5

I have installed OWASP ZAP 2.8.0 and scan our site fully. In result we got some SQL injection URL's or pages. So We have fixed that SQL injection issues in development which is mentioned OWASP tool.

  1. How to scan the particular page or URL in OWASP?

    Example:

    We have scan http://www.samples.com fully and in result we got below URL are SQL injection possible. http://www.samples.com/sales

    So In development we have provided some fix for this page alone. If we scan http://www.samples.com/sales again to check. It's scan our full website. It's take more then 2 days to complete. How to scan that particular page or URL in OWASP?

    I have tried this - https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsImporturlsImportUrls but not works.

    Thanks,

karthik anandan
  • 89
  • 3
  • Just go ahead and do it???? Select the leaf node in the Site Tree instead of a parent node. (Or, select the particular History record for the request and launch the scan from there.) – kingthorin Aug 08 '19 at 02:02

1 Answers1

0

The "Select the leaf node in the Site Tree instead of a parent node." way is not working for me - my tests are running scheduled/automated. Whenever I start my ZAP GUI, the site tree will be empty

The best way I figured out was the following:
Define a Context/Use the default Context to point to "http://www.samples.com/sales.*" instead of using "http://www.samples.com"

Now I think, I should be able to just right-click the Context and select "Active Scan", but if I do so, my Scan task won't make any Progress (using ZAP 2.11.1 - Bug?)
Instead, I create an "Full Scan" "Automation Task" on this context. In my case, the spider job will be done in a few seconds, and the scan task in 4-5 minutes (Instead of scanning the entire page for 20H)

The active scan part will still include default URLs like "http://www.samples.com/WEB-iNF/web.xml" though

General Grievance
  • 4,555
  • 31
  • 31
  • 45
DarthVader
  • 192
  • 4
  • 16