Unable to Start active scan (ascan) on given context with Zap Proxy

Was trying to automate zap proxy scan on website. Below is my flow:
1. Start Zap proxy
2. Create new session (/JSON/core/action/newSession/?apikey=12345&name=NewSession&overwrite=true)
3. Create new Context (/JSON/context/action/newContext/?apikey=12345&contextName=NewContext)
4. Add include and exclude regex URL patterns to context (/JSON/context/action/setContextRegexs/?apikey=12345&contextName=NewContext&incRegexs=[https://myowsapjuiceshop.herokuapp.com/*]&excRegexs=[^(?:(?!http.*://myowsapjuiceshop.herokuapp.com).*).$])
5. Add technologies to context (/JSON/context/action/includeContextTechnologies/?apikey=12345&contextName=NewContext&technologyNames=Db.MySQL%2CLanguage.Java%2COS.Linux%2CWS.Tomcat)
6. Run UI tests with proxy set
7. Run active scan (/JSON/ascan/action/scan/?apikey=12345&url=&recurse=&inScopeOnly=&scanPolicyName=&method=&postData=&contextId=2) // 2 is correct contextID
8. Wait for active scan to complete (/JSON/ascan/view/status/?apikey=12345&scanId=5) // 5 is scan ID that I should be getting from step 7 (run active scan response)
9. Get Alerts json (/JSON/alert/view/alerts/?apikey=12345&baseurl=&start=&count=&riskId=)
Everything is fine till step 7 and I'm stuck at step 7. Based on the documentation ("Runs the active scanner against the given URL and/or Context...."), I was of the understanding that I can run an active scan against a context and that the URL is optional when the contextId is mentioned.
But when I hit the API to run the active scan with the correct apikey and contextId: /JSON/ascan/action/scan/?apikey=12345&url=&recurse=&inScopeOnly=&scanPolicyName=&method=&postData=&contextId=2
The response is {"code":"missing_parameter","message":"Missing Parameter"}
I'm getting the below error in the ZAP logs:
1581054 [ZAP-ProxyThread-65] WARN org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/JSON/ascan/action/scan/] from [127.0.0.1]:
Missing Parameter (missing_parameter) : url
at org.zaproxy.zap.extension.ascan.ActiveScanAPI.scanURL(ActiveScanAPI.java:874)
at org.zaproxy.zap.extension.ascan.ActiveScanAPI.handleApiAction(ActiveScanAPI.java:369)
at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:506)
at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:499)
at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:335)
at java.lang.Thread.run(Thread.java:748)
I want to run an active scan on all the recorded URLs which match the include and exclude regexes I have set on the context. Any help would be greatly appreciated.

Have you defined any URLs in your context?
If so, are any of those URLs in the Sites tree?
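
The check asked for in the reply can be done offline before calling ascan. This is an added example, not part of the original post and not ZAP code: it assumes a context regex must match the whole URL, takes the two patterns from step 4 of the question, and runs them over a constructed list of recorded URLs; `WIDENED_INCLUDE` is a hypothetical alternative pattern.

```python
import re

# Patterns from step 4 of the question, with the outer [ ] list brackets dropped.
INCLUDE = [r"https://myowsapjuiceshop.herokuapp.com/*"]
EXCLUDE = [r"^(?:(?!http.*://myowsapjuiceshop.herokuapp.com).*).$"]
# Hypothetical alternative: escape the dots and let ".*" cover every path.
WIDENED_INCLUDE = [r"https://myowsapjuiceshop\.herokuapp\.com.*"]

# Constructed sample of URLs the Sites tree could hold after the proxied UI tests.
RECORDED = [
    "https://myowsapjuiceshop.herokuapp.com",
    "https://myowsapjuiceshop.herokuapp.com/",
    "https://myowsapjuiceshop.herokuapp.com/rest/products/search?q=apple",
    "https://myowsapjuiceshop.herokuapp.com/api/Users/",
    "https://cdn.example.net/jquery.min.js",
]


def in_context(url, include, exclude):
    """Assumed rule: a URL is in the context when at least one include regex
    matches the whole URL and no exclude regex matches the whole URL."""
    if not any(re.fullmatch(p, url) for p in include):
        return False
    return not any(re.fullmatch(p, url) for p in exclude)


def coverage(urls, include, exclude):
    """Split recorded URLs into (inside the context, outside the context)."""
    inside = [u for u in urls if in_context(u, include, exclude)]
    outside = [u for u in urls if u not in inside]
    return inside, outside


def report(label, include, exclude):
    inside, outside = coverage(RECORDED, include, exclude)
    print(f"{label}: {len(inside)} of {len(RECORDED)} recorded URLs in context")
    for url in outside:
        print(f"  not scanned: {url}")


if __name__ == "__main__":
    report("patterns as posted", INCLUDE, EXCLUDE)
    report("widened include", WIDENED_INCLUDE, EXCLUDE)
```

Under that whole-URL assumption, the posted include pattern covers only the two root URLs, because a trailing `/*` is a regex for "zero or more slashes" rather than a glob for "any path".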

Related

How to execute API update password in jMeter Load test

I'm a newbie with jMeter. I would like to ask for opinions and guidance from the forum to point me in the right direction. I have been tasked to do a load test on the Update Password API. I have tried several approaches I can think of, plus the info from the internet, but failed to get a successful execution.
Below is my most successful approach, but it still failed after 3-5 minutes of execution.
Test Plan
CSV Data Set Config - (Default setting, contain 500 member id's)
Thread Group (Setting: 100vu/100s, Loop: Infinite, Duration: 1 hour)
Counter1 (Old Password) example: abc001
Counter2 (New Password) example: abc002
Http Request (Get Token) {
Old Password
Member Id } --> Send token to next http request
Http Request (Update Password) {
Old Password
New Password
Confirm New Password }
Both Counters have an increment of 1 and have "Track counter independently for each user" checked.
Based on my logic, it should be able to handle the execution as below.
Member1 (abc001,abc002) > Member1 (abc002,abc003) > Member1 (abc003,abc004) > etc
But in reality it failed. I have also tried using JSR223 for the counter, but it still failed. Please help me by pointing me in the right direction on how to execute this. I hope anyone can help! Thanks
In its current form your question doesn't make a lot of sense, it's unclear to me what is expected behaviour, what is the actual one, how exactly your test is failing and so on.
Try running it with Debug Sampler added so you would see the JMeter Variables with their respective values.
If it doesn't help - come up with a minimal test plan which shows the issue you're having using i.e. Dummy Sampler and indicate what's wrong and how it should behave according to your expectations.

I am automating a login script for performance testing in JMeter

I want to make a script using JMeter for performance testing of a login page. The authorization type is code and the code challenge method is sh256. How could I fetch the code challenge, code verifier and state or nonce values dynamically?
The script is successful for 1 single user but failing for multiple. Can anyone help? Also, I am using BlazeMeter to record the script.
The process of "fetching" dynamic values is known as correlation and there is a lot of information on the topic on the Internet, i.e. How to Handle Correlation in JMeter
The main steps are:
1. Use a suitable JMeter Post-Processor to extract a dynamic value from the response into a JMeter Variable
2. Replace the recorded hard-coded value with the JMeter Variable from the previous step
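
Why a recording replays for one user but not for many, as an added example (not from the original posts and not JMeter code): assuming "sh256" in the question means the PKCE S256 method of RFC 7636, the code verifier, state and nonce are created fresh by the client for each login and the challenge is derived from the verifier, so only the returned authorization code is extracted from a response. In JMeter the same logic would sit in a JSR223 element; the function names and the callback URL below are constructed for illustration.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlsplit


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_login_params() -> dict:
    """Fresh values for one virtual user; recorded values cannot be reused."""
    verifier = b64url(secrets.token_bytes(32))  # 43 characters
    return {
        "code_verifier": verifier,  # kept locally, sent only to the token endpoint
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
        "state": b64url(secrets.token_bytes(16)),
        "nonce": b64url(secrets.token_bytes(16)),
    }


def extract_code(location: str, expected_state: str) -> str:
    """Correlation step: read the authorization code from the redirect
    Location header and reject a response that carries another state."""
    query = parse_qs(urlsplit(location).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response belongs to another login")
    return query["code"][0]


if __name__ == "__main__":
    params = new_login_params()
    # Constructed redirect, standing in for the authorization server's response.
    location = f"https://app.example.test/callback?code=abc123&state={params['state']}"
    print(params["code_challenge"], extract_code(location, params["state"]))
```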

Does Import.io api support status of the extractor?

I've just created an extractor with import.io. This extractor uses chaining. Firstly I'm extracting some URLs from one page, and with these extracted URLs I'm extracting detail pages. When the detail pages' extraction finishes, I want to get the results. But how can I be sure that the extraction is completed? Is there any API endpoint for checking the status of the extraction?
I found "GET /store/connector/{id}" endpoint from legacy. But when I try this, I got 404. You can take a look at the screenshot.
Another question is, I want to schedule my extractor twice a day. Is this possible?
Thanks
Associated with each Extractor are Crawl Runs. A crawl run represents the running of an extractor with a specific configuration (training, list of URLs, etc). The state of a crawl run can have one of the following values:
STARTED => Currently running
CANCELLED => Started but cancelled by the user
FINISHED => Run was complete
Additional metadata that is included is as follows:
Started At - When the run started
Stopped At - When the run finished
Total URL Count - Total number of URLs in the run
Success URL Count - # of successful URLs queried
Failed URL Count - # of failed URLs queried
Row Count - Total number of rows returned in the run
The REST API to get the list of crawl runs associated with an extractor is as follows:
curl -s -X GET "https://store.import.io/store/crawlrun/_search?_sort=_meta.creationTimestamp&_page=1&_perPage=30&extractorId=$EXTRACTOR_ID&_apikey=$IMPORT_IO_API_KEY"
where
$EXTRACTOR_ID - Extractor to list crawl runs
$IMPORT_IO_API_KEY - Import.io API from your account

SoapUI dataSource illegal character in authority

I am trying to use an external dataSource in SoapUI to send some basic GET http requests to a number of nodes, and I get "Illegal character in authority at index 7".
What I have set up:
1x dataSource (external file > excel):
The nodes setup appears to be correct (it's called "nodes") > column required is called "node".
Getting the rows from the datafile from the dataSource options appear to be working correctly.
1x HTTP request
GET request, URL is: http://${nodes#node}:2040/api/doSometimes
I know I need to add the loop at the end, however the HTTP request isn't working with the first node yet, so I'll do the loop once the request works.
The error I get when trying to run the HTTP request:
Sun Aug 10 11:20:18 IDT 2014:ERROR:An error occurred [Illegal character in authority at index 7: http://XXX.XXX.XXX.XXX /api/doSomething], see error log for details (where XXX.XXX.XXX.XXX is the first ADDRESS from the nodes#node file). -- Also notice it's missing the port.
The error log says: Sun Aug 10 11:29:25 IDT 2014:ERROR:java.lang.NullPointerException
Clarification: we do not have a WSDL available, however the service does reply to different queries. /api/sendID WILL return the ID. I want to get all IDS from all NODES in the file.
Any ideas what I can do to mend this?
Used a preset REST request which included the required parameters. Used standard testsuite > added the request port directly in the datasource #node which appeared to be causing the issue.

jmeter help - test around polling /w meta refresh

I am new to jmeter and am working on putting together a test plan. The hurdle I've encountered is as follows:
First, a POST is made to processForm.aspx
Then, the user is redirected to pleaseWait.aspx
This page either redirects immediately to results.aspx OR loads, with a META REFRESH tag set to refresh in 5 seconds (and this step is repeated).
Now -- I can get this to execute by doing the following:
HTTP Sampler POST to processForm.aspx
Assert Response contains "<something on pleaseWait.aspx>"
While LAST
HTTP Sampler GET to pleaseWait.aspx
Assert Response contains "<something on results.aspx>"
However -- I don't care for this method, because it results in failed assertions (even though things are working as expected). I am sure there must be some other way to do this? Anyone more familiar with JMeter than I?
UPDATE:
Got it going by using Regular Expression Extractor instead of Assertions.
1) Add a User Defined Variables section at Test Plan Root
2) Add a variable to it "LoginWait" and "false"
HTTP Sampler POST to processForm.aspx
RegEx Extract Response Body contains "<something on pleaseWait.aspx>" into LoginWait
While ${LoginWait}
HTTP Sampler GET to pleaseWait.aspx
RegEx Extract Response Body contains "<something on pleaseWait.aspx>" into LoginWait
...
You could try using "follow redirects" on your HTTP Request. It would eliminate the logic you need, and still get you to the page you're going.