so the question should be "why is the target app including so many Facebook assets?" :)

Cheers,

Simon

Ruchira Sahan

Oct 24, 2021, 10:43:14 PM10/24/21
to OWASP ZAP User Group
Thank you so much for your help Simon :-) Just one more thing: can we use the API to skip the DOM XSS scanner, just like in ZAP desktop? Or can we add a timeout just for DOM XSS when using the ZAP CLI? I don't want to stop the scan when this happens, I just want to skip parts, just like ZAP desktop does when this happens.

Which API call should be used in this situation to skip items? Reading the documentation and other threads here, it looks like we can use setOptionMaxRuleDurationInMins or this one: https://www.zaproxy.org/docs/api/#ascanviewstatus

Thanks

Simon Bennetts

Oct 25, 2021, 4:52:31 AM10/25/21
to OWASP ZAP User Group
The recommended approach is to create a scan policy which turns that rule off. You can create that in the ZAP desktop, export it and then just copy that file into the relevant directory when you automate ZAP and specify the profile when you start the scan.

Cheers,

Simon

Ruchira Sahan

Oct 25, 2021, 11:08:40 PM10/25/21
to OWASP ZAP User Group
Thanks Simon. Instead of just turning it off, is there a way to set a timeout? 
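The two knobs the thread names, a scan policy with the DOM XSS rule disabled and setOptionMaxRuleDurationInMins, driven from the zap-api-python client; this is an added example, not code from the thread or the ZAP project, and the ZAP address, API key, policy name, target URL and the sample scanner list are assumptions.

```python
"""Added example: disable the DOM XSS active scan rule in a dedicated scan policy
and cap per-rule duration, using the zap-api-python client (pip install zaproxy).
ZAP address, API key and target below are placeholders, not values from the thread."""
import time

ZAP_ADDRESS = "http://127.0.0.1:8080"  # assumed ZAP API/proxy address
API_KEY = "change-me"                 # placeholder; copy from ZAP's API options
DOM_XSS_FRAGMENT = "DOM"              # matches the "Cross Site Scripting (DOM Based)" rule name

# Constructed sample in the shape zap.ascan.scanners() returns (ids are real ZAP rule ids).
SAMPLE_SCANNERS = [
    {"id": "40012", "name": "Cross Site Scripting (Reflected)", "enabled": "true"},
    {"id": "40026", "name": "Cross Site Scripting (DOM Based)", "enabled": "true"},
    {"id": "90019", "name": "Server Side Code Injection", "enabled": "true"},
]


def find_scanner_ids(scanners, name_fragment):
    """Ids of active scan rules whose name contains name_fragment (case-insensitive)."""
    frag = name_fragment.lower()
    return [s["id"] for s in scanners if frag in s["name"].lower()]


def plan_policy(scanners, name_fragment, max_rule_minutes):
    """Pure planning step: which rule ids to disable and which per-rule cap to apply.
    Kept free of API calls so the decision can be checked without a running ZAP."""
    if max_rule_minutes < 0:
        raise ValueError("max_rule_minutes must be >= 0 (0 means no cap)")
    return find_scanner_ids(scanners, name_fragment), max_rule_minutes


def apply_policy(zap, policy_name, name_fragment, max_rule_minutes):
    """Create the policy, disable matching rules in it and cap per-rule duration."""
    zap.ascan.add_scan_policy(policy_name)  # fails if the policy already exists
    ids, minutes = plan_policy(zap.ascan.scanners(scanpolicyname=policy_name),
                               name_fragment, max_rule_minutes)
    if ids:
        zap.ascan.disable_scanners(",".join(ids), scanpolicyname=policy_name)
    zap.ascan.set_option_max_rule_duration_in_mins(minutes)  # global option, not per policy
    return ids


def scan_and_wait(zap, target, policy_name, poll_seconds=10):
    """Start the active scan with the policy and poll ascan/view/status until 100%."""
    scan_id = zap.ascan.scan(target, scanpolicyname=policy_name)
    while int(zap.ascan.status(scan_id)) < 100:
        time.sleep(poll_seconds)
    return scan_id


if __name__ == "__main__":
    from zapv2 import ZAPv2  # imported here so the pure helpers run without the client
    zap = ZAPv2(apikey=API_KEY, proxies={"http": ZAP_ADDRESS, "https": ZAP_ADDRESS})
    print("disabled:", apply_policy(zap, "no-dom-xss", DOM_XSS_FRAGMENT, max_rule_minutes=10))
    scan_and_wait(zap, "https://example.com/", "no-dom-xss")  # placeholder target
```

Note that setOptionMaxRuleDurationInMins is a global active scan option applied to every rule, whereas disabling the rule only affects the named policy.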