Closed JuraLys closed 3 weeks ago
Visiting https://vseosvita.ua/ I get a quick popup that said something like "verifying that you are human". This led me to suspect that there are anti-automation measures being employed by this site. A quick test with the AJAX spider confirmed this. As such this is not a bug in ZAP - ZAP is intended to be used by people who have permission to attack a target. If you do have permission to use automated tools then you need to ask your clients to provide an instance without such measures in place.
But other similar tools are able to scan this site; see the Acunetix report, for example: 20240531_Comprehensive_new__https_vseosvitaua.zip
It's still not a bug in ZAP - we do not claim any sort of support for that sort of feature. Feel free to raise an enhancement request. Even better if it explains / links to potential solutions.
But ZAP should not display an error about the AJAX spider if it is not used for the scan.
The bug description is "Failed to attack URL error appeared during autoscan specific site vseosvita.ua"
😁
I agree ZAP should not display an error about the AJAX spider - that looks like a (relatively minor) bug.
Describe the bug
Failed to attack URL error appeared during autoscan specific site vseosvita.ua
Steps to reproduce the behavior
Run ZAP and start an autoscan of the specific site vseosvita.ua using only the traditional spider
Expected behavior
Autoscan should complete without errors
Software versions
ZAP Version: 2.15.0
Installed Add-ons: [[id=alertFilters, version=21.0.0], [id=ascanrules, version=66.0.0], [id=ascanrulesBeta, version=53.0.0], [id=authhelper, version=0.13.0], [id=automation, version=0.40.1], [id=bruteforce, version=16.0.0], [id=callhome, version=0.12.0], [id=commonlib, version=1.26.0], [id=coreLang, version=15.0.0], [id=custompayloads, version=0.13.0], [id=database, version=0.4.0], [id=diff, version=15.0.0], [id=directorylistv1, version=8.0.0], [id=directorylistv2_3, version=4.0.0], [id=directorylistv2_3_lc, version=4.0.0], [id=domxss, version=19.0.0], [id=encoder, version=1.5.0], [id=exim, version=0.9.0], [id=formhandler, version=6.6.0], [id=fuzz, version=13.13.0], [id=gettingStarted, version=17.0.0], [id=graaljs, version=0.7.0], [id=graphql, version=0.24.0], [id=groovy, version=3.2.0], [id=help, version=18.0.0], [id=hud, version=0.19.0], [id=imagelocationscanner, version=5.0.0], [id=invoke, version=15.0.0], [id=jruby, version=8.0.0], [id=jython, version=15.0.0], [id=network, version=0.16.0], [id=oast, version=0.18.0], [id=onlineMenu, version=13.0.0], [id=openapi, version=41.0.0], [id=plugnhack, version=13.0.0], [id=portscan, version=10.0.0], [id=postman, version=0.4.0], [id=pscanrules, version=58.0.0], [id=pscanrulesBeta, version=37.0.0], [id=quickstart, version=47.0.0], [id=replacer, version=18.0.0], [id=reports, version=0.32.0], [id=requester, version=7.6.0], [id=retest, version=0.9.0], [id=retire, version=0.35.0], [id=reveal, version=8.0.0], [id=scripts, version=45.4.0], [id=selenium, version=15.25.0], [id=soap, version=23.0.0], [id=spider, version=0.11.0], [id=spiderAjax, version=23.19.0], [id=sqliplugin, version=15.0.0], [id=svndigger, version=4.0.0], [id=tips, version=13.0.0], [id=tokengen, version=15.0.0], [id=treetools, version=8.0.0], [id=wappalyzer, version=21.37.0], [id=webdriverwindows, version=89.0.0], [id=websocket, version=31.0.0], [id=zest, version=45.0.0]]
Operating System: Windows 10
Architecture: amd64
CPU Cores: 8
Max Memory: 8 GB
Java Version: Eclipse Adoptium 21.0.1
System's Locale: uk_UA
Display Locale: en_GB
Format Locale: uk_UA
Default Charset: UTF-8
ZAP Home Directory: C:\Users\Admin\ZAP\
ZAP Installation Directory: C:\Program Files\ZAP\Zed Attack Proxy.\
Look and Feel: Metal (javax.swing.plaf.metal.MetalLookAndFeel)
Screenshots
Errors from the zap.log file
ZAP-logs.zip ZAP-failed-attack.txt
Additional context
No response
Would you like to help fix this issue?