
Solving the issue of POST scans not working in zap-cli

During the test, I found that POST-based scanning (active-scan / quick-scan) was not working in zap-cli 😱 This problem is a zap-cli issue, and it has already been reported in the issue below.

https://github.com/Grunny/zap-cli/issues/73

So while testing this, I finally found a way to solve it, and I am sharing it here. This is a trick using ZAP’s Attack mode. When Attack mode is activated, active-scan basically operates on the targets that fall within scope through a Context.


The results now accumulate in ZAP, so even if only the GET requests are scanned through zap-cli, the results of the POST may be added to them.

TL;DR

  1. Start ZAP
  2. Change mode to attack mode with ZAP API
    • /JSON/core/action/setMode/?mode=attack
  3. Add scope target URL
  4. Include POST URL in sitetree (At this point, the scan already starts.)
  5. Wait for the Attack mode queue and run quick-scan or active-scan

Step by Step

Starting ZAP

Prepare ZAP! Open the ZAP GUI, or start it with zap.sh or zap-cli.

$ zap-cli start

Call this API to change to attack mode

You can’t change the mode directly in zap-cli, so call the ZAP API to change to attack mode.

{ZAP-API-HOST}/JSON/core/action/setMode/?mode=attack

// refer: http://localhost:8090/UI/core/action/setMode/
// API: http://localhost:8090/JSON/core/action/setMode/?mode=attack


Add scope target URL (using context)

$ zap-cli context new NAME
$ zap-cli context include -n NAME -p your_target_url.*

Include POST URL in sitetree

$ curl -i -k http://your_target_url -X POST -d "blah=1234" --proxy http://your_zap_api_port

Run quick-scan or active-scan (and wait for attack mode)

When the scan is completed, the POST has already been scanned in attack mode, and its results appear together with the rest.


If the attack mode scan ends faster than quick-scan/active-scan, the results may not come out properly. In this case, you can check the status of the attack mode scan through the attack mode queue API 😎

{ZAP-API-HOST}/JSON/ascan/view/attackModeQueue
Status          | Response
Success or None | {"attackModeQueue":"-1"}
Scanning        | {"attackModeQueue":"0"}
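
The five steps above combined into one script, as an added example that is not part of the original post. The `ZAP_API` and `ZAP_API_KEY` variables, the context name `post-scan`, the 5-second poll interval and the script arguments are assumptions; the queue values follow the status table above.

```sh
#!/bin/sh
# Added example (not from the original post). ZAP_API, ZAP_API_KEY, the context
# name "post-scan" and the script arguments are assumptions.
ZAP_API="${ZAP_API:-http://localhost:8090}"   # ZAP address used on the page

# Call a ZAP API path; the key header is sent only when ZAP_API_KEY is set.
zap_get() {
  if [ -n "${ZAP_API_KEY:-}" ]; then
    curl -fsS -H "X-ZAP-API-Key: ${ZAP_API_KEY}" "${ZAP_API}$1"
  else
    curl -fsS "${ZAP_API}$1"
  fi
}

# Read a response such as {"attackModeQueue":"-1"} on stdin, print the number.
queue_value() {
  sed -n -E 's/.*"attackModeQueue" *: *"?(-?[0-9]+)"?.*/\1/p'
}

# Per the page's status table: -1 is "Success or None", 0 is "Scanning".
queue_idle() {
  [ "$1" = "-1" ]
}

# Poll the queue every 5 s, at most $1 times; an empty or malformed
# response counts as "not finished". Returns 1 on timeout.
wait_attack_mode() {
  tries="${1:-60}"
  while [ "$tries" -gt 0 ]; do
    q=$(zap_get /JSON/ascan/view/attackModeQueue | queue_value)
    queue_idle "$q" && return 0
    sleep 5
    tries=$((tries - 1))
  done
  return 1
}

# Usage: script.sh TARGET_URL POST_BODY
run_post_scan() {
  zap-cli start                                             # 1. start ZAP
  zap_get '/JSON/core/action/setMode/?mode=attack'          # 2. attack mode
  zap-cli context new post-scan                             # 3. scope
  zap-cli context include -n post-scan -p "$1.*"
  curl -sk -o /dev/null -X POST -d "$2" --proxy "$ZAP_API" "$1"   # 4. POST via ZAP
  wait_attack_mode 60 || echo "attack mode queue not idle yet" >&2  # 5. wait
  zap-cli quick-scan "$1"                                   #    then scan
}

if [ "$#" -ge 2 ]; then run_post_scan "$1" "$2"; fi
```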
