I’m very new to ZAP so I’m sure there are obvious things I’m not understanding here.
I have a React app that I’m trying to scan in my corporate environment.
When I use the quick start and point at my site I get the error message:
Failed to attack the URL: received a 404 response code, expected 2xx
If I use the manual scan option I can see the site; I also get the HUD and can (to my knowledge) perform any of the tasks.
I have checked the ZAP.log file and can’t see any issues.
I am running:
- Linux Ubuntu 22.04.3 box
- Java 21.0.2
- ZAP 2.14.0
- There is no proxy on my network
- There is a self-signed certificate for the site I’m testing
- I can SSLPoke the site with no issues
- There is only one Java version installed
- Site is considered secure by Firefox
- I have installed a version of Firefox outside of snap install
- I have set Selenium options to point to this version of Firefox
- I have set the proxy of this browser to localhost:8080 including SSL sites
- In Tools->Options->Network->Connection I have tried enabling unsafe SSL/TLS negotiation
- The site being tested is running in a k8s cluster, the site can be viewed from Firefox with no issue
- I’ve read the docs on connecting in corporate environments and FAQ on working with self-signed certificates to no avail.
Can anyone point me in the right direction?
2 Answers
I believe I have found the culprit. No idea why (yet) but the Vite React site returns a 404 before actually loading the site. ZAP hits the 404 first and then doesn't continue on. I'm tipping that if the first response wasn't a 404 then the scan would have been fine.
A 404 response means the page is not found: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/404
The ZAP Quick Start scan will not run if the URL you specify is a 404, as it's usually not that useful.
Try opening the URL in a browser – what does it show you?
You can still run the ZAP spiders against a URL that returns a 404 and then run the active scanner…
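A small script for the two points above (confirm that the root really answers 404, then use the spider-first-then-active-scan workaround through ZAP's JSON API). This is an added example, not code from the thread or from the ZAP project; it assumes ZAP listening on localhost:8080 as in the question, a placeholder API key and a placeholder target URL, and uses only ZAP's standard `/JSON/<component>/<action|view>/<name>/` endpoints.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

ZAP_BASE = "http://localhost:8080"     # ZAP address from the question (also its proxy port)
API_KEY = "CHANGE-ME"                  # placeholder: the API key shown in ZAP's options
TARGET = "https://example.internal/"   # placeholder: the React site whose root gives a 404

def root_status(url: str) -> int:
    """Return the HTTP status of a plain GET on the target root. The Quick Start
    refuses anything but 2xx here, which is how the 404 in the thread shows up.
    Uses the system CA store; a self-signed cert must be trusted there first."""
    try:
        with urllib.request.urlopen(url, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:   # urllib raises on 4xx/5xx; we want the code
        return err.code

def api_url(component: str, kind: str, name: str, **params: str) -> str:
    """Build a ZAP JSON API URL such as /JSON/spider/action/scan/?url=...&apikey=..."""
    query = urllib.parse.urlencode({**params, "apikey": API_KEY})
    return f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?{query}"

def call(component: str, kind: str, name: str, **params: str) -> dict:
    with urllib.request.urlopen(api_url(component, kind, name, **params), timeout=30) as resp:
        return json.loads(resp.read().decode())

def wait_for(component: str, scan_id: str, poll: float = 2.0) -> None:
    """Poll <component>/view/status/ until ZAP reports 100 for this scan id."""
    while int(call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll)

def spider_then_ascan(target: str) -> list:
    """The workaround from the last answer: the spider does not care that the root
    is a 404, so spider first, then active-scan what it found and return the alerts."""
    spider_id = call("spider", "action", "scan", url=target, recurse="true")["scan"]
    wait_for("spider", spider_id)
    ascan_id = call("ascan", "action", "scan", url=target, recurse="true")["scan"]
    wait_for("ascan", ascan_id)
    return call("core", "view", "alerts", baseurl=target, start="0", count="100")["alerts"]

if __name__ == "__main__":
    print("root status:", root_status(TARGET))   # 404 here reproduces the Quick Start failure
    for alert in spider_then_ascan(TARGET):
        print(alert["risk"], alert["alert"], alert["url"])
```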