I am new to ZAP OWASP. I have created a ZAP Jenkins job. I am getting the message below with form login authentication:

7983 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Starting spidering scan on Context: SecurityTest at Mon Oct 05 10:06:27 EDT 2020
7989 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Spider initializing...

[ZAP Jenkins Plugin] SPIDER SCAN STATUS [ 0% ]
[ZAP Jenkins Plugin] ALERTS COUNT [ 0 ]

8023 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Starting spider...
8023 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Scan will be performed from the point of view of User: fred
8044 [ZAP-SpiderThreadPool-0-thread-1] INFO org.zaproxy.zap.users.User  - Authenticating user: USer
8274 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.spider.Spider  - Spidering process is complete. Shutting down...
8278 [ZAP-SpiderShutdownThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Spider scanning complete: true

The spider scanning status shows only 0%, and the log shows "Spider scanning complete: true". It is not displaying 100% completion, and the report is not displayed with the expected result. How can I fix this issue?

    USER user IS NOW ENABLED

[ZAP Jenkins Plugin] ATTACK MODE(S) INITIATED

[ZAP Jenkins Plugin] SPIDER SCAN ENABLED [ TRUE ]

    SPIDER SCAN SETTINGS
        AUTHENTICATED SPIDER SCAN [ TRUE ]
        RECURSE: [ TRUE ]
        SUB TREE ONLY: [ FALSE ]
        MAX CHILDREN: [ 0 ]
        CONTEXT ID: [ 1 ]
        USER ID: [ 0 ]
        USER NAME: [ user ]

[ZAP Jenkins Plugin] SPIDER SCAN THE SITE [ https://localhost:8080/webui ] AS USER [ User ]

7983 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Starting spidering scan on Context: SecurityTest at Mon Oct 05 10:06:27 EDT 2020
7989 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Spider initializing...

[ZAP Jenkins Plugin] SPIDER SCAN STATUS [ 0% ]
[ZAP Jenkins Plugin] ALERTS COUNT [ 0 ]

8023 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Starting spider...
8023 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Scan will be performed from the point of view of User: fred
8044 [ZAP-SpiderThreadPool-0-thread-1] INFO org.zaproxy.zap.users.User  - Authenticating user: user
8274 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.spider.Spider  - Spidering process is complete. Shutting down...
8278 [ZAP-SpiderShutdownThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Spider scanning complete: true

[ZAP Jenkins Plugin] AJAX SPIDER ENABLED [ FALSE ]
    SKIP AXAJ SPIDER FOR THE SITE [ https://localhost:8080/webui ]

[ZAP Jenkins Plugin] ACTIVE SCAN ENABLED [ FALSE ]
    SKIP ACTIVE SCAN FOR THE SITE [ https://localhost:8080/webui ]

[ZAP Jenkins Plugin] CLEAR WORKSPACE OF PREVIOUS REPORT(S) [ FALSE ]
    SKIP CLEARING WORKSPACE

[ZAP Jenkins Plugin] GENERATE REPORT(S) [ TRUE ]
    [ XML ] SAVED TO [ C:\Program Files (x86)\Jenkins\workspace\JENKINS_ZAP_VULNERABILITY_REPORT_34.xml ]
    [ HTML ] SAVED TO [ C:\Program Files (x86)\Jenkins\workspace\JENKINS_ZAP_VULNERABILITY_REPORT_34.html ]

[ZAP Jenkins Plugin] CREATE JIRA ISSUES [ FALSE ]
    SKIP CREATING JIRA ISSUES

[ZAP Jenkins Plugin] SUMMARY...
    ALERTS COUNT [ 0 ]
    MESSAGES COUNT [ 5 ]

[ZAP Jenkins Plugin] SHUTDOWN [ START ]

1 Answer

Don't try to debug authentication problems with ZAP on Jenkins unless there are no other alternatives. Do that using the ZAP desktop - that way you can see what's going on. Authentication is hard - see the ADDO Workshop videos on https://www.alldaydevops.com/zap-in-ten. I go into a lot of detail on them.
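
A build like the one in the question ends with "ALERTS COUNT [ 0 ]" even though the spider stopped after about 300 ms at 0%, so the empty report says nothing about the application. The following is an added example, not part of the answer or of the ZAP Jenkins plugin: a Python check that reads the console output and lists reasons not to trust such a result. The function names and the thresholds (`min_ms`, `min_messages`) are assumptions chosen for illustration.

```python
import re

# Excerpt of the Jenkins console output quoted in the question above.
SAMPLE_LOG = """\
7983 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Starting spidering scan on Context: SecurityTest at Mon Oct 05 10:06:27 EDT 2020
[ZAP Jenkins Plugin] SPIDER SCAN STATUS [ 0% ]
8044 [ZAP-SpiderThreadPool-0-thread-1] INFO org.zaproxy.zap.users.User  - Authenticating user: user
8278 [ZAP-SpiderShutdownThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Spider scanning complete: true
[ZAP Jenkins Plugin] SUMMARY...
    ALERTS COUNT [ 0 ]
    MESSAGES COUNT [ 5 ]
"""

# "<ms since start> [thread] LEVEL logger  - message" lines written by ZAP itself.
ZAP_LINE = re.compile(r"^(\d+) \[[^\]]+\] \w+ \S+\s+- (.*)$")
# "NAME [ value ]" lines written by the Jenkins plugin.
PLUGIN_KV = re.compile(r"(SPIDER SCAN STATUS|ALERTS COUNT|MESSAGES COUNT) \[ (\d+)%? \]")
KEYS = {"SPIDER SCAN STATUS": "status", "ALERTS COUNT": "alerts", "MESSAGES COUNT": "messages"}

def summarize(log_text):
    """Pull spider timing, last reported status and final counts out of the console log."""
    info = {"start_ms": None, "end_ms": None, "authenticated": False,
            "status": None, "alerts": None, "messages": None}
    for line in log_text.splitlines():
        m = ZAP_LINE.match(line)
        if m:
            ms, msg = int(m.group(1)), m.group(2)
            if msg.startswith("Starting spidering scan"):
                info["start_ms"] = ms
            elif msg.startswith("Authenticating user:"):
                info["authenticated"] = True
            elif msg.startswith("Spider scanning complete: true"):
                info["end_ms"] = ms
            continue
        m = PLUGIN_KV.search(line)
        if m:  # later lines overwrite earlier ones, so the SUMMARY values win
            info[KEYS[m.group(1)]] = int(m.group(2))
    return info

def suspicious(info, min_ms=1000, min_messages=10):
    """Return reasons the 'clean' result should not be trusted (thresholds are assumed)."""
    reasons = []
    if None not in (info["start_ms"], info["end_ms"]):
        elapsed = info["end_ms"] - info["start_ms"]
        if elapsed < min_ms:
            reasons.append(f"spider finished in {elapsed} ms")
    if info["end_ms"] is not None and info["status"] is not None and info["status"] < 100:
        reasons.append(f"spider completed while status was {info['status']}%")
    if info["messages"] is not None and info["messages"] < min_messages:
        reasons.append(f"only {info['messages']} messages recorded")
    return reasons

if __name__ == "__main__":
    for reason in suspicious(summarize(SAMPLE_LOG)):
        print("WARN:", reason)
```

A non-empty result is a cue to reproduce the login in the ZAP desktop, as the answer recommends, before reading anything into the alert count.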