search

mozilla / minion-zap-plugin

Minion ZAP Plugin
14 stars 8 forks source link

active scan needs to be added to a context #22

Closed yeukhon closed 11 years ago

yeukhon commented 11 years ago

Stephen from QA team reported scan on https://quality-dev.allizom.org/ has been on-going for days.

Even though I don't have access to the production, I am able to "reproduce" the situation.

The issue is that unless we add the target url to a context, it will stuck at starting but never actually scanning.

Here is a test scrip to demonstrate the fix.


from zapv2 import ZAPv2 as zap

z = zap(proxies={'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'})

target = 'https://quality-dev.allizom.org'
try:
    z.urlopen(target)
except IOError:
    import time
    time.sleep(3)
z.spider.scan(target)
import time
while True:
    if int(z.spider.status) < 100:
        print z.spider.status
        time.sleep(5)
    else:
        break

z.context.new_context()
z.context.include_in_context('1', target)
#z.ascan.scan('https://quality-dev.allizom.org')
z.context.set_context_in_scope('1', True)
z.ascan.scan(target, recurse=True, inscopeonly=True)
print z.ascan.status
import time
while True:
    if int(z.ascan.status) < 100:
        print z.ascan.status
        time.sleep(5)
    else:
        break

I will make a patch later (food time...)

Thanks Stephen!

result


147804 [pool-1-thread-1] INFO org.zaproxy.zap.spider.Spider  - Spidering process is complete. Shutting down...
147805 [Thread-9] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Spider scanning complete: true
152725 [ZAP-ProxyThread] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner started
152931 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://quality-dev.allizom.org | TestPathTraversal strength MEDIUM threshold MEDIUM
163921 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin https://quality-dev.allizom.org | TestPathTraversal in 10.99s
163922 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://quality-dev.allizom.org | TestRemoteFileInclude strength MEDIUM threshold MEDIUM
172342 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin https://quality-dev.allizom.org | TestRemoteFileInclude in 8.42s
172342 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://quality-dev.allizom.org | TestRedirect strength MEDIUM threshold MEDIUM
172846 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin https://quality-dev.allizom.org | TestRedirect in 0.504s
172847 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://quality-dev.allizom.org | Csrftokenscan strength MEDIUM threshold MEDIUM
172881 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin https://quality-dev.allizom.org | Csrftokenscan in 0.034s
172881 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://quality-dev.allizom.org | TestServerSideInclude strength MEDIUM threshold MEDIUM
176193 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin https://quality-dev.allizom.org | TestServerSideInclude in 3.312s
176193 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://quality-dev.allizom.org | TestCrossSiteScriptV2 strength MEDIUM threshold MEDIUM
178382 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin https://quality-dev.allizom.org | TestCrossSiteScriptV2 in 2.189s
178383 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://quality-dev.allizom.org | SessionFixation strength MEDIUM threshold MEDIUM
178412 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin https://quality-dev.allizom.org | SessionFixation in 0.029s
178412 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://quality-dev.allizom.org | LDAPInjection strength MEDIUM threshold MEDIUM
180338 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin https://quality-dev.allizom.org | LDAPInjection in 1.926s
180338 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://quality-dev.allizom.org | TestSQLInjection strength MEDIUM threshold MEDIUM
203201 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin https://quality-dev.allizom.org | TestSQLInjection in 22.862s
203201 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://quality-dev.allizom.org | SQLInjectionMySQL strength MEDIUM threshold MEDIUM
205005 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin https://quality-dev.allizom.org | SQLInjectionMySQL in 1.804s
205005 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://quality-dev.allizom.org | SQLInjectionHypersonic strength MEDIUM threshold MEDIUM
207189 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin https://quality-dev.allizom.org | SQLInjectionHypersonic in 2.184s
207190 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://quality-dev.allizom.org | SQLInjectionOracle strength MEDIUM threshold MEDIUM
212957 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin https://quality-dev.allizom.org | SQLInjectionOracle in 5.767s
212958 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://quality-dev.allizom.org | SQLInjectionPostgresql strength MEDIUM threshold MEDIUM
215202 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin https://quality-dev.allizom.org | SQLInjectionPostgresql in 2.244s
215202 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://quality-dev.allizom.org | TestDirectoryBrowsing strength MEDIUM threshold MEDIUM
215495 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin https://quality-dev.allizom.org | TestDirectoryBrowsing in 0.293s
215495 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://quality-dev.allizom.org | TestInfoSessionIdURL strength MEDIUM threshold MEDIUM
215514 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin https://quality-dev.allizom.org | TestInfoSessionIdURL in 0.019s
215514 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://quality-dev.allizom.org | TestClientBrowserCache strength MEDIUM threshold MEDIUM
215533 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin https://quality-dev.allizom.org | TestClientBrowserCache in 0.019s
215533 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://quality-dev.allizom.org | TestExternalRedirect strength MEDIUM threshold MEDIUM
216356 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin https://quality-dev.allizom.org | TestExternalRedirect in 0.823s
216356 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://quality-dev.allizom.org | TestInjectionCRLF strength MEDIUM threshold MEDIUM
219809 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin https://quality-dev.allizom.org | TestInjectionCRLF in 3.453s
219809 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://quality-dev.allizom.org | TestParameterTamper strength MEDIUM threshold MEDIUM
225769 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin https://quality-dev.allizom.org | TestParameterTamper in 5.96s
225769 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://quality-dev.allizom.org | HPP strength MEDIUM threshold MEDIUM
225788 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin https://quality-dev.allizom.org | HPP in 0.019s
225788 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://quality-dev.allizom.org | UsernameEnumeration strength MEDIUM threshold MEDIUM
225789 [Thread-32] WARN org.zaproxy.zap.extension.ascanrulesBeta.UsernameEnumeration  - For the Username Enumeration scanner to actually scan this URL, the URL *must* be added to a context, and flagged as the login request in that context!
225813 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin https://quality-dev.allizom.org | UsernameEnumeration in 0.025s
225813 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://quality-dev.allizom.org | ScriptsActiveScanner strength MEDIUM threshold MEDIUM
225834 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin https://quality-dev.allizom.org | ScriptsActiveScanner in 0.021s
225835 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host https://quality-dev.allizom.org in 73.109s
225846 [Thread-10] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner completed in 73.121s