Reputation: 101
I am starting with OWASP ZAP. After configuring the proxy and "capturing" the site http://webscantest.com/ in OWASP ZAP, I do a "Spider" attack.
Then, in the site map, I do not find the folder "shutterdb" (which exists). Why?
On the other hand, I try to do fuzzing on the URL http://webscantest.com/login.php: right-click in the request window, on the text "passwd=ZAP",
add the Payloads and click on "Start Fuzzer".
The results show "Code 302, Reason Found" but 0 bytes in response size and nothing in "Status"... What does this mean?
Many thanks in advance for your comments.
Upvotes: 0
Views: 1408
Reputation: 156
The Spider basically identifies all the hyperlinks in the page and adds them to the list of URLs to visit, and the process continues recursively as long as new resources are found. https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider
Meaning that even if the 'shutterdb' resource exists, it will not be found by the spider if there is no hyperlink pointing there.
About the 302 response, it is the HTTP status code for URL redirections. https://en.wikipedia.org/wiki/HTTP_302
The 302 Found redirect status response code indicates that the requested resource has been temporarily moved to the URL given by the Location header (/login.php):
HTTP/1.1 302 Found
Date: Mon, 25 Mar 2019 07:57:41 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.27
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: login_error=Bad+user+name+or+password; expires=Mon, 25-Mar-2019 09:57:41 GMT; Max-Age=7200
Location: /login.php
Content-Length: 0
Connection: close
Content-Type: text/html
Set-Cookie: NB_SRVID=srv140717; path=/
Upvotes: 1
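As an added illustration of the answer above (not part of the original post and not ZAP's own code), a minimal link-following spider in Python run over a constructed, in-memory site map. The names SITE, fetch and spider are assumptions; the crawl follows hrefs, form actions and redirect Location headers, and shows that a directory nothing links to (/shutterdb/ here) is never discovered, while an external link is kept out of scope.

```python
import re
from collections import deque
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the site: path -> (status, headers, body).
# /shutterdb/ exists on the "server" but no page links to it.
SITE = {
    "/": (200, {}, '<a href="/login.php">Login</a> <a href="about.html">About</a>'),
    "/login.php": (200, {}, '<form action="/login.php"><a href="/">Home</a></form>'),
    "/about.html": (200, {}, '<a href="/">Home</a> <a href="/logout.php">Logout</a>'
                             ' <a href="http://example.org/x">external</a>'),
    "/logout.php": (302, {"Location": "/login.php"}, ""),
    "/shutterdb/": (200, {}, '<a href="/shutterdb/list.php">List</a>'),
    "/shutterdb/list.php": (200, {}, ""),
}
HREF = re.compile(r'(?:href|action)\s*=\s*["\']([^"\']+)["\']', re.I)

def fetch(url):
    """Simulated GET against SITE: returns (status, headers, body), 404 if absent."""
    return SITE.get(urlparse(url).path, (404, {}, ""))

def spider(start):
    """Breadth-first crawl from start. Returns {url: status} for every
    in-scope URL reached; only link-reachable resources can ever appear."""
    host = urlparse(start).netloc
    found, queue = {}, deque([start])
    while queue:
        url = queue.popleft()
        if url in found:
            continue
        status, headers, body = fetch(url)
        found[url] = status
        # Hyperlinks and form targets in the body, plus a redirect's Location,
        # are the only way the spider learns about further URLs.
        links = HREF.findall(body)
        if "Location" in headers:
            links.append(headers["Location"])
        for link in links:
            absolute = urljoin(url, link).split("#")[0]
            if urlparse(absolute).netloc == host:   # stay on the scanned host
                queue.append(absolute)
    return found

if __name__ == "__main__":
    for url, status in spider("http://webscantest.com/").items():
        print(status, url)
```

Only the four linked pages are reported; adding an explicit entry for /shutterdb/ (via ZAP's manual request or a forced-browse list) is what surfaces an unlinked directory.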