failIfFoundUrlsLessThan setting in ZAP Advanced seems to have no effect #1551

@patrykzzz

Description

🐞 Bug report

Describe the bug

Hello,
I have a use case where I want to fail the ZAP Advanced scan if the login for the ZAP AJAX spider failed.
The only idea that came to my mind is to set failIfFoundUrlsLessThan on the spider accordingly, but when I tried a PoC with the Juiceshop example from here, setting failIfFoundUrlsLessThan to, for example, 2000 doesn't seem to have any impact.
In general the spider claims it found 55 URLs.

Steps To Reproduce

  1. Prepare an SCB setup with Juiceshop and ZAP Advanced scan installed
  2. Run kubectl apply on the included config.

Expected behavior

The scan should fail according to the setting.

System (please complete the following information):

Screenshots / Logs

```yaml
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: zap-advanced-scan-config
data:
  2-zap-advanced-scan.yaml: |-

    # ZAP Contexts Configuration
    contexts:
      # Name to be used to refer to this context in other jobs, mandatory
      - name: scb-juiceshop-context
        # The top level url, mandatory, everything under this will be included
        url: http://juice-shop.default.svc:3000/
        # An optional list of regexes to include
        includePaths:
          - "http://juice-shop.default.svc:3000.*"
        # An optional list of regexes to exclude
        excludePaths:
          - ".*socket\\.io.*"
          - ".*\\.png"
          - ".*\\.jpeg"
          - ".*\\.jpg"
          - ".*\\.woff"
          - ".*\\.woff2"
          - ".*\\.ttf"
          - ".*\\.ico"
        # Auth Credentials for the scanner to access the application
        # Can be either basicAuth or an oidc token.
        # If both are set, the oidc token takes precedence
        authentication:
          # Currently supports "basic-auth", "form-based", "json-based", "script-based"
          type: "json-based"
          # json-based requires no further configuration
          # zapConfiguration.contexts[0].authentication.json-based -- Configure `type: json-based` authentication (more: https://www.zaproxy.org/docs/api/#json-based-authentication).
          json-based:
            loginUrl: "http://juice-shop.default.svc:3000/rest/user/login"
            # must be escaped already to prevent yaml parser collisions, e.g. '{"user":{"id":1,"email":"test@test.com"}}'
            loginRequestData: '{"email":"admin@juice-sh.op","password":"admin123"}'
          # Indicates if the current Zap User Session is based on a valid authentication (loggedIn) or not (loggedOut)
          verification:
            # isLoggedInIndicator: "\Q<a href="password.jsp">\E"
            isLoggedOutIndicator: '\Q{"user":{}}\E'
        users:
          - name: juiceshop-user-1
            username: admin@juice-sh.op
            password: admin123
            forced: true
        session:
          # Currently supports "scriptBasedSessionManagement", "cookieBasedSessionManagement", "httpAuthSessionManagement"
          type: "scriptBasedSessionManagement"
          # scriptBasedSessionManagement configuration details
          scriptBasedSessionManagement:
            name: "juiceshop-session-management.js"
            # -- Enables the script if true, otherwise false
            enabled: true
            # Script engine values: 'Graal.js', 'Oracle Nashorn' for Javascript and 'Mozilla Zest' for Zest Scripts
            engine: "Oracle Nashorn"
            # Must be a full path to the script file inside the ZAP container (corresponding to the configMap FileMount)
            filePath: "/home/zap/.ZAP_D/scripts/scripts/session/juiceshop-session-management.js"
            # A short description for the script.
            description: "This is a JuiceShop specific SessionManagement Script used to handle JWT."

    # ZAP Spiders Configuration
    spiders:
      - name: scb-juiceshop-spider
        # String: Name of the context to spider, default: first context
        context: scb-juiceshop-context
        # String: Name of the user to authenticate with and used to spider
        user: juiceshop-user-1
        # String: Url to start spidering from, default: first context URL
        url: http://juice-shop.default.svc:3000/
        # zapConfiguration.spiders[0].ajax -- Bool: Whether to use the ZAP ajax spider, default: false
        ajax: true
        # Int: Fail if spider finds less than the specified number of URLs, default: 0
        failIfFoundUrlsLessThan: 2000
        # Int: Warn if spider finds less than the specified number of URLs, default: 0
        warnIfFoundUrlsLessThan: 0
        # Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited
        maxDuration: 5
        # Int: The maximum tree depth to explore, default 5
        maxDepth: 10

    # ZAP ActiveScans Configuration
    scanners:
      - name: scb-juiceshop-scan
        # String: Name of the context to attack, default: first context
        context: scb-juiceshop-context
        # String: Name of the user to authenticate with and used to scan
        user: juiceshop-user-1
        # String: Url to start scanning from, default: first context URL
        url: http://juice-shop.default.svc:3000/
        # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
        maxRuleDurationInMins: 1
        # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
        maxScanDurationInMins: 10
        # Int: The max number of threads per host, default: 2
        threadPerHost: 5
        # Int: The delay in milliseconds between each request, use to reduce the strain on the target, default 0
        delayInMs: 0
        # Bool: If set will add an extra query parameter to requests that do not have one, default: false
        addQueryParam: false
        # Bool: If set then automatically handle anti CSRF tokens, default: false
        handleAntiCSRFTokens: false
        # Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false
        injectPluginIdInHeader: false
        # Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false
        scanHeadersAllRequests: false

---
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "zap-authenticated-full-scan-juiceshop"
  labels:
    organization: "OWASP"
spec:
  scanType: "zap-advanced-scan"
  parameters:
    # target URL including the protocol
    - "-t"
    - "http://juice-shop.default.svc:3000/"
  volumeMounts:
    - name: zap-advanced-scan-config
      mountPath: /home/securecodebox/configs/2-zap-advanced-scan.yaml
      subPath: 2-zap-advanced-scan.yaml
      readOnly: true
  volumes:
    - name: zap-advanced-scan-config
      configMap:
        name: zap-advanced-scan-config
```

Additional context
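The gate the reporter expects from `failIfFoundUrlsLessThan`, written out as an added stand-alone example (not secureCodeBox or ZAP code): it applies the fail/warn thresholds from the spider config above to a spider's URL count and, since the real goal is catching a failed login, also evaluates the context's `isLoggedOutIndicator` against a login response. ZAP indicators use Java's `\Q...\E` literal quoting, which Python's `re` lacks, so the example translates it; the response bodies and URL counts are constructed sample inputs.

```python
import re

# Constructed: only the spider fields the gate needs, copied from the issue's config.
SPIDER_CONFIG = {"failIfFoundUrlsLessThan": 2000, "warnIfFoundUrlsLessThan": 0}
# The context's logged-out indicator, in ZAP's Java-regex literal quoting.
LOGGED_OUT_INDICATOR = r'\Q{"user":{}}\E'


def java_literal_to_python(pattern: str) -> str:
    """Translate Java's \\Q...\\E quoting into an equivalent Python regex.

    Each quoted run is replaced by re.escape() of its content; text outside
    the quoted runs is passed through unchanged. An unterminated \\Q runs to
    the end of the pattern, as in Java.
    """
    return re.sub(r"\\Q(.*?)(?:\\E|$)", lambda m: re.escape(m.group(1)),
                  pattern, flags=re.DOTALL)


def login_succeeded(login_response_body: str, logged_out_indicator: str) -> bool:
    """ZAP semantics: the session counts as logged in when the logged-out
    indicator does NOT match the response."""
    return re.search(java_literal_to_python(logged_out_indicator),
                     login_response_body) is None


def spider_verdict(found_urls: int, config: dict) -> str:
    """Apply failIfFoundUrlsLessThan / warnIfFoundUrlsLessThan.

    The documented default of 0 disables the respective check.
    """
    fail_below = config.get("failIfFoundUrlsLessThan", 0)
    warn_below = config.get("warnIfFoundUrlsLessThan", 0)
    if fail_below and found_urls < fail_below:
        return "fail"
    if warn_below and found_urls < warn_below:
        return "warn"
    return "ok"


def gate(found_urls: int, login_response_body: str, config: dict,
         logged_out_indicator: str) -> str:
    """Combined verdict: a failed login fails the scan regardless of URL count,
    otherwise the spider thresholds decide."""
    if not login_succeeded(login_response_body, logged_out_indicator):
        return "fail"
    return spider_verdict(found_urls, config)


if __name__ == "__main__":
    # Constructed login responses: Juice Shop style logged-out vs. logged-in body.
    print(gate(55, '{"user":{}}', SPIDER_CONFIG, LOGGED_OUT_INDICATOR))      # fail
    print(gate(55, '{"authentication":{"token":"PLACEHOLDER"}}',
               SPIDER_CONFIG, LOGGED_OUT_INDICATOR))                          # fail (55 < 2000)
```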
