iriusrisk / bdd-security

BDD Automated Security Tests for Web Applications
http://www.continuumsecurity.net/bdd-intro.html
GNU Affero General Public License v3.0
561 stars 178 forks

OWASP ZAP Scanning out of scope hosts #87

Closed mayur9991 closed 6 years ago

mayur9991 commented 6 years ago

Hello,

I am trying to learn BDD Security and want to run it against webgoat application.

While doing so, I noticed that it is scanning out of scope hosts as well.

308476 [Thread-7140] INFO org.parosproxy.paros.core.scanner.HostProcess  - Scanning 1 node(s) from https://github.com
308476 [Thread-7140] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host https://github.com in 0s
308476 [Thread-7139] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner completed in 0.002s
308977 [ZAP-AttackMode] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner started
308978 [Thread-7142] INFO org.parosproxy.paros.core.scanner.HostProcess  - Scanning 1 node(s) from http://creativecommons.org
308979 [Thread-7142] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host http://creativecommons.org in 0.001s
308979 [Thread-7141] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner completed in 0.002s
308979 [ZAP-AttackMode] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner started
308980 [Thread-7144] INFO org.parosproxy.paros.core.scanner.HostProcess  - Scanning 1 node(s) from https://github.com
308980 [Thread-7144] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host https://github.com in 0s
308980 [Thread-7143] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner completed in 0.001s
308981 [ZAP-AttackMode] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner started
308982 [Thread-7146] INFO org.parosproxy.paros.core.scanner.HostProcess  - Scanning 1 node(s) from http://www.w3.org
308982 [Thread-7146] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host http://www.w3.org in 0s
308982 [Thread-7145] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner completed in 0.001s
308982 [ZAP-AttackMode] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner started
308984 [Thread-7148] INFO org.parosproxy.paros.core.scanner.HostProcess  - Scanning 1 node(s) from http://www.w3.org
308984 [Thread-7148] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host http://www.w3.org in 0s
308984 [Thread-7147] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner completed in 0.002s
308984 [ZAP-AttackMode] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner started
308985 [Thread-7150] INFO org.parosproxy.paros.core.scanner.HostProcess  - Scanning 1 node(s) from https://v4-alpha.getbootstrap.com
308985 [Thread-7150] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host https://v4-alpha.getbootstrap.com in 0s
308985 [Thread-7149] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner completed in 0.001s
308986 [ZAP-AttackMode] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner started
308987 [Thread-7152] INFO org.parosproxy.paros.core.scanner.HostProcess  - Scanning 1 node(s) from https://v4-alpha.getbootstrap.com
308988 [Thread-7152] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host https://v4-alpha.getbootstrap.com in 0.001s
308988 [Thread-7151] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner completed in 0.002s

Is this expected behaviour or a bug?

stephendv1 commented 6 years ago

Check the code behind the step "And the application is spidered" in the app_scan.feature, and make sure that it is spidering the right content.
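As an added example of the check suggested in the reply above (this is not code from the issue or from the bdd-security project), the script below parses the ZAP `HostProcess` log lines quoted in the issue and reports every host the active scanner touched that is outside the declared scope. The WebGoat target `http://localhost:8080/WebGoat` is an assumption, the single in-scope log line is constructed, and `filter_spidered` / `context_include_regexes` are hypothetical helpers showing how the spidered URL list could be trimmed before it is handed to the scanner.

```python
import re
from urllib.parse import urlsplit

# Assumed target under test: a local WebGoat instance. Anything whose
# scheme/host/port origin differs from this is out of scope.
IN_SCOPE = ["http://localhost:8080/WebGoat"]

# Lines copied from the issue, plus one constructed in-scope line
# ("Scanning 12 node(s) from http://localhost:8080") for contrast.
SAMPLE_LOG = """\
308476 [Thread-7140] INFO org.parosproxy.paros.core.scanner.HostProcess  - Scanning 1 node(s) from https://github.com
308476 [Thread-7140] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host https://github.com in 0s
308978 [Thread-7142] INFO org.parosproxy.paros.core.scanner.HostProcess  - Scanning 1 node(s) from http://creativecommons.org
308982 [Thread-7146] INFO org.parosproxy.paros.core.scanner.HostProcess  - Scanning 1 node(s) from http://www.w3.org
308984 [Thread-7148] INFO org.parosproxy.paros.core.scanner.HostProcess  - Scanning 1 node(s) from http://www.w3.org
308985 [Thread-7150] INFO org.parosproxy.paros.core.scanner.HostProcess  - Scanning 1 node(s) from https://v4-alpha.getbootstrap.com
309001 [Thread-7153] INFO org.parosproxy.paros.core.scanner.HostProcess  - Scanning 12 node(s) from http://localhost:8080
"""

# The ZAP line that names the host about to be attacked.
HOST_LINE = re.compile(r"Scanning (\d+) node\(s\) from (\S+)")

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Normalise a URL to (scheme, host, port), filling in the default port
    so that http://localhost and http://localhost:80 compare equal while
    http://localhost:8080 does not."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def is_in_scope(url, scope_urls=IN_SCOPE):
    """True if the URL's origin matches one of the scope URLs' origins."""
    allowed = {origin(s) for s in scope_urls}
    return origin(url) in allowed


def out_of_scope_hosts(log_text, scope_urls=IN_SCOPE):
    """Return the distinct hosts the active scanner started on that are not
    in scope, in first-seen order. An empty list means the scan stayed in
    scope."""
    found = []
    for line in log_text.splitlines():
        match = HOST_LINE.search(line)
        if not match:
            continue
        host = match.group(2)
        if not is_in_scope(host, scope_urls) and host not in found:
            found.append(host)
    return found


def filter_spidered(urls, scope_urls=IN_SCOPE):
    """Hypothetical pre-scan filter: keep only spidered URLs whose origin is
    in scope, so third-party links the spider followed never reach the
    active scanner."""
    return [u for u in urls if is_in_scope(u, scope_urls)]


def context_include_regexes(scope_urls=IN_SCOPE):
    """Build the kind of 'include in context' regex ZAP expects, one per
    scope URL, anchored at the URL prefix."""
    return [re.escape(u) + ".*" for u in scope_urls]


if __name__ == "__main__":
    for host in out_of_scope_hosts(SAMPLE_LOG):
        print("out of scope:", host)
```

Run it against the full log from a bdd-security scan and any host it prints is one the spider pulled in that should not have been attacked; that is the list to compare against what the "And the application is spidered" step actually collected.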