Even though I don't have access to the production, I am able to "reproduce" the situation.
The issue is that unless we add the target url to a context, it will stuck at starting but never actually scanning.
Here is a test scrip to demonstrate the fix.
from zapv2 import ZAPv2 as zap
z = zap(proxies={'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'})
target = 'https://quality-dev.allizom.org'
try:
z.urlopen(target)
except IOError:
import time
time.sleep(3)
z.spider.scan(target)
import time
while True:
if int(z.spider.status) < 100:
print z.spider.status
time.sleep(5)
else:
break
z.context.new_context()
z.context.include_in_context('1', target)
#z.ascan.scan('https://quality-dev.allizom.org')
z.context.set_context_in_scope('1', True)
z.ascan.scan(target, recurse=True, inscopeonly=True)
print z.ascan.status
import time
while True:
if int(z.ascan.status) < 100:
print z.ascan.status
time.sleep(5)
else:
break
I will make a patch later (food time...)
Thanks Stephen!
result
147804 [pool-1-thread-1] INFO org.zaproxy.zap.spider.Spider - Spidering process is complete. Shutting down...
147805 [Thread-9] INFO org.zaproxy.zap.extension.spider.SpiderThread - Spider scanning complete: true
152725 [ZAP-ProxyThread] INFO org.parosproxy.paros.core.scanner.Scanner - scanner started
152931 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://quality-dev.allizom.org | TestPathTraversal strength MEDIUM threshold MEDIUM
163921 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://quality-dev.allizom.org | TestPathTraversal in 10.99s
163922 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://quality-dev.allizom.org | TestRemoteFileInclude strength MEDIUM threshold MEDIUM
172342 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://quality-dev.allizom.org | TestRemoteFileInclude in 8.42s
172342 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://quality-dev.allizom.org | TestRedirect strength MEDIUM threshold MEDIUM
172846 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://quality-dev.allizom.org | TestRedirect in 0.504s
172847 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://quality-dev.allizom.org | Csrftokenscan strength MEDIUM threshold MEDIUM
172881 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://quality-dev.allizom.org | Csrftokenscan in 0.034s
172881 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://quality-dev.allizom.org | TestServerSideInclude strength MEDIUM threshold MEDIUM
176193 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://quality-dev.allizom.org | TestServerSideInclude in 3.312s
176193 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://quality-dev.allizom.org | TestCrossSiteScriptV2 strength MEDIUM threshold MEDIUM
178382 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://quality-dev.allizom.org | TestCrossSiteScriptV2 in 2.189s
178383 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://quality-dev.allizom.org | SessionFixation strength MEDIUM threshold MEDIUM
178412 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://quality-dev.allizom.org | SessionFixation in 0.029s
178412 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://quality-dev.allizom.org | LDAPInjection strength MEDIUM threshold MEDIUM
180338 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://quality-dev.allizom.org | LDAPInjection in 1.926s
180338 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://quality-dev.allizom.org | TestSQLInjection strength MEDIUM threshold MEDIUM
203201 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://quality-dev.allizom.org | TestSQLInjection in 22.862s
203201 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://quality-dev.allizom.org | SQLInjectionMySQL strength MEDIUM threshold MEDIUM
205005 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://quality-dev.allizom.org | SQLInjectionMySQL in 1.804s
205005 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://quality-dev.allizom.org | SQLInjectionHypersonic strength MEDIUM threshold MEDIUM
207189 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://quality-dev.allizom.org | SQLInjectionHypersonic in 2.184s
207190 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://quality-dev.allizom.org | SQLInjectionOracle strength MEDIUM threshold MEDIUM
212957 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://quality-dev.allizom.org | SQLInjectionOracle in 5.767s
212958 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://quality-dev.allizom.org | SQLInjectionPostgresql strength MEDIUM threshold MEDIUM
215202 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://quality-dev.allizom.org | SQLInjectionPostgresql in 2.244s
215202 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://quality-dev.allizom.org | TestDirectoryBrowsing strength MEDIUM threshold MEDIUM
215495 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://quality-dev.allizom.org | TestDirectoryBrowsing in 0.293s
215495 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://quality-dev.allizom.org | TestInfoSessionIdURL strength MEDIUM threshold MEDIUM
215514 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://quality-dev.allizom.org | TestInfoSessionIdURL in 0.019s
215514 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://quality-dev.allizom.org | TestClientBrowserCache strength MEDIUM threshold MEDIUM
215533 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://quality-dev.allizom.org | TestClientBrowserCache in 0.019s
215533 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://quality-dev.allizom.org | TestExternalRedirect strength MEDIUM threshold MEDIUM
216356 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://quality-dev.allizom.org | TestExternalRedirect in 0.823s
216356 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://quality-dev.allizom.org | TestInjectionCRLF strength MEDIUM threshold MEDIUM
219809 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://quality-dev.allizom.org | TestInjectionCRLF in 3.453s
219809 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://quality-dev.allizom.org | TestParameterTamper strength MEDIUM threshold MEDIUM
225769 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://quality-dev.allizom.org | TestParameterTamper in 5.96s
225769 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://quality-dev.allizom.org | HPP strength MEDIUM threshold MEDIUM
225788 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://quality-dev.allizom.org | HPP in 0.019s
225788 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://quality-dev.allizom.org | UsernameEnumeration strength MEDIUM threshold MEDIUM
225789 [Thread-32] WARN org.zaproxy.zap.extension.ascanrulesBeta.UsernameEnumeration - For the Username Enumeration scanner to actually scan this URL, the URL *must* be added to a context, and flagged as the login request in that context!
225813 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://quality-dev.allizom.org | UsernameEnumeration in 0.025s
225813 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://quality-dev.allizom.org | ScriptsActiveScanner strength MEDIUM threshold MEDIUM
225834 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://quality-dev.allizom.org | ScriptsActiveScanner in 0.021s
225835 [Thread-11] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host https://quality-dev.allizom.org in 73.109s
225846 [Thread-10] INFO org.parosproxy.paros.core.scanner.Scanner - scanner completed in 73.121s
Stephen from QA team reported scan on https://quality-dev.allizom.org/ has been on-going for days.
Even though I don't have access to the production, I am able to "reproduce" the situation.
The issue is that unless we add the target url to a context, it will stuck at starting but never actually scanning.
Here is a test scrip to demonstrate the fix.
I will make a patch later (food time...)
Thanks Stephen!
result