
I’m very new to ZAP so I’m sure there are obvious things I’m not understanding here.

I have a React app that I’m trying to scan in my corporate environment.

When I use the quick start and point at my site I get the error message:
Failed to attack the URL: received a 404 response code, expected 2xx

If I use the manual scan option I can see the site, I also get the HUD and can (to my knowledge) perform any of the tasks.

I have checked the ZAP.log file and can’t see any issues.
I am running:

  • Linux Ubuntu 22.04.3 box
  • Java 21.0.2
  • ZAP 2.14.0
  • There is no proxy on my network
  • There is a self-signed certificate for the site I’m testing
  • I can SSLPoke the site with no issues
  • There is only one Java version installed
  • Site is considered secure by Firefox
  • I have installed a version of Firefox outside of the snap install
  • I have set Selenium options to point to this version of Firefox
  • I have set the proxy of this browser to localhost:8080 including SSL sites
  • In Tools->Options->Network->Connection I have tried enabling unsafe SSL/TLS negotiation
  • The site being tested is running in a k8s cluster, the site can be viewed from Firefox with no issue
  • I’ve read the docs on connecting in corporate environments and FAQ on working with self-signed certificates to no avail.

Can anyone point me in the right direction?

2 Answers


  1. Chosen as BEST ANSWER

    I believe I have found the culprit. No idea why (yet) but the Vite React site returns a 404 before actually loading the site. ZAP hits the 404 first and then doesn't continue on. I'm tipping that if the first response wasn't a 404 then the scan would have been fine.


  2. A 404 response means the page is not found: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/404
    The ZAP Quick Start scan will not run if the URL you specify is a 404, as it's usually not that useful.
    Try opening the URL in a browser – what does it show you?
    You can still run the ZAP spiders against a URL that returns a 404 and then run the active scanner…
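Both answers come down to one preflight rule: Quick Start refuses any entry URL that does not answer 2xx. The added script below (example code, not part of the thread or of ZAP) reproduces that check with the standard library and runs it against a constructed local server that, like the dev server in the first answer, returns 404 on "/" while the real page lives elsewhere. The optional `cafile` argument is an assumption for sites with a self-signed certificate: pass the site's PEM instead of turning verification off.

```python
"""Preflight check mirroring ZAP Quick Start's 'expected 2xx' rule."""
import http.server
import ssl
import threading
import urllib.error
import urllib.request
from typing import Optional, Tuple


def check_entry_url(url: str, cafile: Optional[str] = None,
                    timeout: float = 5.0) -> Tuple[int, bool]:
    """Return (status_code, quick_start_ok).

    quick_start_ok is True only for a 2xx response, matching the
    'received a 404 response code, expected 2xx' error in the question.
    cafile: PEM of a self-signed site's certificate (assumed parameter).
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verification stays on
    req = urllib.request.Request(url, headers={"User-Agent": "zap-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code  # urllib raises on 4xx/5xx; keep the real code
    return status, 200 <= status < 300


class _DevServerLikeHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in: '/' answers 404, '/index.html' answers 200."""

    def do_GET(self):
        ok = self.path == "/index.html"
        body = b"ok" if ok else b"not found"
        self.send_response(200 if ok else 404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_local_server() -> Tuple[http.server.HTTPServer, str]:
    """Start the constructed server on a free loopback port; return (server, base URL)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _DevServerLikeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    srv, base = start_local_server()
    for path in ("/", "/index.html"):
        code, ok = check_entry_url(base + path)
        hint = "Quick Start will run" if ok else "Quick Start refuses; spider then active scan instead"
        print(f"{base + path}: HTTP {code} -> {hint}")
    srv.shutdown()
```

Run it against your real entry URL instead of the local server to see which first response ZAP gets; a 404 there means use the spider and active scanner directly, as the second answer suggests.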
