Reputation: 67
OWASP Zap Docker scan spidering out-of-scope items
When starting a scan with docker run -t owasp/zap2docker-stable zap-baseline.py -t https://10.1.2.3/zapwave the spider will follow back to the root URL https://10.1.2.3 and continue to scan out of scope items. eg /ghost, /mono, /webgoat
Is it possible to limit the scan scope to just the specified directory or below? The web application in this example is OWASP DWVA.
Upvotes: 1
Views: 837
Answers (1)
Reputation: 1526
You haven't passed it a context file from which it would constraint to scope.
The baseline scan documentation is here: https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan
In particular you probably care about:
-n context_file context file which will be loaded prior to spidering the target
You should probably also have a look at: https://blog.mozilla.org/security/2017/01/25/setting-a-baseline-for-web-security-controls/
Also it's probably easiest to configure, test, and export the context from the GUI before trying to use it with automation.
Upvotes: 3
Related Questions
- OWASP/ZAP dangling when trying to scan
- Owasp ZAP not performing authentication during active scan using "Form-Based-Authentication" ON python project
- ZAP active scan works in desktop but fails in docker image with url_not_in_context error
- How to run ZAP Scan to scan another container
- Zap docker - Active scan
- OWASP ZAP docker returns 'Connection refused' when running active-scan
- Scanning Rest API's through OWASP zap inside a docker environment
- How to run OWASP Zed Attack Proxy ZAP's zap-api-scan.py without requiring docker
- Zap scan is not running SOAP injection test
- Pass login parameters to scan with owasp zap on docker command