microsoft / CSEDevOps

Azure DevOps extensions from CSE DevOps team
MIT License

Port number appended incorrectly #10

Open CrazyKidJack opened 4 years ago

CrazyKidJack commented 4 years ago

Hello, I am trying to test the ZAP Scanner Task in azure pipelines on WebGoat_Legacy6.0.

The Problem: the azure pipeline extension seems to append the port number to the end of the url, even when a path is provided to that url (example: http://localhost/WebGoat:8080)

To do this, I would like to have zap scan http://localhost:8080/WebGoat and any other paths associated with WebGoat. I have tried the following:
1) using an UNtargeted scan
2) using a targeted scan with http://localhost for url and 8080 for port
3) using a targeted scan with http://localhost/WebGoat for url and 8080 for port
4) using a targeted scan with http://localhost:8080 for url and blank port
5) using a targeted scan with http://localhost:8080/WebGoat for url and blank port

6) I also tried to use a context file and I did see the other issue post about how to (theoretically) make it work by changing the parameter name in the yaml... however, I couldn't tell by looking at the logs whether or not the context file was actually being used. Additionally, even if it was being used, I'm not sure I set it up properly.

None of these work. 4 and 5 give errors that the port number is required. 3 gives an error that http://localhost/WebGoat:8080 cannot be reached (probably because the port number is at the end). 2 gives an error that http://localhost:8080 cannot be reached (because there isn't anything to find there). 1 just doesn't find WebGoat at all but doesn't produce connection errors (because I think it is successfully connecting to a web server I have running on port 80 that has nothing to do with WebGoat).

Here is an example of cannot connect errors I'm seeing: 2020-08-17T14:41:01.1314347Z ERROR ZAP failed to access: http://localhost/WebGoat:8080 (one of the last lines of the logs below)

The full log of the run that line is from is attached here.
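As an added illustration (not the extension's own code; the issue page does not show its implementation language, so JavaScript is assumed here), these are the two ways of combining a target URL with a separate port value: the string concatenation that reproduces the reported http://localhost/WebGoat:8080, beside a version that parses the URL and sets the port on its authority component so the path survives.

```javascript
// Constructed example, not code from the CSEDevOps ZAP task.

// Naive version: append ":port" to whatever URL string was given. When the
// URL already carries a path, this yields "http://localhost/WebGoat:8080",
// which is the malformed target the issue reports.
function naiveTarget(baseUrl, port) {
  return port ? `${baseUrl}:${port}` : baseUrl;
}

// Correct version: parse the URL (WHATWG URL, built into Node) and assign the
// port to the authority, leaving the path untouched. A blank port means
// "use whatever the URL already has" instead of being an error.
function buildTarget(baseUrl, port) {
  const url = new URL(baseUrl); // throws TypeError on a malformed URL
  const given = port === undefined || port === null ? '' : String(port).trim();
  if (given !== '') {
    const p = Number(given);
    if (!Number.isInteger(p) || p < 1 || p > 65535) {
      throw new Error(`invalid port: ${given}`);
    }
    // Refuse silently conflicting inputs such as URL :8080 plus port field 9090.
    if (url.port !== '' && url.port !== String(p)) {
      throw new Error(`port ${p} conflicts with port ${url.port} already in ${baseUrl}`);
    }
    url.port = String(p); // the scheme's default port (80 for http) normalizes to ''
  }
  return url.href;
}

// The combinations from the issue, side by side.
const cases = [
  ['http://localhost/WebGoat', '8080'],
  ['http://localhost:8080/WebGoat', ''],
  ['http://localhost', '8080'],
];
for (const [base, port] of cases) {
  console.log(`${base} + "${port}" -> naive: ${naiveTarget(base, port)} | parsed: ${buildTarget(base, port)}`);
}
```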