How to disable scan policies


Albert

Feb 18, 2016, 7:24:35 AM2/18/16
to OWASP ZAP Developer Group
How can I disable scan policies/rules in the active/passive scanner? 

I basically want to fine tune the alerts and try to identify false positives, or maybe just scan on single specific domains (injection, XSS, etc.)


Albert

Feb 18, 2016, 7:39:13 AM2/18/16
to OWASP ZAP Developer Group
Hi,

I managed to do it with the Scan Policy dialog. And persist the changes.

Albert

Feb 18, 2016, 10:35:32 AM2/18/16
to OWASP ZAP Developer Group
Here comes a slightly different question:

How can I disable passive scanning rules when running ZAP in daemon mode? 

ryerson...@gmail.com

Feb 18, 2016, 1:41:02 PM2/18/16
to OWASP ZAP Developer Group
Posting multiple times, makes one think that someone is already helping you :)

I'm not sure about daemon mode but have you looked at the options menu? You can change the passive rules there, maybe that will help.

Albert

Feb 19, 2016, 3:44:03 AM2/19/16
to OWASP ZAP Developer Group
Yes, I have looked there. 

What happens is that I change them, disabling all passive rules (Tools > Options > Passive Scan Rules, set all to OFF) in the menu. They persist, so if I start ZAP again they are as I set them.

But when I run ZAP in daemon mode, in the report I get passive rule potential vulnerabilities, like HTTP headers etc.

It seems that to start daemon mode with your own configuration you need something else.

psiinon

Feb 19, 2016, 4:15:54 AM2/19/16
to OWASP ZAP Developer Group
ZAP always persists its configuration in a config.xml file, whether you use the UI or daemon modes.
This file is in the 'default' location (https://github.com/zaproxy/zaproxy/wiki/FAQconfig) unless you change that using the -dir command line option.

If you want to always start ZAP with all passive scan rules disabled then you can:
  • Start the ZAP UI specifying a new directory (eg "./zap.sh -dir nopscan" )
  • Turn off all of the passive scan rules via the options
  • Exit the UI
  • Copy the nopscan/config.xml file somewhere safe (eg save/config.xml )

Then to use that in daemon mode:

  • Create a new runtime directory each time (or empty an existing one) (mkdir daemon-dir )
  • Copy the saved config into it (cp save/config.xml daemon-dir )
  • Run ZAP specifying that directory ( ./zap.sh -dir daemon-dir -daemon )

You can set anything in the config.xml file via the -config command line option.

So if you want you can specify the directory (and therefore saved config.xml file) but also enable specific passive scan rules.

To work out what values to use see this FAQ: https://github.com/zaproxy/zaproxy/wiki/FAQconfigValues


Does that do what you want?


Cheers,


Simon

Albert

Feb 19, 2016, 7:45:21 AM2/19/16
to OWASP ZAP Developer Group
Hi Simon,

Yes, that gives me a close idea of what is going on. But I have an open question.
By default the directory used for ZAP is ~/.ZAP. If I look at the config.xml file there after I set all the passive scans to OFF, it looks like this:

<pscanrules>
  <ApplicationErrorScanner>
    <enabled>false</enabled>
    <level>OFF</level>
  </ApplicationErrorScanner>
  <CacheControlScanner>
    <enabled>false</enabled>
    <level>OFF</level>
  </CacheControlScanner>
  <ContentTypeMissingScanner>
    <enabled>false</enabled>
    <level>OFF</level>
  </ContentTypeMissingScanner>
  <CookieHttpOnlyScanner>
    <enabled>false</enabled>
    <level>OFF</level>
  </CookieHttpOnlyScanner>
  <CookieSecureFlagScanner>
    <enabled>false</enabled>
    <level>OFF</level>
  </CookieSecureFlagScanner>
  <CrossDomainScriptInclusionScanner>
    <enabled>false</enabled>
    <level>OFF</level>
  </CrossDomainScriptInclusionScanner>
  <HeaderXssProtectionScanner>
    <enabled>false</enabled>
    <level>OFF</level>
  </HeaderXssProtectionScanner>
  <MixedContentScanner>
    <enabled>false</enabled>
    <level>OFF</level>
  </MixedContentScanner>
  <PasswordAutocompleteScanner>
    <enabled>false</enabled>
    <level>OFF</level>
  </PasswordAutocompleteScanner>
  <TestInfoPrivateAddressDisclosure>
    <enabled>false</enabled>
    <level>OFF</level>
  </TestInfoPrivateAddressDisclosure>
  <TestInfoSessionIdURL>
    <enabled>false</enabled>
    <level>OFF</level>
  </TestInfoSessionIdURL>
  <XContentTypeOptionsScanner>
    <enabled>false</enabled>
    <level>OFF</level>
  </XContentTypeOptionsScanner>
  <XFrameOptionScanner>
    <enabled>false</enabled>
    <level>OFF</level>
  </XFrameOptionScanner>
</pscanrules>

Shouldn't the ZAP daemon by default use this config.xml file as well and then have the Pscans disabled?

Alternatively can I do -config org.zaproxy.extension.pscan.scanner.ScriptsPassiveScanner.enabled=false ?

psiinon

Feb 19, 2016, 8:31:48 AM2/19/16
to OWASP ZAP Developer Group


> Yes, that gives me a close idea of what is going on. But I have an open question.
> By default the directory used for ZAP is ~/.ZAP. If I look at the config.xml file there after I set all the passive scans to OFF, it looks like this:
>
> Shouldn't the ZAP daemon by default use this config.xml file as well and then have the Pscans disabled?

Yes, it should.
Is that not the case?

> Alternatively can I do -config org.zaproxy.extension.pscan.scanner.ScriptsPassiveScanner.enabled=false ?

The -config parameters only match the XML config values, as per https://github.com/zaproxy/zaproxy/wiki/FAQconfigValues
If ZAP doesn't set a value (as a result of an action in the UI or API) then it won't read that value.

Cheers,

Simon
 

Albert

Feb 19, 2016, 9:12:41 AM2/19/16
to OWASP ZAP Developer Group
Hi Simon,

My ZAP is launched with the following command from Jenkins:

/opt/ZAP_2.4.3/zap.sh -daemon -host localhost -port 8500 -config api.key=ZAPROXY-PLUGIN -config scanner.defaultPolicy=InjectionPolicy.policy

which means that it will use the default ~/.ZAP directory where the config.xml lives and has the pscans set OFF as I listed before.

I created a policy that only runs injection attacks as you can see in the launch command parameters.

However the final report contains pscan alerts such as:

X-Frame-Options Header Not Set
Application Error Disclosure
Web Browser XSS Protection Not Enabled
X-Content-Type-Options Header Missing
Password Autocomplete in browser
Private IP Disclosure

which I would expect not to be listed with the config.xml setup I listed. Am I right?

psiinon

Feb 19, 2016, 9:16:53 AM2/19/16
to OWASP ZAP Developer Group
That looks like a bug then :(
Can you raise an issue: https://github.com/zaproxy/zaproxy/issues/new

Cheers,

Simon