zaproxy icon indicating copy to clipboard operation
zaproxy copied to clipboard
verified publisher icon zaproxy

Traditional spider is missing URLs in v2.16.0

Open acardnell-intruder opened this issue 10 months ago • 4 comments

Describe the bug:

I have a very simple Flask app that I use as part of a Gitlab test pipeline to confirm our ZAP configuration is working correctly.

After recently upgrading to v2.16.0 some of the tests have started failing intermittently for the traditional spider with missing URLs reported by zap.spider.all_urls and /or zap.core.urls, even though I can see an alert was raised referencing the URLs.

Steps to reproduce the behavior:

  1. Configure a form-based authentication for an application.
  2. Kick off the traditional spider against the application.
  3. Check if login URL is present in zap.core.urls.

Expected behavior:

URLs, especially those present in alerts, should be returned in zap.core.urls and / or zap.spider.all_urls.

Software Versions:

This is occurring for ZAP v2.16.0 using Docker image tag 20250304 and the Python zap-api-python library v0.4.0.

Screenshots:

Here are some screenshots of the problem (the URL in question below is http://<flask-app-id>/login):

zap.core.urls

Image

zap.core.alerts

Image

This mainly fails for the missing /login URL, although there is also a /blog?title=foo endpoint missing from the results in the screenshot as well, which happens less frequently.

Errors from the zap.log file:

No response

Additional context:

This happens using of a form-based authentication and the presence of the URL /profile in the list of URLs indicates that the login was successful because it is behind authentication, and I have a separate test that confirms the reverse, i.e. /profile is not present when unauthenticated, which passes.

The tests are isolated and a fresh Flask app instance is spun up for each test with no caching or anything between test runs. It happens when running tests locally and on the pipeline so seems unrelated to environment. One thing to note is the failure is not consistent - I'd say it happens roughly 70% of the time, whereas this never failed prior to v2.16.0 and has been working for ~6-8 months.

Finally, I tried switching the spider to use a thread count of 1 but it had no impact.

Would you like to help fix this issue?

  • [x] Yes

acardnell-intruder avatar May 09 '25 15:05 acardnell-intruder

Was the previous version 2.15? Any possibility that you can share the sample app being used?

thc202 avatar May 09 '25 15:05 thc202

The previous version was the Docker image tagged 20241223, which I believe was 2.15.0.

I should be able to share the Docker image for the test Flask application, do you have a problem with me contacting you on the ZAP Slack channel with a link?

acardnell-intruder avatar May 09 '25 15:05 acardnell-intruder

No problem.

thc202 avatar May 09 '25 16:05 thc202

Quick update which will maybe help with the investigation - just trawling through our failing pipelines it appears this also occurs for the AJAX spider as well, so it isn't limited to just the traditional spider as the title suggests.

acardnell-intruder avatar May 12 '25 09:05 acardnell-intruder