Context Alert Rules


psiinon

Aug 25, 2015, 8:47:53 AM
to OWASP ZAP Developer Group
This relates to Issue #1843 : Allow users to specify a list of alerts to ignore

My proposal is to introduce "Context Alert Rules" which will allow the user to override the risk level of any alerts raised within a specified context.
There will be a new Context page ("Alert rules"?) which will show a table of all of the alert rules, with the usual Add, Modify and Delete buttons.
Add and Modify will show an Alert Rule dialog, something like:
    +-------------------------------------------------------+
    |                       Add Alert Rule                  |
    +-------------------------------------------------------+
    | Alert:        [ Cross Site Scripting (Reflected)   v] |
    | URL Regex:    [ http://www.example.com/xssfp        ] |
    | Parameter:    [ abc                                 ] |
    | New Risk:     [ False Positive                     v] |
    +-------------------------------------------------------+
    |                                    [ Cancel ] [ Add ] |
    +-------------------------------------------------------+

Where the Alert is a pull down of all of the valid alerts, and New Risk one of: High, Medium, Low, Info, False Positive.
Parameter will be optional, but if supplied must match exactly.

If an alert is raised during active/passive scanning for a URL in a Context and matches one of those rules then the Risk will be changed accordingly.
There will also be a right click option in the Alerts tab if the URL is in a Context, eg "Create Alert Rule for Context: aaa".

The idea is that this allows you to automatically flag false positives.
It will also allow you to 'ignore' known problems by setting the Risk to Info.
As a side effect it will also allow you to raise or lower the risk level if you want.

The data will be saved in the Context file, and loaded when that context is loaded.
There will also be full control of all aspects of this via the API.
The plan is for this to be a new add-on, and hopefully it can work with 2.4.1.

I'd also like to introduce the concept of 'expected alerts', which could be based on this functionality. These would be very useful for testing ZAP against 'benchmark' apps.
But that's a future phase ;)

Feedback appreciated :)

Simon
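The matching semantics described in the proposal (alert type from the pull-down, a URL regex, an optional parameter that must match exactly, and a replacement risk applied only to alerts raised inside a context) can be modelled in a few lines. The following is an added illustration written for this thread, not code from ZAP or the alertFilters add-on; the class names, the first-matching-rule-wins behaviour and the choice to full-match the URL regex (as context include regexes do) are assumptions, and the context and alerts are constructed sample data:

```python
import re
from dataclasses import dataclass, replace
from typing import List, Optional

# Risk values the proposal lists for "New Risk" in the Add Alert Rule dialog.
RISK_LEVELS = ("High", "Medium", "Low", "Info", "False Positive")


@dataclass(frozen=True)
class AlertRule:
    """One row of the proposed 'Alert rules' context table (hypothetical model)."""
    alert_name: str                  # entry chosen from the Alert pull-down
    url_regex: str                   # regex matched against the alert's URL
    new_risk: str                    # one of RISK_LEVELS
    parameter: Optional[str] = None  # optional; when given it must match exactly

    def __post_init__(self) -> None:
        if self.new_risk not in RISK_LEVELS:
            raise ValueError(f"unknown risk level: {self.new_risk!r}")
        re.compile(self.url_regex)   # reject a malformed regex when the rule is added

    def matches(self, alert: "Alert") -> bool:
        if alert.name != self.alert_name:
            return False
        # Assumption: the regex must match the whole URL, as context include
        # regexes do, so a rule written for /xssfp cannot also silence /xssfp2.
        if re.fullmatch(self.url_regex, alert.url) is None:
            return False
        # Parameter is optional; if supplied it must match exactly (no regex).
        return self.parameter is None or self.parameter == alert.parameter


@dataclass(frozen=True)
class Alert:
    name: str
    url: str
    parameter: str
    risk: str


@dataclass
class Context:
    name: str
    include_regexes: List[str]       # URLs in scope for this context
    rules: List[AlertRule]

    def contains(self, url: str) -> bool:
        return any(re.fullmatch(p, url) for p in self.include_regexes)


def apply_alert_rules(alert: Alert, contexts: List[Context]) -> Alert:
    """Return the alert with its risk overridden by the first matching rule of a
    context whose scope contains the alert's URL; otherwise return it unchanged."""
    for ctx in contexts:
        if not ctx.contains(alert.url):
            continue
        for rule in ctx.rules:
            if rule.matches(alert):
                return replace(alert, risk=rule.new_risk)
    return alert


# Constructed sample context and alerts (not real scan output).
EXAMPLE_CONTEXT = Context(
    name="aaa",
    include_regexes=[r"http://www\.example\.com/.*"],
    rules=[
        # Known false positive, but only for parameter 'abc' on this exact page.
        AlertRule("Cross Site Scripting (Reflected)",
                  r"http://www\.example\.com/xssfp", "False Positive", parameter="abc"),
        # Known, accepted problem anywhere under /legacy/: downgrade to Info.
        AlertRule("X-Frame-Options Header Not Set",
                  r"http://www\.example\.com/legacy/.*", "Info"),
    ],
)

SAMPLE_ALERTS = [
    Alert("Cross Site Scripting (Reflected)", "http://www.example.com/xssfp", "abc", "High"),
    Alert("Cross Site Scripting (Reflected)", "http://www.example.com/xssfp", "xyz", "High"),
    Alert("Cross Site Scripting (Reflected)", "http://www.example.com/xssfp2", "abc", "High"),
    Alert("X-Frame-Options Header Not Set", "http://www.example.com/legacy/home", "", "Medium"),
    Alert("X-Frame-Options Header Not Set", "http://other.example.org/", "", "Medium"),
]


def filtered_risks(alerts=SAMPLE_ALERTS, contexts=(EXAMPLE_CONTEXT,)) -> List[str]:
    """Risk of each sample alert after the context rules have been applied."""
    return [apply_alert_rules(a, list(contexts)).risk for a in alerts]


if __name__ == "__main__":
    for a, r in zip(SAMPLE_ALERTS, filtered_risks()):
        print(f"{a.name:36} {a.url:38} param={a.parameter!r:6} {a.risk} -> {r}")
```

Only the first XSS alert is downgraded to False Positive: the second has a different parameter, the third hits a different URL, and the last alert lies outside the context entirely so no rule is consulted. Requiring a full URL match and an exact parameter match is what keeps a rule from silencing more than the one finding it was written for.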

Dave Hunt

Aug 25, 2015, 9:43:06 AM
to OWASP ZAP Developer Group
This sounds fine to me. I'd be interested to understand how we'd install and configure this addon. In my scenario I'm downloading ZAP as a custom tool in Jenkins and using the ZAProxy plugin to configure and start the proxy.

psiinon

Aug 25, 2015, 9:46:55 AM
to OWASP ZAP Developer Group
Yes, it would be really useful to be able to do things like download ZAP add-ons and other such configs via the ZAProxy Jenkins plugin.
Need to look into that :/

psiinon

Sep 4, 2015, 12:17:35 PM
to OWASP ZAP Developer Group
I've just committed the first cut of the code here: https://github.com/zaproxy/zap-extensions/tree/alpha/src/org/zaproxy/zap/extension/alertFilters
We're also in the middle of releasing 2.4.2, so I probably _won't_ release the 'alertFilters' add-on until 2.4.2 is released, which will hopefully be early next week.
But if you fancy building it from the source code please give it a spin :)

Cheers,

Simon
