Related questions

OWASP ZAP - Access Site tree

2018-07-03 06:52 Mh07 imported from Stackoverflow

I'm using OWASP ZAP API for spidering. I couldn't find the way to get site tree structure via ZAP API. I would like to know if there is anyway I can get Site tree of the URL (with its nodes) via ZAP API?

See also questions close to this topic

  • Protecting against directory traversal

    newbie here, int the following the it takes in a file as a parameter and concatenates it to the directory string, it then looks for the file and using streams fetches and serves the file to the browser for downloading. This code is susceptible to directory traversal and im not sure how to go about hardening the code to counteract this.

    <%
         if(request.getParameter("file")!=null)
        {
            String context = request.getContextPath();

            int BUFSIZE = 4096;
               String filePath;


            filePath = request.getParameter("file");
            File file = new File(getServletContext().getRealPath("/") +context);
            file = new File(file.getParent()+"/documents/"+filePath);       
            int length   = 0;
            ServletOutputStream outStream = response.getOutputStream();
            //response.setContentType("text/html");
            response.setContentLength((int)file.length());
            String fileName = (new File(filePath)).getName();
            response.setHeader("Content-Disposition", "attachment; filename=\"" + fileName + "\"");

            //response.setHeader("Content-Disposition", "attachment; filename=\"" +new Random().nextInt(10000)+ "\"");

            byte[] byteBuffer = new byte[BUFSIZE];
            DataInputStream in = new DataInputStream(new FileInputStream(file));

            while ((in != null) && ((length = in.read(byteBuffer)) != -1))
            {
            outStream.write(byteBuffer,0,length);
            }

            in.close();
            outStream.close();
        }
        else
        {

        }

    %>

  • CSRFGuard loading javascript inject in script tag

    I am trying to work with CSRFGuard API to fix CSRF Vulnerability in my application. For that purpose I am using Javascript injection to do so.

    I am doing so by including the following line in my jsp:

    <script type="text/javascript" src="javascriptservlet"></script>

    When I run it with localhost, it gets loaded in browser perfectly. But when I host my application on a server, it doesnot get loaded. I looked in the response headers and it says

    The origin server did not find a current representation for the target resource or is not willing to disclose that one exists

    I tried to change the script tag like :

    <script type="text/javascript" src="https://<servername>:<port>/appcontext/javascriptservlet"></script>

    but I get same result in response headers and the response from "javascriptservlet" doesnot loaded in browser which is a JavaScript.

    Also when I hit the url in the browser's address bar, I get the response with the Javascript successfully but it is failing to load the Javascript when referred from tag

    I am really stuck with this thing . Any help would be much appreciated.

  • Unable to connect to database after installing bricks on wamp

    I am new to the whole WAMP / PHP.

    I'm trying to install bricks (https://sechow.com/bricks/download.html) and I also downloaded a PHP for conversion from mysql to mysqli since bricks is running an older version of PHP and I'm using the latest one.

    Followed all the steps but when I try to get to login page 1, it states unable to connect to db, any idea why?

  • Finding the downloaded filetype from HTTP message

    I am trying to build a basic downloaded file scanning extension for the popular open source security application ZAP. using the built in sniffer, I can access the HTTP response messages. I am unable to determine the filetype of the file being downloaded. Although the Mozilla blog regarding HTTP talks about using the MIME Type in the 'Content-Type' header to determine the file type, I find that none of the response messages that I get have anything other than application/json or text/html or application/octet-stream. How do I determine if the corresponding HTTP response body contains any particular file type? . I am thus stuck at a dead end!

    I am a beginner in this field and there might be something that I am over looking. Any help or pointers would be greatly appreciated.

  • OWASP ZAP export to CSV?

    Simon (et al), There is a tool I would like to use, Neuralys but it only takes CSV and NESSUS inputs natively, is there a way to convert a ZAP report into a CSV file? Thanks --joe

  • Username and password not accepting in jenkins job

    I am trying to create a jenkins CI pipeline and my code is written using jenkins DSL.Specifically,I am facing issue when am passing username and password to dsl api for ZAP(zad attack proxy) by parameterized Build.The error getting displayed is:

    java.lang.NullPointerException: Cannot invoke method call() on null object

    I believe this means that am passing a null object which is not accepted,but i verified that there was no empty data i was passing to the DSL.

    When i am creating a job with ZAP config using DSL API referrence,it works fine. Not sure where is the issue.Hope somebody can help in this issue.Pls let me know if more details are needed on the above issue.