Open rucciva opened 3 years ago
Same. This is a very common pattern and there's no working example for ajax spidering for authorization in CLI for zap-cli or zap in general. I can do it in GUI - but that's not useful because apparently they're practically separate applications.
Hi @tony, it seems like this tool is no longer being maintained.
My workaround is to run spider before ajax spider, since I guess the session after spidering is persisted.
I'm also guessing that we could also run ajax spider by using quick-scan with the custom script scanner only (if I'm not wrong the scanner id is 50000) after disabling all the custom active-scan scripts (thus no active-scan script will run).
Thank you for the response @rucciva!
> My workaround is to run spider before ajax spider, since I guess the session after spidering is persisted.
Can you give me an example of what it looks like in CLI commands?
> I'm also guessing that we could also run ajax spider by using quick-scan with the custom script scanner only (if I'm not wrong the scanner id is 50000) after disabling all the custom active-scan scripts (thus no active-scan script will run).
An example of this, if such a thing existed, would be incredibly valuable!
Sure, something like this (assuming you have started the zap daemon before):
zap-cli spider -c "$CONTEXT_NAME" -u "$CONTEXT_USER" "$URL" && zap-cli ajax-spider "$URL"
or with quick-scan:
zap-cli quick-scan --ajax-spider -c "$CONTEXT_NAME" -u "$CONTEXT_USER" --scanners "50000" "$URL"
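The same workaround wrapped in a script, as an added example that is not part of the issue thread: it waits for the daemon, runs the context-aware classic spider and then the AJAX spider (or the quick-scan variant), and writes a report. The `ZAP_CLI` override, the function names and the report path are my own; the ZAP daemon, the context and its user are assumed to be set up already.

```shell
#!/bin/sh
# Added example, not code from the issue. Assumes: the ZAP daemon is already
# running (zap-cli start), a context with a user is configured in ZAP, and
# zap-cli is on PATH. ZAP_CLI can be pointed at a stub for a dry run.
set -eu

ZAP_CLI="${ZAP_CLI:-zap-cli}"

# Block until the daemon answers, so scan commands are not sent too early.
zap_wait_ready() {
    timeout="${1:-120}"
    "$ZAP_CLI" status -t "$timeout"
}

# Workaround from the thread: classic spider with context/user first (this
# logs in and persists the session), then the AJAX spider on the same URL.
# Arguments: context name, user name, target URL.
zap_authenticated_crawl() {
    context="$1"; user="$2"; url="$3"
    "$ZAP_CLI" spider -c "$context" -u "$user" "$url"
    "$ZAP_CLI" ajax-spider "$url"
}

# Alternative from the thread: quick-scan with the AJAX spider enabled and only
# the script scanner (id 50000 as stated in the thread) selected, so no other
# active-scan rules run; this matters when the crawl is all that is wanted.
zap_authenticated_quick_scan() {
    context="$1"; user="$2"; url="$3"
    "$ZAP_CLI" quick-scan --ajax-spider -c "$context" -u "$user" --scanners 50000 "$url"
}

# Write an HTML report of the session to the given path.
zap_write_report() {
    "$ZAP_CLI" report -o "$1" -f html
}

# Run as: ./zap-crawl.sh "$CONTEXT_NAME" "$CONTEXT_USER" "$URL"
if [ "$#" -eq 3 ]; then
    zap_wait_ready 120
    zap_authenticated_crawl "$1" "$2" "$3"
    zap_write_report zap-report.html
fi
```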
Thank you! I will give this a try in the AM tomorrow (Texas time).
Hi, how do you run
zap-cli ajax-spider
with a context and a user? Similar to zap-cli spider -c context -u user