Ajax Spider with Context and User

[rucciva]

hi, how do you run zap-cli ajax-spider with a context and a user? similar to zap-cli spider -c context -u user

[tony]

Same. This is a very common pattern and there's no working example for ajax spidering for authorization in CLI for zap-cli or zap in general. I can do it in GUI - but that's not useful because apparently they're practically separate applications.

[rucciva]

Hi @tony , it seems like this tools is no longer being maintained.

my workaround is to run spider before ajax spider since i guess the session after spidering is persisted.

I'm also guessing that we could also run ajax spider by using quick-scan with custom script scanner
only (if im not wrong the scanner id is 50000) after disabling all the custom active-scan script (thus no active-scan script will run).

[tony]

Thank you for the response @rucciva!

my workaround is to run spider before ajax spider since i guess the session after spidering is persisted.

Can you give me an example of what it looks like in CLI commands?

I'm also guessing that we could also run ajax spider by using quick-scan with custom script scanner
only (if im not wrong the scanner id is 50000) after disabling all the custom active-scan script (thus no active-scan script will run).

An example of this, if such a thing existed would be incredibly valuable!

[rucciva]

sure, something like this (assuming you have started the zap daemon before)

zap-cli spider -c "$CONTEXT_NAME" -u "$CONTEXT_USER" "$URL" && zap-cli ajax-spider "$URL"

or with quick-scan

zap-cli quick-scan --ajax-spider  -c "$CONTEXT_NAME" -u "$CONTEXT_USER" --scanners "50000" "$URL"

[tony]

Thank you! I will give this a try in the AM tomorrow (Texas time)