Active and Passive rule configuration


psiinon

Jun 30, 2016, 4:37:56 AM
to OWASP ZAP Developer Group
I'm planning on adding the ability to configure active and passive scan rules.
A couple of examples where this could be useful:
  • For timing attacks all of the current rules that do this use a hardcoded delay of 5 seconds. For slow applications and networks this is often too short. Being able to set this to a user-defined value should significantly reduce false positives.
  • There are some cases where anti CSRF tokens on forms really aren't that useful, eg on search forms. Being able to flag specific forms as not requiring anti CSRF tokens would again reduce false positives.
Note that while false positives are annoying when manual testing, they can (and should) be manually checked and discarded.
However when performing automated testing they become much more of a problem.
I think we should be able to tune ZAP for specific applications and then be sure that it won't raise false positives without having to set blanket exclusions.

So, my plan to fix this is to support active and passive rule configs.
There are 3 places where we could add such configurations:
  • The main ZAP config file - this is global
  • The scan policies - these currently only apply to active scan rules
  • The contexts

The easiest option is adding them to the main config file - these can then be configured via a new options pane as well as being set via the command line.

I like the idea of adding them to scan policies and/or contexts, but these will require more work, and for contexts will require more processing to determine which contexts the URL being scanned is in.

I was therefore going to leave these for now - they could still be added in the future.


Any thoughts or feedback?

And any suggestions for other rules you would like to be able to configure?

I don't think that this is a good option for configuring reflected/persistent XSS or SQL injection attacks, as detecting whether these are successful is definitely non trivial.

However we could use it for configuring DOM XSS attacks as we can tokenize the actual attack (such as "alert(id)" or an API callback) and therefore know for certain if they are successful.


Cheers,


Simon

kingthorin+owaspzap

Jun 30, 2016, 5:30:45 AM
to OWASP ZAP Developer Group
I like this idea. I'll put some thought into other scanners that could be configured this way.

psiinon

Jul 25, 2016, 10:22:12 AM
to OWASP ZAP Developer Group
The latest weekly release now has support for scan rules.
To use them open the Options dialog and select "Rule Configuration".
There are currently 2 rules:
  • rules.common.sleep (default: 5): The length of time in seconds used for timing attacks.
  • rules.csrf.ignorelist (default: ""): A comma separated list of identifiers. Any FORMs with a name or ID that matches one of these identifiers will be ignored when scanning for missing anti CSRF tokens. Only use this feature to ignore FORMs that you know are safe, for example search forms.

These can also be set via the command line in the usual way (-config "rules.common.sleep=20") and via the API.

Please have a play with these and let me know if they work ok for you.

And also let me know of other things you would like to be able to configure in the active and passive rules.


Cheers,


Simon
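The two keys above, as an added example that is not part of the thread and not ZAP's own code: a small Python script that previews which FORMs in a page a `rules.csrf.ignorelist` value would skip (so you can sanity-check an ignore list before relying on it in an automated run) and builds the `-config` arguments described in the post. The matching rule (exact match on the form's name or id), the `TOKEN_NAMES` set, the helper names and the sample HTML are all assumptions made for this illustration; check the matching semantics against the ZAP version you run.

```python
"""Added example, not ZAP project code.

Preview which FORMs a rules.csrf.ignorelist value would exclude from the
"missing anti CSRF token" check, and build the -config command line options
from the post. Matching semantics and token names below are assumptions.
"""
from html.parser import HTMLParser

# Assumed subset of hidden-input names treated as anti CSRF tokens
# (compared case-insensitively). Not ZAP's actual list.
TOKEN_NAMES = {
    "anticsrf", "csrftoken", "__requestverificationtoken",
    "csrfmiddlewaretoken", "authenticity_token", "_csrf", "csrf_token",
}


def parse_ignore_list(value: str) -> set:
    """Split the comma separated option value, dropping blank entries."""
    return {item.strip() for item in value.split(",") if item.strip()}


class _FormCollector(HTMLParser):
    """Collect each FORM's identifier (name, else id) and whether it
    contains an input whose name looks like an anti CSRF token."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"ident": a.get("name") or a.get("id"),
                             "has_token": False}
        elif tag == "input" and self._current is not None:
            if (a.get("name") or "").lower() in TOKEN_NAMES:
                self._current["has_token"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def forms_missing_token(html: str, ignore_list: set) -> list:
    """Identifiers of forms that would still be flagged: no token present
    and not exactly matched by the ignore list. Forms with neither a name
    nor an id are reported positionally (form#N) and can never be ignored."""
    parser = _FormCollector()
    parser.feed(html)
    flagged = []
    for index, form in enumerate(parser.forms, 1):
        ident = form["ident"]
        if ident is not None and ident in ignore_list:
            continue  # whitelisted, e.g. a search form
        if not form["has_token"]:
            flagged.append(ident or f"form#{index}")
    return flagged


def zap_config_args(sleep_secs: int, ignore_list) -> list:
    """-config arguments in the form shown in the post; pass ignore_list as
    a list so the option value has a stable order."""
    return ["-config", f"rules.common.sleep={sleep_secs}",
            "-config", "rules.csrf.ignorelist=" + ",".join(ignore_list)]


# Constructed sample page: a search form, a login form with a token,
# a comment form without one, and an anonymous form.
SAMPLE_HTML = """
<form name="search" action="/search"><input name="q"></form>
<form id="login" action="/login" method="post">
  <input type="hidden" name="anticsrf" value="abc123">
  <input name="user"><input name="pass" type="password">
</form>
<form id="comment" action="/comment" method="post">
  <textarea name="body"></textarea>
</form>
<form action="/subscribe" method="post"><input name="email"></form>
"""

if __name__ == "__main__":
    ignore = parse_ignore_list("search, quick_search")
    print("still flagged:", forms_missing_token(SAMPLE_HTML, ignore))
    print("zap.sh -daemon", " ".join(zap_config_args(20, sorted(ignore))))
```

Running it shows that `search` drops out of the findings while `comment` and the anonymous fourth form stay flagged; the anonymous form is a useful reminder that the ignore list can only name forms that actually carry a name or id.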
