试图在网站上自动进行zap代理扫描。下面是我的流量
- 启动Zap代理
- 创建新会话(
/JSON/core/action/newSession/?apikey=12345&name=NewSession&overwrite=true( - 创建新上下文(
/JSON/context/action/newContext/?apikey=12345&contextName=NewContext( - 将包含和排除正则表达式URL模式添加到上下文(
/JSON/context/action/setContextRegexs/?apikey=12345&contextName=NewContext&incRegexs=[https://myowsapjuiceshop.herokuapp.com/*]&excRegexs=[^(?:(?!http.*://myowsapjuiceshop.herokuapp.com).*).$]( - 将技术添加到上下文(
/JSON/context/action/includeContextTechnologies/?apikey=12345&contextName=NewContext&technologyNames=Db.MySQL%2CLanguage.Java%2COS.Linux%2CWS.Tomcat( - 使用代理集运行UI测试
- 运行活动扫描(
/JSON/ascan/action/scan/?apikey=12345&url=&recurse=&inScopeOnly=&scanPolicyName=&method=&postData=&contextId=2(//2是正确的contextID - 等待活动扫描完成(
/JSON/ascan/view/status/?apikey=12345&scanId=5(//5是我应该从步骤7中获得的扫描ID(运行活动扫描响应( - 获取警报json(
/JSON/alert/view/alerts/?apikey=12345&baseurl=&start=&count=&riskId=(
在第7步之前一切都很好,Im在第七步卡住了。根据文档"根据给定的URL和/或上下文运行活动扫描程序……"。我知道我可以根据上下文运行活动扫描仪,当提到ContextId时,URL是可选的。
但是,当我点击api以使用正确的apikey和contextId/JSON/ascan/action/scan/?apikey=12345&url=&recurse=&inScopeOnly=&scanPolicyName=&method=&postData=&contextId=2运行活动扫描时
响应为{"code":"missing_parameter","message":"Missing Parameter"}
我得到以下错误在zap日志
1581054 [ZAP-ProxyThread-65] WARN org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/JSON/ascan/action/scan/] from [127.0.0.1]:
Missing Parameter (missing_parameter) : url
at org.zaproxy.zap.extension.ascan.ActiveScanAPI.scanURL(ActiveScanAPI.java:874)
at org.zaproxy.zap.extension.ascan.ActiveScanAPI.handleApiAction(ActiveScanAPI.java:369)
at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:506)
at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:499)
at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:335)
at java.lang.Thread.run(Thread.java:748)
我想在所有记录的URL上运行活动ascan,这些URL与我在上下文中设置的include和exclude regex相匹配。如有任何帮助,我们将不胜感激。
您在上下文中定义了任何URL吗?如果是,"站点"树中有这些URL吗?