Ajax Spider with Context and User #105

Open
rucciva opened this issue Oct 28, 2021 · 5 comments

Comments


rucciva commented Oct 28, 2021

Hi, how do you run zap-cli ajax-spider with a context and a user, similar to zap-cli spider -c context -u user?


tony commented Nov 4, 2021

Same. This is a very common pattern and there's no working example for ajax spidering for authorization in CLI for zap-cli or zap in general. I can do it in GUI - but that's not useful because apparently they're practically separate applications.

Author

rucciva commented Nov 5, 2021

Hi @tony, it seems like this tool is no longer being maintained.

My workaround is to run spider before ajax spider, since I guess the session after spidering is persisted.

I'm also guessing that we could run ajax spider by using quick-scan with the custom script scanner only (if I'm not wrong, the scanner id is 50000) after disabling all the custom active-scan scripts (thus no active-scan script will run).


tony commented Nov 5, 2021

Thank you for the response @rucciva!

> My workaround is to run spider before ajax spider, since I guess the session after spidering is persisted.

Can you give me an example of what it looks like in CLI commands?

> I'm also guessing that we could run ajax spider by using quick-scan with the custom script scanner only (if I'm not wrong, the scanner id is 50000) after disabling all the custom active-scan scripts (thus no active-scan script will run).

An example of this, if such a thing existed, would be incredibly valuable!

Author

rucciva commented Nov 5, 2021

Sure, something like this (assuming you have started the zap daemon before):

zap-cli spider -c "$CONTEXT_NAME" -u "$CONTEXT_USER" "$URL" && zap-cli ajax-spider "$URL"

Or with quick-scan:

zap-cli quick-scan --ajax-spider -c "$CONTEXT_NAME" -u "$CONTEXT_USER" --scanners "50000" "$URL"
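
Added example, not part of the thread or of zap-cli: the workaround above relies on the session left behind by the authenticated spider, while the ZAP daemon's JSON API also exposes an `ajaxSpider` `scanAsUser` action that takes the context and user directly. The daemon address, the `ZAP_BASE` and `ZAP_API_KEY` environment variables and the function names are assumptions for illustration, and the AJAX Spider add-on is assumed to be installed in the daemon.

```python
"""Added example (not from the thread): AJAX spider as a context user via ZAP's JSON API."""
import json
import os
import time
import urllib.parse
import urllib.request

# Assumptions: daemon address and these environment variable names are illustrative.
ZAP_BASE = os.environ.get("ZAP_BASE", "http://127.0.0.1:8080")
ZAP_API_KEY = os.environ.get("ZAP_API_KEY", "")


def build_request(component, kind, name, params=None, base=ZAP_BASE, api_key=ZAP_API_KEY):
    """Build a ZAP JSON API request; the API key goes in a header, not the URL."""
    query = urllib.parse.urlencode(params or {})
    url = f"{base.rstrip('/')}/JSON/{component}/{kind}/{name}/"
    if query:
        url += "?" + query
    headers = {"X-ZAP-API-Key": api_key} if api_key else {}
    return urllib.request.Request(url, headers=headers)


def scan_as_user_request(context_name, user_name, target_url, subtree_only=True, **kw):
    """Request for ajaxSpider/action/scanAsUser. Empty names are rejected so an
    unset variable cannot silently turn into an unauthenticated crawl."""
    if not context_name or not user_name:
        raise ValueError("context and user are required for an authenticated crawl")
    if urllib.parse.urlsplit(target_url).scheme not in ("http", "https"):
        raise ValueError("target must be an http(s) URL")
    params = {"contextName": context_name, "userName": user_name,
              "url": target_url, "subtreeOnly": str(subtree_only).lower()}
    return build_request("ajaxSpider", "action", "scanAsUser", params, **kw)


def call(request):
    with urllib.request.urlopen(request, timeout=30) as resp:
        return json.load(resp)


def run(context_name, user_name, target_url, poll_seconds=5):
    """Start the crawl, poll until it is no longer 'running', return the result count."""
    call(scan_as_user_request(context_name, user_name, target_url))
    while call(build_request("ajaxSpider", "view", "status"))["status"] == "running":
        time.sleep(poll_seconds)
    return call(build_request("ajaxSpider", "view", "numberOfResults"))["numberOfResults"]


if __name__ == "__main__":
    print(run(os.environ["CONTEXT_NAME"], os.environ["CONTEXT_USER"], os.environ["URL"]))
```

The context and user must already exist in the running daemon's session, as they must for the `zap-cli spider -c ... -u ...` command above.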


tony commented Nov 5, 2021

Thank you! I will give this a try in the AM tomorrow (Texas time)
