zaproxy: AJAX Spider - Default Allowed Resources Missing
Is your feature request related to a problem? Please describe.
Hi ZAP.
This is a simple HTML page that invokes an HTTP request when you click a button using `$.ajax`. But… Spider and Ajax Spider do not seem to detect this.
```html
<html>
  <!-- jQuery is loaded from a third-party CDN host, not from the target site -->
  <script src="https://code.jquery.com/jquery-3.6.3.min.js" integrity="sha256-pvPw+upLPUjgMXY0G+8O0xUf+/Im1MZjXxxgOcBQBXU=" crossorigin="anonymous"></script>
  <body>
    <button onclick="btnClick()">Login</button>
    <script>
      // Clicking the button issues a GET to /alert.js via $.ajax
      function btnClick() {
        $.ajax({
          type: "GET",
          contentType: "application/json",
          url: '/alert.js',
          data: JSON.stringify({"id": "1234"}),
          dataType: 'json'
        })
      }
    </script>
  </body>
</html>
```
- Context Scope: https://pocs.hahwul.com.*
- Target URL: https://pocs.hahwul.com/logintest.html
[Screenshots: Ajax Spider, Spider]
I changed the advanced option of Ajax Spider, but the results are the same 😭 I hope it’s detected personally. Is there a good solution?
cc, @pyo-counting
Describe the solution you’d like
Detects `$.ajax` requests.
Describe alternatives you’ve considered
.
Screenshots
No response
Additional context
No response
Would you like to help fix this issue?
- Yes
About this issue
- State: closed
- Created a year ago
- Comments: 19 (14 by maintainers)
Commits related to this issue
- spiderAjax: add default resources to new config Ensure the default allowed resources are added when using a new configuration. Correct equals method of `AllowedResource` and add `toString()` to ease ... — committed to thc202/zap-extensions by thc202 a year ago
- spiderAjax: add allowed resources if none present Add the default allowed resources if none is present when updating from old versions to ensure the defaults are actually used, as they could be missi... — committed to thc202/zap-extensions by thc202 a year ago
@thc202 I just tested it in the latest version of AjaxSpider and it detects alert.js.
And now the default allowed resources also have values.
It was really nice to learn more about ZAP apart from solving issues! Thank you for always giving me motivation 😄
@nitek29 that is a known restriction, and one we’d like to have implemented. Best to comment on https://github.com/zaproxy/zaproxy/issues/6461 rather than this closed issue.
I see, your case is different, we’ll have to set the defaults to existing homes as well.
I can reproduce this using the latest weekly and a clean config dir:
./zap.sh -port 9090 -dir ajaxtest
FYI I’m surprised the AJAX Spider can not cope with this. It works by launching browsers and clicking on stuff, and it should click on all buttons. The fact that the button is using a `$.ajax` request shouldn’t matter - the browser should handle that. You can configure it to launch non headless browsers and then you can see what it’s doing. I’ll try and have a play with this asap…
Hello @thc202 @psiinon
It seems that “allowed resources” parameter isn’t available in the Automation Framework.
Is this issue known?
PS: I can’t generate an automation conf file from a given session with the cmdline:
zap.sh -cmd -autogenconf -session /opt/zaproxy/mysession.session
@hahwul the latest version of AJAX Spider add-on should address the case you mentioned.
I’ve just tried this and confirm the AJAX Spider doesn’t work with it 😦 Why not? Because for some reason https://code.jquery.com/jquery-3.6.3.min.js is treated as being out of scope 😦 When I add that domain to the scope then the AJAX Spider works. This is a bug - all GET requests for JS files should be treated as being in scope.
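The scope rule described in the comment above, modelled as an added Python example (not ZAP's own code): a request is followed if its URL matches the context regex from the report, or if it is a GET for a static resource matching an allowed-resource pattern. The two patterns are an assumption standing in for the add-on's "default allowed resources", and the request list is constructed from the page's repro.

```python
import re

# Context scope regex taken from the report.
CONTEXT_SCOPE = [re.compile(r"https://pocs\.hahwul\.com.*")]

# Assumed stand-ins for the add-on's default allowed resources (not ZAP's values).
DEFAULT_ALLOWED_RESOURCES = [
    re.compile(r"^http.*\.js(?:\?.*)?$"),   # script files, with optional query string
    re.compile(r"^http.*\.css(?:\?.*)?$"),  # stylesheets
]


def in_context(url, scope=CONTEXT_SCOPE):
    """True when the URL is inside the configured context."""
    return any(p.match(url) for p in scope)


def is_allowed_resource(method, url, allowed):
    """Only GET requests for static resources bypass the context check,
    so an off-context host is never reached with a state-changing request."""
    return method.upper() == "GET" and any(p.match(url) for p in allowed)


def should_follow(method, url, allowed=DEFAULT_ALLOWED_RESOURCES):
    """The crawler's decision: follow if in context or an allowed resource."""
    return in_context(url) or is_allowed_resource(method, url, allowed)


def crawl_decisions(requests, allowed=DEFAULT_ALLOWED_RESOURCES):
    """Map each (method, url) the browser issued to whether it is followed."""
    return {url: should_follow(m, url, allowed) for m, url in requests}


# Constructed sample of what the headless browser requests on logintest.html.
SAMPLE_REQUESTS = [
    ("GET", "https://pocs.hahwul.com/logintest.html"),
    ("GET", "https://code.jquery.com/jquery-3.6.3.min.js"),  # CDN script, off-context
    ("GET", "https://pocs.hahwul.com/alert.js?%7B%22id%22%3A%221234%22%7D"),  # from $.ajax
    ("POST", "https://cdn.example.invalid/track.js"),  # POST to .js must not pass
]

if __name__ == "__main__":
    # An empty allowed list reproduces the bug: jQuery is dropped, so btnClick()
    # never runs in the browser and /alert.js is never discovered.
    for url, ok in crawl_decisions(SAMPLE_REQUESTS, allowed=[]).items():
        print("buggy", ok, url)
    for url, ok in crawl_decisions(SAMPLE_REQUESTS).items():
        print("fixed", ok, url)
```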
Thanks! This is exactly the sort of info we need 😁