
I have two setups with ZAP and Selenium, local and on Jenkins.

Locally, I can start ZAP, run a Selenium process with ZAP as a proxy and then start the spider and then put ZAP in attack mode. This will turn up a number of issues.

On Jenkins, I have a build job that will start ZAP as a pre-build step, run the same Selenium process through ZAP as a proxy as the build step and then run the spider and active scan as a post-build step. (I follow an approach very similar to this: https://wiki.jenkins.io/display/JENKINS/Execute+ZAP+as+part+of+a+Selenium+Build)

The latter approach turns up far fewer errors than the local approach. Why would this be?

On further inspection, it appears as though ZAP is not scanning every URL that Selenium accesses through ZAP as a proxy. It is as if it does not remember the URLs accessed by Selenium and does not bother to scan them. But why would this happen? Are there any settings in the official ZAP plugin that I am missing which would determine this?

For some additional information, the application I am testing runs in Tomcat. ZAP appears to attack URLs that are specific to Tomcat, such as http://[IP_Address]:[Port]/docs/default-servlet.html. Other than those, however, it seems to only attack those URLs that were explicitly listed in the context (i.e. http://[IP_Address]:[Port]). At least, it only shows vulnerabilities pertaining to these.

Also, is it possible for me, in Jenkins, to see a full list of all the requests made as part of the active scan, just as I can in my local ZAP?

harrys
    You may also want to post on the user group at https://groups.google.com/forum/#!forum/zaproxy-users – NASAhorse Sep 26 '18 at 21:18
  • I'll do that. (https://groups.google.com/forum/#!topic/zaproxy-users/CtRdCC7ORqQ) If I can get a good answer there, I will present it here. – harrys Sep 27 '18 at 16:08
  • I posted a question there and got an answer back, hopefully you get something back. I've used zaproxy including using it as proxy but not with selenium. Once I get the reports, I do a manual confirmation with relevant individuals in the team for further details. _"The latter approach turns up far fewer errors than the local approach."_ -> And by errors, did you mean the alert results? – NASAhorse Sep 27 '18 at 20:43
  • Yes. I mean alert results. As an aside, all I am using Selenium for is to provide ZAP with the URLs to scan. Selenium toys with the application, while using ZAP as a proxy, and (supposedly) ZAP records all the URLs (for both pages and RESTful requests) and scans them after Selenium is done. This seems to work locally, but the ZAP Jenkins plugin does not appear to scan more than the root URLs that I explicitly put in the context. – harrys Sep 28 '18 at 18:02
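A way to check the symptom described in the question (ZAP "not remembering" the URLs Selenium drove through the proxy) and to get the list of active-scan requests on Jenkins, as an added example that is not from the original post or from the ZAP project; it calls ZAP's JSON API directly with the standard library instead of going through the Jenkins plugin. The ZAP address, the API key and the file of URLs the Selenium run visited are assumptions.

```python
import json, sys, time
import urllib.parse
import urllib.request

ZAP_API = "http://127.0.0.1:8080"     # assumption: address of the ZAP API/proxy in the Jenkins job
API_KEY = "REPLACE_WITH_ZAP_API_KEY"  # assumption: the API key configured in ZAP's options


def zap(path, **params):
    """Call one ZAP JSON API view or action and decode the JSON reply."""
    params["apikey"] = API_KEY
    with urllib.request.urlopen(f"{ZAP_API}{path}?{urllib.parse.urlencode(params)}") as resp:
        return json.load(resp)

def normalize(url):
    """Drop fragments and trailing slashes so Selenium's and ZAP's spellings compare equal."""
    return url.split("#", 1)[0].rstrip("/")

def missing_from_zap(visited, recorded, root):
    """URLs under `root` that Selenium visited but ZAP's site tree never recorded.
    Anything returned here means the Selenium traffic did not pass through the proxy
    (or the ZAP session was reset), so the scan would cover only the context root."""
    root, have = normalize(root), {normalize(u) for u in recorded}
    wanted = {normalize(u) for u in visited if normalize(u).startswith(root)}
    return sorted(wanted - have)

def wait_for(status_path, scan_id):
    """Poll a spider or ascan status view until it reports 100%."""
    while int(zap(status_path, scanId=scan_id)["status"]) < 100:
        time.sleep(2)

def active_scan_requests(scan_id):
    """First request line of every message the active scan sent (what the local UI lists)."""
    ids = zap("/JSON/ascan/view/messagesIds/", scanId=scan_id)["messagesIds"]
    return [zap("/JSON/core/view/message/", id=i)["message"]["requestHeader"].splitlines()[0]
            for i in ids]

if __name__ == "__main__":
    target, visited_file = sys.argv[1], sys.argv[2]   # context root, file of URLs Selenium visited
    with open(visited_file) as fh:
        visited = [line.strip() for line in fh if line.strip()]
    gap = missing_from_zap(visited, zap("/JSON/core/view/urls/")["urls"], target)
    if gap:
        sys.exit("Selenium traffic never reached ZAP; missing:\n" + "\n".join(gap))
    spider_id = zap("/JSON/spider/action/scan/", url=target)["scan"]
    wait_for("/JSON/spider/view/status/", spider_id)
    ascan_id = zap("/JSON/ascan/action/scan/", url=target, recurse="true")["scan"]
    wait_for("/JSON/ascan/view/status/", ascan_id)
    print("\n".join(active_scan_requests(ascan_id)))
```

Run it as the post-build step after the Selenium build step has finished; if the site tree is missing the visited URLs at that point, the problem is the proxy setting of the Selenium job, not the spider or scan configuration.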

0 Answers