While testing, I found that POST-based scanning (active-scan / quick-scan) was not working in zap-cli. This is a zap-cli issue, and it has already been reported here:
https://github.com/Grunny/zap-cli/issues/73
While testing this I finally found a way to work around it, which I share here. The trick uses ZAP's Attack mode: when Attack mode is enabled, ZAP automatically active-scans every in-scope node (scope is defined through a Context) as soon as it appears in the site tree.
The results accumulate inside ZAP, so even though zap-cli itself only scans the GET requests, the alerts from the POST requests scanned in Attack mode can end up in the same report.
TL;DR
- Start ZAP
- Switch to Attack mode through the ZAP API
- /JSON/core/action/setMode/?mode=attack
- Add the target URL to scope (via a Context)
- Get the POST URL into the site tree, e.g. by sending the request through the ZAP proxy (in Attack mode the scan starts at this point)
- Wait for the Attack-mode queue to drain, then run quick-scan or active-scan
Step by Step
Starting ZAP
Start ZAP first: the ZAP GUI, zap.sh (daemon mode) or zap-cli start all work.
Call the API to switch to Attack mode
zap-cli cannot change the mode directly, so call the ZAP API instead: /JSON/core/action/setMode/?mode=attack (add the apikey parameter if your ZAP instance requires an API key).
Add the target URL to scope (using a Context)
Get the POST URL into the site tree (for example by sending the POST request through the ZAP proxy); because ZAP is in Attack mode, the active scan of that node starts immediately.
Run quick-scan or active-scan (and wait for the Attack-mode scan)
When the scan completes, the POST requests have already been scanned in Attack mode and their alerts appear together with the zap-cli results.
If the Attack-mode scan ends faster than the quick-scan/active-scan, the results may not come out properly. In that case, check the state of the Attack-mode scan through the attack mode queue API (/JSON/ascan/view/attackModeQueue/):
| Status | Response |
|---|---|
| Success or nothing queued | {"attackModeQueue":"-1"} |
| Scanning | {"attackModeQueue":"0"} |
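The whole procedure as one script, added here as an example; it is not code from the original post, from zap-cli or from ZAP. It assumes ZAP is already running on 127.0.0.1:8080 with the API key in $ZAP_API_KEY, a hypothetical target http://target.example with a POST endpoint /login and a constructed body user=a&pass=b, and a context name zapcli-post; the ZAP JSON API paths core/action/setMode, context/action/newContext, context/action/includeInContext and ascan/view/attackModeQueue are the standard ZAP API, and the queue values -1 and 0 are the ones the table above reports. Steps 2 to 4 go through curl because zap-cli has no command for them; step 5 polls the queue and then hands over to zap-cli.

```shell
#!/bin/sh
# Added example (not from the original post, zap-cli or ZAP): drive the
# Attack-mode workaround end to end. Assumed environment, not on the page:
# ZAP on 127.0.0.1:8080 with API key $ZAP_API_KEY, hypothetical target
# http://target.example, POST endpoint /login, constructed body user=a&pass=b.
ZAP_PORT="${ZAP_PORT:-8080}"
ZAP_URL="${ZAP_URL:-http://127.0.0.1:$ZAP_PORT}"
ZAP_API_KEY="${ZAP_API_KEY:-changeme}"
TARGET="${TARGET:-http://target.example}"      # hypothetical target
POST_PATH="${POST_PATH:-/login}"               # hypothetical POST endpoint
POST_BODY="${POST_BODY:-user=a&pass=b}"        # constructed sample body
CONTEXT="${CONTEXT:-zapcli-post}"              # hypothetical context name

# Call one ZAP JSON API endpoint, e.g.: zap_api core/action/setMode 'mode=attack'
zap_api() {
  curl -sS "$ZAP_URL/JSON/$1/?apikey=$ZAP_API_KEY&${2:-}"
}

# Minimal percent-encoding for a regex placed in a query string.
urlencode() {
  printf '%s' "$1" | sed 's/:/%3A/g; s|/|%2F|g; s/\*/%2A/g; s/?/%3F/g; s/&/%26/g'
}

# Extract the value from {"attackModeQueue":"-1"} without jq; empty if absent.
parse_queue() {
  printf '%s' "$1" | sed -n 's/.*"attackModeQueue":"\(-\{0,1\}[0-9][0-9]*\)".*/\1/p'
}

# Poll ascan/view/attackModeQueue until the queue reports -1 (drained).
# The post's table says -1 is also what you get when nothing was ever
# queued, so an early -1 during the first $3 "grace" polls is not trusted
# unless a non -1 value was seen before. $1 = max polls, $2 = seconds
# between polls. Returns 0 when drained, 1 on timeout.
wait_attack_queue() {
  max="${1:-60}"; delay="${2:-5}"; grace="${3:-2}"
  n=0; seen_active=0
  while [ "$n" -lt "$max" ]; do
    q=$(parse_queue "$(zap_api ascan/view/attackModeQueue)")
    echo "poll $n: attackModeQueue=${q:-?}" >&2
    if [ "$q" = "-1" ]; then
      if [ "$seen_active" = 1 ] || [ "$n" -ge "$grace" ]; then return 0; fi
    elif [ -n "$q" ]; then
      seen_active=1
    fi
    n=$((n + 1))
    sleep "$delay"
  done
  return 1
}

# Steps 2 to 5 of the post, against an already running ZAP (step 1).
run_workaround() {
  # 2. Switch to Attack mode (zap-cli has no command for this).
  zap_api core/action/setMode 'mode=attack'; echo
  # 3. Put the target in scope through a context; Attack mode only scans
  #    in-scope nodes, so keep the regex tight.
  zap_api context/action/newContext "contextName=$CONTEXT"; echo
  zap_api context/action/includeInContext \
    "contextName=$CONTEXT&regex=$(urlencode "$TARGET.*")"; echo
  # 4. Send the POST through the ZAP proxy so it lands in the site tree;
  #    in Attack mode this already starts the active scan of that node.
  curl -sS -o /dev/null -x "$ZAP_URL" -X POST --data "$POST_BODY" "$TARGET$POST_PATH"
  # 5. Let the Attack-mode queue drain, then run the normal zap-cli scan so
  #    the GET and POST findings are reported together.
  wait_attack_queue 120 5 || { echo "attack mode queue did not drain" >&2; return 1; }
  zap-cli --port "$ZAP_PORT" --api-key "$ZAP_API_KEY" active-scan -r "$TARGET/"
  zap-cli --port "$ZAP_PORT" --api-key "$ZAP_API_KEY" alerts
}

# Only run against ZAP when explicitly asked: sh zap-post-workaround.sh run
case "${1:-}" in
  run) run_workaround ;;
esac
```

Invoke it as sh zap-post-workaround.sh run after exporting ZAP_API_KEY and TARGET. The grace polls in wait_attack_queue exist because the table above reports -1 both when the queue has drained and when nothing was queued yet; without them the script could hand over to zap-cli before the Attack-mode scanner has even picked up the seeded POST. Remember that Attack mode scans anything in scope the moment it is proxied, so the scope regex should not be wider than the target you are allowed to test.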