ZAP Spider Clarification Due To Multiple Results on Same App/URL


Roland S.

Oct 23, 2024, 6:41:03 AM
to ZAP User Group
Hey everyone,

I'm currently exploring the Automation Framework and during my testing, I'm receiving multiple results from ZAP Spider, which leads to my confusion and I want to clarify how ZAP Spider works. I have a self-hosted DVWA running on Docker which is the target of these tests.

I am using ZAP 2.15.0 with default add-ons up to date.

Scenario 1
This is the first time opening ZAP. I click on the Firefox icon to open the ZAP browser and manually explore the app by visiting all URLs and clicking on menu items. Afterwards, I created an Automation Framework Plan and ran it, which resulted in 85 URLs crawled and 15 alerts.

Scenario 2
After running Scenario 1, we create a new session with the same Automation Framework Plan and run it. This time, ZAP Spider only crawled 5 URLs and only found 9 alerts.

Scenario 3
At this point, I'm not sure what's happening, so I decided to use Docker ZAP to run a scan using the same Automation Framework Plan as previous scenarios. This time, ZAP Spider crawled 14,589 URLs and found 20 alerts.
Note: The "http://172.22.0.3" is just DVWA's internal Docker IP and I have to change my configuration to that when running ZAP Docker.

Please see attachment for my ZAP Context and Automation Framework Plan.

Looking forward to your response. Thanks!
DAST-Spider-Test.yaml
DAST-Spider-Test.context

Simon Bennetts

Oct 24, 2024, 11:58:24 AM
to ZAP User Group
That includes a link to an Automation Framework plan that was working when the article was written :)
Let us know how you get on with it!

Cheers,

Simon

Roland S.

Oct 25, 2024, 12:51:46 AM
to ZAP User Group
Hi Simon,

Thanks for looking into this and all your work for ZAP. I read through the page you've linked and I tested the Automation Framework Plan included in the article, then copied over the differences to my own AF plan. Both plans are now returning 245-250 URLs crawled. However, this still doesn't explain why the ZAP GUI is only finding 5 URLs on both AF plans, despite having an "Authentication successful" log in the Output tab. Maybe there are some issues with the GUI version of the tool? How could I generate logs for you to inspect?

One thing I figured out is the reason why ZAP was showing 14k URLs. It is caused by setting the "security" Cookie value to "impossible". This might be because of how DVWA changes its configuration and behavior when security is set to the highest level. But during this, ZAP only seems to be making requests to "POST /vulnerabilities/xss_s/index.php HTTP/1.1".

Also to clarify, for the Session Management method "Cookie", does it not automatically detect "PHPSESSID" and we have to set it manually?
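For readers following this thread, here is an added example of a minimal Automation Framework plan for an authenticated DVWA spider with cookie-based session management. It is not the attached DAST-Spider-Test.yaml and not from the ZAP project; the host port (4280), the login-page paths, the logged-in/logged-out regexes and the DVWA default credentials are assumptions, and it deliberately leaves DVWA's "security" cookie at its default rather than forcing "impossible".

```yaml
# Added example plan (assumed values marked below), not the thread's attachment.
env:
  contexts:
    - name: "DVWA"
      urls:
        - "http://localhost:4280/"            # assumption: DVWA container published on host port 4280
      includePaths:
        - "http://localhost:4280/.*"
      excludePaths:
        - "http://localhost:4280/logout.php"  # keep the spider from logging its own session out
        - "http://localhost:4280/security.php" # do not let the crawl change the "security" level cookie
      authentication:
        method: "form"
        parameters:
          loginPageUrl: "http://localhost:4280/login.php"     # assumption: default DVWA login page
          loginRequestUrl: "http://localhost:4280/login.php"
          loginRequestBody: "username={%username%}&password={%password%}&Login=Login"
        verification:
          method: "response"
          loggedInRegex: "\\QLogout\\E"        # assumption: nav bar shows "Logout" once authenticated
          loggedOutRegex: "\\Qlogin.php\\E"    # assumption: unauthenticated pages redirect to login.php
      sessionManagement:
        method: "cookie"                       # session cookie (PHPSESSID here) is tracked from Set-Cookie
      users:
        - name: "dvwa-admin"
          credentials:
            username: "admin"                  # DVWA's documented default account, change for your install
            password: "password"
  parameters:
    failOnError: true
    progressToStdout: true
jobs:
  - type: "spider"
    parameters:
      context: "DVWA"
      user: "dvwa-admin"                       # crawl as the authenticated user defined above
      maxDuration: 5                           # minutes; bounds a runaway crawl like the 14k-URL case
  - type: "passiveScan-wait"
  - type: "report"
    parameters:
      template: "traditional-html"
      reportDir: "/tmp/zap-reports"
      reportFile: "dvwa-spider"
```

When comparing runs, check the Output tab for the "Authentication successful" message first: a crawl that stops at a handful of URLs usually means verification failed or the session cookie was never sent, which the loggedInRegex/loggedOutRegex pair above is there to surface.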

Simon Bennetts

Oct 25, 2024, 7:23:00 AM
to ZAP User Group
I've just tried it locally and it seems to be working fine for me.
It might be worth resetting your ZAP configs and trying again?

Cheers,

Simon

Roland S.

Oct 27, 2024, 10:43:33 PM
to ZAP User Group
Hi Simon,

Hope you had a great weekend. Resetting my ZAP to factory defaults did the trick. Thank you.

Simon Bennetts

Oct 28, 2024, 8:18:49 AM
to ZAP User Group
Thanks for letting us know!