Scope context not being enforced

Peter Browning

11:59 AM
to ZAP User Group
Hey all, I'm new to the group but have been using zaproxy for a long time and really like the product. Lately, we've been having issues using automation plans in which sites that are not in context are reported in the HTML report as well as in the sitemap output. I've scanned the web and this group, but have not found a solution as of yet.

Inside of my automation plan, I have the following context set up:

env:
  contexts:
    - name: Default Context
      urls:
        - "https://${TARGET}"
      excludePaths:
        - "https://abc.${TARGET}"
        - "https://def.${TARGET}"
        - "https://ghi-cdn.${TARGET}"
        - "https://jkl.${TARGET}"
        - "(?!.*\\.${TARGET}).*" # Are negative lookaheads supported?
        - ".*\\.(png|jpeg|jpg|gif|svg|ico|woff|woff2|ttf|css|js)$" # Don't attack static files

Afterwards, we do the following:

  - name: Export Site Tree
    type: export
    parameters:
      context: Default Context
      type: yaml
      source: sitestree
      fileName: reports/${REPORT_NAME}-sitestree.yaml

  - name: Prune Site Tree
    type: prune
    parameters:
      fileName: reports/${REPORT_NAME}-sitestree.yaml

And finally,

  - name: Generate HTML Report
    type: report
    parameters:
      template: modern
      theme: corporate
      reportDir: reports
      reportFile: ${REPORT_NAME}.html
      reportTitle: ZAP Security Scan Report
      reportDescription: Security scan results for ${TARGET}
      includedRisks:
        - High
        - Medium
      sites:
        - ${TARGET}

So, ideally we could have a situation in which this outputs a report only covering our TLD ($TARGET.com), and any subdomains that are not explicitly denied (abc.$TARGET.com), as well as the explicitly denied file types. Instead, we receive the following output (I edited the HTML for privacy):
(attachment: Screenshot 2025-12-18 at 11.47.06 AM.png)

Has anyone dealt with an issue such as this? How can I more closely define the scope? TIA!

Peter
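An added check, not part of the thread, that expands the Default Context from the first post with a constructed TARGET and evaluates sample URLs against its include and exclude regexes (negative lookaheads are supported by both the Java and the Python regex engines). It assumes, without confirmation from the thread, that each `urls` entry becomes the regex `<url>.*`, that excludePaths are used verbatim, and that a regex must match the whole URL (re.fullmatch, the equivalent of Java's Matcher.matches); under those assumptions the lookahead entry also matches apex-host URLs, because `https://example.com/...` contains no `.example.com`.

```python
import re

# Editor-added scope check for the thread's Default Context. Assumptions
# (not confirmed by the thread): a `urls` entry becomes "<url>.*",
# excludePaths are verbatim regexes, and a regex must match the whole URL.


def plan_patterns(target):
    """Return (include_regexes, exclude_regexes) for the plan's context,
    with ${TARGET} expanded to the given (constructed) value."""
    include = [f"https://{target}.*"]
    exclude = [
        f"https://abc.{target}",
        f"https://def.{target}",
        f"https://ghi-cdn.{target}",
        f"https://jkl.{target}",
        rf"(?!.*\.{target}).*",  # matches any URL with no ".<target>" in it
        r".*\.(png|jpeg|jpg|gif|svg|ico|woff|woff2|ttf|css|js)$",
    ]
    return include, exclude


def scope_check(url, include, exclude):
    """Return (in_scope, included, matched_excludes) for one URL.
    in_scope is True only if an include regex matches and no exclude does."""
    included = any(re.fullmatch(p, url) for p in include)
    matched = [p for p in exclude if re.fullmatch(p, url)]
    return (included and not matched), included, matched


# Constructed sample URLs, not taken from the thread.
SAMPLE_URLS = [
    "https://example.com/login",          # apex: included, lookahead excludes
    "https://example.com/assets/app.js",  # lookahead and static-file rule
    "https://abc.example.com/admin",      # subdomain: never included at all
    "https://www.example.com/",           # same: `urls` covers the apex only
]

if __name__ == "__main__":
    inc, exc = plan_patterns("example.com")
    for url in SAMPLE_URLS:
        in_scope, included, matched = scope_check(url, inc, exc)
        print(f"{url:36} in_scope={in_scope!s:5} included={included!s:5} "
              f"excluded_by={matched}")
```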

Peter Browning

12:05 PM
to ZAP User Group
Sorry, just to add a bit more context:

We are using the ajaxSpider and activeScan jobs in the plan, and are experimenting with spiderClient, setting the scopeCheck parameter to Strict. None of these seem to restrict the scope, however. We are on the latest version of ZAP and all extensions as well.

Simon Bennetts

12:43 PM
to ZAP User Group
Hiya,

The modern spiders (AJAX and Client) use browsers, and we've found we have to allow the browsers to retrieve all URLs in order for most apps to work, even if those URLs are out of scope.
To just get alerts for the sites you care about, you can specify the sites in the "report" job, as per https://www.zaproxy.org/docs/desktop/addons/report-generation/automation/
You do not need to use the "prune" job in this case.

The one exception to this is the insights - we've only just added those, and right now we do not have the option to restrict them to the scope.
That is planned.

Cheers,

Simon