
Feature: specify minimum severity #9

Open
hazcod opened this issue Aug 15, 2020 · 6 comments
Labels: enhancement (New feature or request)

Comments

hazcod commented Aug 15, 2020

Since ZAP vulnerability scans can generate a lot of issues, it might be nice to be able to, e.g., ignore any LOW or INFO vulnerabilities (so that issues are not created).

e.g.

```yaml
jobs:
  zap_scan_public:
    runs-on: ubuntu-latest
    name: Scan public website
    steps:
      - name: ZAP Scan
        uses: zaproxy/[email protected]
        with:
          issue_title: Vulnerability Scan Results
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: owasp/zap2docker-weekly
          target: https://ironpeak.be/
          rules_file_name: .github/zap.ignore
          cmd_options: '-a -s MEDIUM'
```
kingthorin added the enhancement label Aug 15, 2020

psiinon (Member) commented Aug 17, 2020

You can effectively already do this by setting any rules you are not interested in to IGNORE in your rules file. This is a finer-grained control, but will have the same effect. I worry that creating too many options will make the action harder to understand and therefore less useful.

fguisso commented Mar 12, 2021

Can you create an info page here or in the ZAP docs with all the rules? I found that, but I need to run the scan on my local machine and get the `gen.conf`. Maybe with it in the docs we can help more people who don't know ZAP in depth.

I don't know if the rules are updated weekly; in that case, we need some action to update the docs every time a rule is added.

My gen.conf generated today:

# zap-full-scan rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
# Active scan rules set to IGNORE will not be run which will speed up the scan
# Only the rule identifiers are used - the names are just for info
# You can add your own messages to each rule by appending them after a tab on each line.
0	WARN	(Directory Browsing - Active/release)
10003	WARN	(Vulnerable JS Library - Passive/release)
10010	WARN	(Cookie No HttpOnly Flag - Passive/release)
10011	WARN	(Cookie Without Secure Flag - Passive/release)
10015	WARN	(Incomplete or No Cache-control and Pragma HTTP Header Set - Passive/release)
10017	WARN	(Cross-Domain JavaScript Source File Inclusion - Passive/release)
10019	WARN	(Content-Type Header Missing - Passive/release)
10020	WARN	(X-Frame-Options Header - Passive/release)
10021	WARN	(X-Content-Type-Options Header Missing - Passive/release)
10023	WARN	(Information Disclosure - Debug Error Messages - Passive/release)
10024	WARN	(Information Disclosure - Sensitive Information in URL - Passive/release)
10025	WARN	(Information Disclosure - Sensitive Information in HTTP Referrer Header - Passive/release)
10026	WARN	(HTTP Parameter Override - Passive/beta)
10027	WARN	(Information Disclosure - Suspicious Comments - Passive/release)
10028	WARN	(Open Redirect - Passive/beta)
10029	WARN	(Cookie Poisoning - Passive/beta)
10030	WARN	(User Controllable Charset - Passive/beta)
10031	WARN	(User Controllable HTML Element Attribute (Potential XSS) - Passive/beta)
10032	WARN	(Viewstate - Passive/release)
10033	WARN	(Directory Browsing - Passive/beta)
10034	WARN	(Heartbleed OpenSSL Vulnerability (Indicative) - Passive/beta)
10035	WARN	(Strict-Transport-Security Header - Passive/beta)
10036	WARN	(HTTP Server Response Header - Passive/beta)
10037	WARN	(Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) - Passive/release)
10038	WARN	(Content Security Policy (CSP) Header Not Set - Passive/beta)
10039	WARN	(X-Backend-Server Header Information Leak - Passive/beta)
10040	WARN	(Secure Pages Include Mixed Content - Passive/release)
10041	WARN	(HTTP to HTTPS Insecure Transition in Form Post - Passive/beta)
10042	WARN	(HTTPS to HTTP Insecure Transition in Form Post - Passive/beta)
10043	WARN	(User Controllable JavaScript Event (XSS) - Passive/beta)
10044	WARN	(Big Redirect Detected (Potential Sensitive Information Leak) - Passive/beta)
10045	WARN	(Source Code Disclosure - /WEB-INF folder - Active/release)
10047	WARN	(HTTPS Content Available via HTTP - Active/beta)
10048	WARN	(Remote Code Execution - Shell Shock - Active/beta)
10050	WARN	(Retrieved from Cache - Passive/beta)
10051	WARN	(Relative Path Confusion - Active/beta)
10052	WARN	(X-ChromeLogger-Data (XCOLD) Header Information Leak - Passive/beta)
10053	WARN	(Apache Range Header DoS (CVE-2011-3192) - Active/beta)
10054	WARN	(Cookie Without SameSite Attribute - Passive/release)
10055	WARN	(CSP - Passive/release)
10056	WARN	(X-Debug-Token Information Leak - Passive/release)
10057	WARN	(Username Hash Found - Passive/release)
10058	WARN	(GET for POST - Active/beta)
10061	WARN	(X-AspNet-Version Response Header - Passive/release)
10062	WARN	(PII Disclosure - Passive/beta)
10095	WARN	(Backup File Disclosure - Active/beta)
10096	WARN	(Timestamp Disclosure - Passive/release)
10097	WARN	(Hash Disclosure - Passive/beta)
10098	WARN	(Cross-Domain Misconfiguration - Passive/release)
10104	WARN	(User Agent Fuzzer - Active/beta)
10105	WARN	(Weak Authentication Method - Passive/release)
10106	WARN	(HTTP Only Site - Active/beta)
10107	WARN	(Httpoxy - Proxy Header Misuse - Active/beta)
10108	WARN	(Reverse Tabnabbing - Passive/beta)
10109	WARN	(Modern Web Application - Passive/beta)
10202	WARN	(Absence of Anti-CSRF Tokens - Passive/release)
2	WARN	(Private IP Disclosure - Passive/release)
20012	WARN	(Anti-CSRF Tokens Check - Active/beta)
20014	WARN	(HTTP Parameter Pollution - Active/beta)
20015	WARN	(Heartbleed OpenSSL Vulnerability - Active/beta)
20016	WARN	(Cross-Domain Misconfiguration - Active/beta)
20017	WARN	(Source Code Disclosure - CVE-2012-1823 - Active/beta)
20018	WARN	(Remote Code Execution - CVE-2012-1823 - Active/beta)
20019	WARN	(External Redirect - Active/release)
3	WARN	(Session ID in URL Rewrite - Passive/release)
30001	WARN	(Buffer Overflow - Active/release)
30002	WARN	(Format String Error - Active/release)
30003	WARN	(Integer Overflow Error - Active/beta)
40003	WARN	(CRLF Injection - Active/release)
40008	WARN	(Parameter Tampering - Active/release)
40009	WARN	(Server Side Include - Active/release)
40012	WARN	(Cross Site Scripting (Reflected) - Active/release)
40013	WARN	(Session Fixation - Active/beta)
40014	WARN	(Cross Site Scripting (Persistent) - Active/release)
40016	WARN	(Cross Site Scripting (Persistent) - Prime - Active/release)
40017	WARN	(Cross Site Scripting (Persistent) - Spider - Active/release)
40018	WARN	(SQL Injection - Active/release)
40019	WARN	(SQL Injection - MySQL - Active/beta)
40020	WARN	(SQL Injection - Hypersonic SQL - Active/beta)
40021	WARN	(SQL Injection - Oracle - Active/beta)
40022	WARN	(SQL Injection - PostgreSQL - Active/beta)
40023	WARN	(Possible Username Enumeration - Active/beta)
40024	WARN	(SQL Injection - SQLite - Active/beta)
40025	WARN	(Proxy Disclosure - Active/beta)
40026	WARN	(Cross Site Scripting (DOM Based) - Active/beta)
40027	WARN	(SQL Injection - MsSQL - Active/beta)
40028	WARN	(ELMAH Information Leak - Active/release)
40029	WARN	(Trace.axd Information Leak - Active/beta)
40032	WARN	(.htaccess Information Leak - Active/release)
40034	WARN	(.env Information Leak - Active/beta)
40035	WARN	(Hidden File Finder - Active/beta)
41	WARN	(Source Code Disclosure - Git  - Active/beta)
42	WARN	(Source Code Disclosure - SVN - Active/beta)
43	WARN	(Source Code Disclosure - File Inclusion - Active/beta)
50000	WARN	(Script Active Scan Rules - Active/release)
50001	WARN	(Script Passive Scan Rules - Passive/release)
6	WARN	(Path Traversal - Active/release)
7	WARN	(Remote File Inclusion - Active/release)
90001	WARN	(Insecure JSF ViewState - Passive/release)
90011	WARN	(Charset Mismatch - Passive/release)
90017	WARN	(XSLT Injection - Active/beta)
90019	WARN	(Server Side Code Injection - Active/release)
90020	WARN	(Remote OS Command Injection - Active/release)
90021	WARN	(XPath Injection - Active/beta)
90022	WARN	(Application Error Disclosure - Passive/release)
90023	WARN	(XML External Entity Attack - Active/beta)
90024	WARN	(Generic Padding Oracle - Active/beta)
90025	WARN	(Expression Language Injection - Active/beta)
90026	WARN	(SOAP Action Spoofing - Active/alpha)
90027	WARN	(Cookie Slack Detector - Active/beta)
90028	WARN	(Insecure HTTP Method - Active/beta)
90029	WARN	(SOAP XML Injection - Active/alpha)
90030	WARN	(WSDL File Detection - Passive/alpha)
90033	WARN	(Loosely Scoped Cookie - Passive/release)
90034	WARN	(Cloud Metadata Potentially Exposed - Active/beta)
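As an added example (not code from this thread or from the zaproxy project): a script that implements psiinon's suggestion above for hazcod's use case, deriving the IGNORE entries from a previous scan's report instead of editing the rules file by hand. It assumes the tab-separated rules-file layout shown in the gen.conf above (id, action, name, and an optional user message after a further tab) and ZAP's traditional JSON report layout (a `site` list whose `alerts` carry `pluginid` and `riskcode`). The report excerpt and the rules file embedded in the script are constructed samples.

```python
"""Build a ZAP rules file that IGNOREs rules whose worst observed risk in a
previous scan report is below a chosen minimum.

Added example, not zaproxy project code. Assumes the rules-file layout shown
in this thread and ZAP's traditional JSON report layout (site[].alerts[]
with pluginid and riskcode). Sample data below is constructed.
"""
import json
from typing import Dict, List

# ZAP riskcode values as they appear in the JSON report.
RISK_LEVELS = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample report: a cut-down excerpt in ZAP's JSON report shape.
SAMPLE_REPORT = json.dumps({
    "@version": "D-2021-03-12",
    "site": [{
        "@name": "https://example.test",
        "alerts": [
            {"pluginid": "10038", "name": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "riskdesc": "Medium (High)"},
            {"pluginid": "10096", "name": "Timestamp Disclosure - Unix",
             "riskcode": "1", "riskdesc": "Low (Low)"},
            {"pluginid": "10109", "name": "Modern Web Application",
             "riskcode": "0", "riskdesc": "Informational (Medium)"},
            {"pluginid": "40012", "name": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "riskdesc": "High (Medium)"},
            # Same rule, two alerts at different risk: the worst one counts.
            {"pluginid": "90022", "name": "Application Error Disclosure",
             "riskcode": "1", "riskdesc": "Low (Medium)"},
            {"pluginid": "90022", "name": "Application Error Disclosure",
             "riskcode": "2", "riskdesc": "Medium (Medium)"},
        ],
    }],
})

# Constructed sample rules file in the gen.conf layout from this thread.
SAMPLE_RULES = (
    "# zap-full-scan rule configuration file\n"
    "# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches\n"
    "10020\tWARN\t(X-Frame-Options Header - Passive/release)\n"
    "10038\tWARN\t(Content Security Policy (CSP) Header Not Set - Passive/beta)\n"
    "10096\tWARN\t(Timestamp Disclosure - Passive/release)\n"
    "10109\tWARN\t(Modern Web Application - Passive/beta)\tkeep an eye on SPA routes\n"
    "40012\tFAIL\t(Cross Site Scripting (Reflected) - Active/release)\n"
    "90022\tWARN\t(Application Error Disclosure - Passive/release)\n"
)


def parse_rules(text: str) -> List[dict]:
    """Parse a rules file; comment and blank lines are kept verbatim so it round-trips."""
    entries = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            entries.append({"raw": raw})
            continue
        fields = raw.split("\t")
        if len(fields) < 2:
            raise ValueError(f"malformed rules line: {raw!r}")
        # fields[2:] holds the rule name and any user message, preserved as-is.
        entries.append({"id": fields[0], "action": fields[1].upper(), "rest": fields[2:]})
    return entries


def render_rules(entries: List[dict]) -> str:
    lines = [e["raw"] if "raw" in e else "\t".join([e["id"], e["action"], *e["rest"]])
             for e in entries]
    return "\n".join(lines) + "\n"


def max_risk_per_rule(report_json: str) -> Dict[str, int]:
    """Worst riskcode seen per plugin id across all sites in the report."""
    worst: Dict[str, int] = {}
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            pid = str(alert["pluginid"])
            worst[pid] = max(worst.get(pid, -1), int(alert["riskcode"]))
    return worst


def build_rules(rules_text: str, report_json: str, min_risk: str) -> str:
    """Return a rules file with low-risk WARN rules flipped to IGNORE.

    Only WARN rules actually observed below the threshold are changed: rules
    set to FAIL or IGNORE by hand, and rules never seen in the report, are
    left alone so a new finding at any level still surfaces.
    """
    threshold = RISK_LEVELS[min_risk.upper()]
    worst = max_risk_per_rule(report_json)
    out = []
    for e in parse_rules(rules_text):
        if "id" in e and e["action"] == "WARN":
            observed = worst.get(e["id"])
            if observed is not None and observed < threshold:
                e = dict(e, action="IGNORE")
        out.append(e)
    return render_rules(out)


def ignored_rule_ids(rules_text: str, report_json: str, min_risk: str) -> List[str]:
    """Ids that build_rules() would newly flip to IGNORE, for a dry-run review."""
    before = {e["id"]: e["action"] for e in parse_rules(rules_text) if "id" in e}
    after = {e["id"]: e["action"]
             for e in parse_rules(build_rules(rules_text, report_json, min_risk)) if "id" in e}
    return sorted(pid for pid, act in after.items()
                  if act == "IGNORE" and before.get(pid) != "IGNORE")


if __name__ == "__main__":
    print(build_rules(SAMPLE_RULES, SAMPLE_REPORT, "MEDIUM"))
```

Two caveats follow from how the rules file works. IGNORE is per rule, not per risk level: an ignored active rule is not run at all, and an ignored passive rule's future findings are suppressed whatever their risk, so review the dry-run list before committing the generated file. And the mapping is only as good as the report it was derived from: rules that produced nothing in that scan stay at WARN on purpose, so regenerate after the target or the ZAP rule set changes.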

thc202 (Member) commented Mar 12, 2021

You mean like this one https://www.zaproxy.org/docs/alerts/ ?

fguisso commented Mar 13, 2021

Exactly, thanks! Can you add this link in GH Actions please?

marvelredddy commented

How can I report after I get alerts? Actually, bug bounty platforms need impact with a PoC. How can I report? Any suggestions?

kingthorin (Member) commented Apr 22, 2024

In that case you're the "expert" not ZAP.

Also, the User Group is a much better place for discussion, not our issue tracker.
