I'm trying to set configs when I start zap.sh as described here.

docker run -p 8090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0 -config api.key=0123456789 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config scanner.strength=INSANE -config scanner.threshold=HIGH -config context.excregexes='^(?:(?!https?:\/\/example\.com).*).$'

But when I start a scan pointed at, say, google.com, it shows this in the logs:

16818 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://google.com | TestPathTraversal strength MEDIUM threshold MEDIUM

which suggests that the scanner strength and threshold changes are being ignored along with my exclude regex of anything not on example.com. What am I doing wrong?

Note: Using owasp/zap2docker-stable, trying to run with a slightly modified version of this.

Cynic

1 Answer

First you seem to have tried to set Strength twice. Also setting the default would only matter if the scanners were set to use the default.

Second, you should try setting/perfecting the regexes via the GUI until you're sure they are correct.

kingthorin
  • Hey, thanks for pointing out that duplicate `scanner.strength=`; the second one was supposed to be `scanner.threshold=`, so I've edited that in. That being said, this doesn't fix the issue, and your answer doesn't really address the question asked, of how these are supposed to be passed. I am just running a default scan. – Cynic Jul 18 '17 at 16:54
  • Is there a reason you're trying to set everything with the command line versus using the web API? Excluding from a context will also only exclude from scan if you're scanning the context in question. I think what you're actually after is setting "Exclude From Proxy", "Exclude From Spider", or "Exclude From Scanner". – kingthorin Jul 19 '17 at 00:49
  • Also it seems awkward (though should be possible) to exclude everything but something (example.com), when you could simply include only that thing (example.com). (Exclude from context vs Include in context.) – kingthorin Jul 19 '17 at 00:56
  • Last one for tonight, though I don't really think it has any bearing on what you're experiencing or trying to do. You forgot to escape the period in your regex in the domain name. I can try to answer your question here but you're likely to get more eyes if you post to the user group https://groups.google.com/forum/#!forum/zaproxy-users – kingthorin Jul 19 '17 at 01:00
  • No, I had to move on to something else for a bit. I'm starting to think there's a bug, because when the server starts on the docker image it does print out `INFO org.parosproxy.paros.common.AbstractParam - Setting config scanner.strength = INSANE was null`, etc. So it seems to think it's setting it, it just doesn't use it when you start a scan. Do you by any chance know how you would set these in the scanner example instead? https://github.com/zaproxy/zap-api-python/blob/master/src/examples/basic-spider-scan.py – Cynic Aug 05 '17 at 10:57
  • You mean something like this? https://github.com/zaproxy/zaproxy/blob/develop/build/docker/zap-full-scan.py#L332 `zap.ascan.set_scanner_alert_threshold(id=scanner, alertthreshold='OFF', scanpolicyname=scan_policy)` You probably don't want to set it as `'OFF'` but still you get the idea.... – kingthorin Aug 09 '17 at 16:43
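Following kingthorin's last comment, here is an added example (not code from the question, the answer, or the ZAP project) that sets strength and threshold for every scanner in a named scan policy through the zap-api-python client instead of `-config`, and uses "Exclude From Scanner" to keep the scan on example.com. The policy name `strict`, the proxy address, the exclusion regex and the `ascan.*` method signatures are assumptions based on the zap-api-python client; the API key and the INSANE/HIGH values come from the question.

```python
"""Set per-scanner strength/threshold and a scan exclusion through the ZAP API,
since the -config values were logged as set but the scanners still ran at MEDIUM."""
import time

# Values from the question; zap-full-scan.py pins these per scanner the same way.
STRENGTH, THRESHOLD = "INSANE", "HIGH"


def policy_calls(scanner_ids, policy, strength=STRENGTH, threshold=THRESHOLD,
                 exclude_regexes=()):
    """Return the ordered (ascan method name, kwargs) calls that build a scan
    policy in which every scanner uses `strength`/`threshold`.
    Pure function: no ZAP connection needed, so it can be inspected or tested."""
    calls = [("add_scan_policy", {"scanpolicyname": policy,
                                  "alertthreshold": threshold,
                                  "attackstrength": strength})]
    for sid in scanner_ids:
        # Individual scanners can override the policy default, so pin each one
        # explicitly, as zap-full-scan.py does for the alert threshold.
        calls.append(("set_scanner_attack_strength",
                      {"id": sid, "attackstrength": strength, "scanpolicyname": policy}))
        calls.append(("set_scanner_alert_threshold",
                      {"id": sid, "alertthreshold": threshold, "scanpolicyname": policy}))
    for regex in exclude_regexes:
        # "Exclude From Scanner" applies regardless of context membership.
        calls.append(("exclude_from_scan", {"regex": regex}))
    return calls


def apply_calls(ascan, calls):
    """Execute `calls` against a zapv2.ZAPv2().ascan object (assumed API)."""
    return [getattr(ascan, name)(**kwargs) for name, kwargs in calls]


# Assumed regex: excludes every URL that does not start with http(s)://example.com/
# (the trailing (?:/|$) keeps example.com.evil.test from matching too).
ONLY_EXAMPLE_COM = r"^(?!https?://example\.com(?:/|$)).*$"


def configure_and_scan(zap, target, policy="strict"):
    """Build the policy on a live ZAP, then run an active scan with it."""
    ids = [s["id"] for s in zap.ascan.scanners()]  # all scanners ZAP knows
    apply_calls(zap.ascan, policy_calls(ids, policy, exclude_regexes=[ONLY_EXAMPLE_COM]))
    scan_id = zap.ascan.scan(target, scanpolicyname=policy)
    while int(zap.ascan.status(scan_id)) < 100:  # status is a percentage string
        time.sleep(5)
    return zap.ascan.results(scan_id)


if __name__ == "__main__":
    from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4
    proxy = "http://127.0.0.1:8090"  # assumed: the daemon started with -port 8090
    zap = ZAPv2(apikey="0123456789", proxies={"http": proxy, "https": proxy})
    print(configure_and_scan(zap, "https://example.com"))
```

Checking the ZAP log after this should show each scanner starting with `strength INSANE threshold HIGH` rather than the MEDIUM/MEDIUM line quoted in the question.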