
I am trying to run an active scan through the ZAP proxy. The code looks like this:

// /spider/action/scan/ and wait till it finishes
int scanId = StartScanning(clientApi, API_KEY, "https://contosco.com/Home.aspx");
PollTheSpiderTillCompletion(clientApi, scanId);

// /ascan/action/scan/ and wait till it finishes
int activeScanId = StartActiveScanning(clientApi, API_KEY, "https://contosco.com/Home.aspx");
PollTheActiveScannerTillCompletion(clientApi, activeScanId);

The spider correctly traverses all URLs in the application. However, the active scan only hits the first URL and then stops. Is there a way to actively scan all URLs (or should I first fetch the spider report, iterate over it, and scan each URL from the spider report)?

Full source:

using System;
using System.Threading;
using OWASPZAPDotNetAPI; // assumed: the OWASP ZAP .NET client that provides ClientApi and ApiResponseElement

// /spider/action/scan/ - returns the spider scan id
private static int StartScanning(ClientApi api, string apiKey, string url)
{
  var apiResponse = api.spider.scan(apiKey, url, "");
  string scanid = ((ApiResponseElement)apiResponse).Value;
  return int.Parse(scanid);
}

// /ascan/action/scan/ with recurse="true" - returns the active scan id
private static int StartActiveScanning(ClientApi api, string apiKey, string url)
{
  var apiResponse = api.ascan.scan(apiKey, url, "true", "", "", "", "");
  string activeScanId = ((ApiResponseElement)apiResponse).Value;
  return int.Parse(activeScanId);
}

// Poll /spider/view/status/ once a second until it reports 100%
private static void PollTheSpiderTillCompletion(ClientApi api, int scanid)
{
  int spiderProgress;
  while (true)
  {
    Thread.Sleep(1000);
    spiderProgress = int.Parse(((ApiResponseElement)api.spider.status(Convert.ToString(scanid))).Value);
    if (spiderProgress >= 100)
      break;
  }

  // give ZAP time to finish processing the spidered pages
  Thread.Sleep(10000);
}

// Poll /ascan/view/status/ every five seconds until it reports 100%
private static void PollTheActiveScannerTillCompletion(ClientApi api, int activeScanId)
{
  int activeScannerprogress;
  while (true)
  {
    Thread.Sleep(5000);
    activeScannerprogress = int.Parse(((ApiResponseElement)api.ascan.status(Convert.ToString(activeScanId))).Value);
    if (activeScannerprogress >= 100)
      break;
  }
}
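The following is an added example, not the poster's code and not part of the ZAP project. It assumes the same OWASPZAPDotNetAPI client as the question (ClientApi, ApiResponseElement, and an ApiResponseList whose List property holds the spider's result elements are assumed type names), a ZAP daemon listening on 127.0.0.1:8080, and the API key in a ZAP_API_KEY environment variable; the target URL is the placeholder from the question. It shows the two choices the poster is weighing: starting the active scan at the site root with recurse set to "true", so the scan walks every node the spider added beneath that root in the Sites tree rather than the single leaf Home.aspx, and falling back to scanning spider-discovered URLs that live outside that root one at a time. The polling loop also carries a deadline so a stalled scan fails instead of spinning forever.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using OWASPZAPDotNetAPI;   // assumed: the OWASP ZAP .NET client used in the question

// Added example (not the poster's or ZAP's own code). Assumes a ZAP daemon on
// 127.0.0.1:8080 and the API key in the ZAP_API_KEY environment variable.
public static class ZapFullScan
{
    private const int PollIntervalMs = 2000;
    private static readonly TimeSpan ScanTimeout = TimeSpan.FromMinutes(30);

    public static void Main()
    {
        string apiKey = Environment.GetEnvironmentVariable("ZAP_API_KEY") ?? "";
        var api = new ClientApi("127.0.0.1", 8080);          // assumed constructor signature
        string target = "https://contosco.com/Home.aspx";   // placeholder target from the question

        // 1. Spider from the given page, then read back every URL it found.
        int spiderId = ParseId(api.spider.scan(apiKey, target, ""));
        WaitForCompletion("spider", () => api.spider.status(spiderId.ToString()));
        List<string> found = ((ApiResponseList)api.spider.results(spiderId.ToString()))
            .List.Cast<ApiResponseElement>().Select(e => e.Value).ToList();   // assumed list shape
        Console.WriteLine($"Spider found {found.Count} URLs");

        // 2. Active-scan the site root rather than the single page. With recurse="true"
        //    ZAP scans the named Sites-tree node and its children; Home.aspx is a leaf,
        //    so recursing from it covers only Home.aspx.
        string root = SiteRoot(target);
        int ascanId = ParseId(api.ascan.scan(apiKey, root, "true", "", "", "", ""));
        WaitForCompletion("active scan " + root, () => api.ascan.status(ascanId.ToString()));

        // 3. Anything the spider found on another scheme/host/port is not beneath that
        //    node, so scan those URLs individually (the poster's alternative approach).
        foreach (string url in found.Where(u => !SameSite(u, root)))
        {
            int extraId = ParseId(api.ascan.scan(apiKey, url, "false", "", "", "", ""));
            WaitForCompletion("active scan " + url, () => api.ascan.status(extraId.ToString()));
        }

        string alerts = ((ApiResponseElement)api.core.numberOfAlerts(root)).Value;
        Console.WriteLine($"Active scan finished: {alerts} alerts recorded for {root}");
    }

    // Scheme + host (+ port) of a URL, e.g. "https://contosco.com" for the target above.
    public static string SiteRoot(string url) =>
        new Uri(url).GetLeftPart(UriPartial.Authority);

    // True when url belongs to the same scheme/host/port as root.
    public static bool SameSite(string url, string root) =>
        string.Equals(SiteRoot(url), root, StringComparison.OrdinalIgnoreCase);

    private static int ParseId(IApiResponse response) =>
        int.Parse(((ApiResponseElement)response).Value);

    // Poll a status endpoint until it reports 100%, failing instead of looping forever.
    private static void WaitForCompletion(string what, Func<IApiResponse> status)
    {
        DateTime deadline = DateTime.UtcNow + ScanTimeout;
        while (true)
        {
            int progress = int.Parse(((ApiResponseElement)status()).Value);
            Console.WriteLine($"{what}: {progress}%");
            if (progress >= 100) return;
            if (DateTime.UtcNow > deadline)
                throw new TimeoutException($"{what} did not finish within {ScanTimeout}");
            Thread.Sleep(PollIntervalMs);
        }
    }
}
```

Only scan hosts you are authorised to test; the per-URL fallback in step 3 is the expensive path, so restricting the spider to the intended scope (or checking ZAP's context/scope settings) keeps the active scan from wandering onto third-party hosts the spider happened to link out to.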

1 Answer


Which client library are you using?

You should wait until the spider has finished, but 'PollTheSpiderTillCompletion' suggests that is happening.

In the underlying ZAP API you need to specify whether the active scanner should recurse into sub-pages. I suspect your code isn't doing that, but I don't recognise that API, so I can't tell whether it is happening.

answered 2016-08-18T14:35:15.700