1

Was trying to automate zap proxy scan on website. Below is my flow

  1. Start Zap proxy
  2. Create new session (/JSON/core/action/newSession/?apikey=12345&name=NewSession&overwrite=true)
  3. Create new Context (/JSON/context/action/newContext/?apikey=12345&contextName=NewContext)
  4. Add include and exclude regex URL patterns to context ( /JSON/context/action/setContextRegexs/?apikey=12345&contextName=NewContext&incRegexs=[https://myowsapjuiceshop.herokuapp.com/*]&excRegexs=[^(?:(?!http.*://myowsapjuiceshop.herokuapp.com).*).$])
  5. Add technologies to context (/JSON/context/action/includeContextTechnologies/?apikey=12345&contextName=NewContext&technologyNames=Db.MySQL%2CLanguage.Java%2COS.Linux%2CWS.Tomcat)
  6. Run UI tests with proxy set
  7. Run active scan (/JSON/ascan/action/scan/?apikey=12345&url=&recurse=&inScopeOnly=&scanPolicyName=&method=&postData=&contextId=2 ) // 2 is correct contextID
  8. Wait for active scan to complete (/JSON/ascan/view/status/?apikey=12345&scanId=5 ) // 5 is scan ID that I should be getting from step 7 ( run active scan response)
  9. Get Alerts json (/JSON/alert/view/alerts/?apikey=12345&baseurl=&start=&count=&riskId=)

Everything is fine till step 7 and Im stuck at step 7. Based on the documentation "Runs the active scanner against the given URL and/or Context....". I was of the understanding that I can run active scan against a context and URL is optional when ContextId is mentioned.

But, When I hit the api to run active scan with correct apikey and contextId /JSON/ascan/action/scan/?apikey=12345&url=&recurse=&inScopeOnly=&scanPolicyName=&method=&postData=&contextId=2

Response is {"code":"missing_parameter","message":"Missing Parameter"}

Im getting below error in zap logs 

1581054 [ZAP-ProxyThread-65] WARN org.zaproxy.zap.extension.api.API  - Bad request to API endpoint [/JSON/ascan/action/scan/] from [127.0.0.1]:
Missing Parameter (missing_parameter) : url
    at org.zaproxy.zap.extension.ascan.ActiveScanAPI.scanURL(ActiveScanAPI.java:874)
    at org.zaproxy.zap.extension.ascan.ActiveScanAPI.handleApiAction(ActiveScanAPI.java:369)
    at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:506)
    at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:499)
    at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:335)
    at java.lang.Thread.run(Thread.java:748)

I want to run active ascan on all the URLs recorded which match include and exclude regex I have set on context. Any help would be greatly appreciated.

Dileep17
  • 299
  • 3
  • 18

1 Answers1

2

Have you defined any URLs in your context? If so, are any of those URLs in the Sites tree?

Simon Bennetts
  • 5,479
  • 1
  • 14
  • 26
  • Hi Simon, "you defined any URLs in your context" - I have set incRegexs on context and I can see there are matching URLs that are recorded by proxy. Do I need to specify any other URL on context ? – Dileep17 Apr 21 '20 at 17:23
  • No, that should be it. This is very strange - I've checked the code and that exception should only be thrown if there are no matching urls. Are you testing in daemon mode? If so try testing with the desktop UI visible in case that shows something different. Once your UI tests have run you should see the urls in the Sites tree with the target icon. – Simon Bennetts Apr 23 '20 at 09:01
  • I started zap in non demon mode. Performed few UI action on browser after setting proxy, I'm able to see urls in zap history. I have two contexts, one default context and another one created via api. When I context click, select "export urls from context" option and save urls to a file, file is empty! even for default context! Default context has no incRegex. So should ideally have all urls in history as urls from context! correct ? I guess im missing something silly :( – Dileep17 Apr 23 '20 at 09:59
  • If the incRegex is empty then it will match nothing. By default the default context is empty :) – Simon Bennetts Apr 23 '20 at 10:45
  • Got it. Thank you soo much Simon. It all boiled down to the urls not matching to the incRegex. – Dileep17 Apr 23 '20 at 11:50