Forum Discussion

PedroCollado's avatar
PedroCollado
Icon for Bronze II rankBronze II
13 days ago

Introduction to OWASP ZAP

I'm completely stuck with this one  I can see in the robots.txt  that there's a disallow page as /checkout  but it seems that this page doesn't exists.. What i'm missing? any hint?   
application security
help & support
  • AtakanBal's avatar
    AtakanBal
    12 days ago

    So, your mistake is that you assume the "/checkout" page is the draft checkout page you are looking for but its not

    In order to find the correct page, you are expected to perform a ZAP spider attack. Authentication configurations should be there because only then ZAP will be able to fully crawl the website. After that if you look at the resources ZAP finds carefully, the correct URL should be there

    Regarding configuring the ZAP for this Briefing section should guide you

AtakanBal's avatar
AtakanBal
Icon for Bronze III rankBronze III

To find the hidden checkout page you need to perform a spider attack with authentication settings in place

PedroCollado's avatar
PedroCollado
Icon for Bronze II rankBronze II
12 days ago

Maybe I'm getting all this wrong, but I think that the problem is that the requested page does not exists at all

Let me elaborate this a little bit more... in the lab tasks we have two pages to investigate:

/useful_admin_stuff

/chekout

You suggests that this is a problem of authentication, in this case I would get a 302 or 308, like is happening with the  /useful_admin_stuff, where I can circumvent once the authentication is solved 

 

But for  /checkout

I'm just getting a 404 error like if the page doesn't exists 

 

 

 

So? Is still something that I'm doing wrong  or is the lab missing a page that should be there?

 

  • AtakanBal's avatar
    AtakanBal
    Icon for Bronze III rankBronze III
    12 days ago

    So, your mistake is that you assume the "/checkout" page is the draft checkout page you are looking for but its not

    In order to find the correct page, you are expected to perform a ZAP spider attack. Authentication configurations should be there because only then ZAP will be able to fully crawl the website. After that if you look at the resources ZAP finds carefully, the correct URL should be there

    Regarding configuring the ZAP for this Briefing section should guide you

    • PedroCollado's avatar
      PedroCollado
      Icon for Bronze II rankBronze II
      12 days ago

      Thank you, I managed to find what I needed but just by inspecting the source code of the basket, TBH I was expecting to ZAP find the target url itself by checking the Parse HTML comments in the advanced option of the spider.. but that wasn't the case. 

      So Lab finished but still having the feeling that it was not because ZAP was correctly configured😅

      • KieranRowley's avatar
        KieranRowley
        Icon for Community Manager rankCommunity Manager
        12 days ago

        PedroCollado there are often multiple ways to complete a lab,  I'm glad to see you found one!

        If you found AtakanBal's reply useful, please don't forget to mark it as a Solution ✅

        Marking a reply as a solution helps other community members to find answers to questions that they may also have. It also confirms to your fellow community members that their reply was helpful! You can accept more than one reply as a solution.