False Positive for Repeated Scanning


Lia

Oct 22, 2024, 5:16:44 AM
to ZAP User Group
Hi there!

I want to implement the below flow for ZAP scan via ZAP Desktop GUI:

a) Perform a ZAP scan on website
b) Perform code fixes based on generated report
c) Mark alert as false positive (if any)
d) Repeat above steps with the same session file which I have marked the false positive

For the above flow, I'm wondering if it is correct for me to keep reusing the same session file for each scan after performing code fixes, as I have marked the false positives in that specific session file?

I went through this link but am unsure if this is the correct way.

Thank you

Lia

Oct 23, 2024, 11:12:39 PM
to ZAP User Group
Hi guys, 

Wondering if you can advise on this please?

Thank you.

Simon Bennetts

Oct 24, 2024, 12:12:07 PM
to ZAP User Group
Hi Lia,

Pro tip - I answer messages to the User Group based on the oldest message I see that has not been replied to.
By asking for updates you're actually delaying me from getting your messages :)
If no one has replied for over a week then yes, it is worth asking for an update in case it's slipped through the net.

I would advise against using the same session file - it will just keep growing and will take longer and longer to load (we have an open issue about that ;).

To be honest I'm a bit confused by what you have said.
If you have applied code fixes then that implies they were True Positives, not False ones?
If they are True Positives then you should not mark them as False Positives.
If you have fixed them properly then ZAP should not raise new alerts when you test the fixed code.

For real False Positives, as per the FAQ - let us know the details and we can hopefully fix them :)
If not then you can just configure Alert Filters to automatically change them to false positives.
In the desktop just right click on the alert and "Create Alert Filter...".
You can create global ones to apply to everything, or context ones and then save the context. You can then load the context when you restart ZAP.

Cheers,

Simon

Lia

Oct 25, 2024, 6:55:01 AM
to ZAP User Group
Hi Simon!

Thanks for the tip haha. I'll keep that in mind :')

From what I understand from my senior colleagues, if the same alert details keep appearing for the same files, and fixes have definitely been applied in that file for that specific alert, then after discussion with the other engineers they would want to mark it as a False Positive. This is so that the generated report will have fewer items and it is easier for us to focus on each category.


Noted that you advise against reusing the same session files.
Hence can I ask for your advice if I were to do the scanning with the flow below?

1. Create session and context
2. Configure alert filter
3. Do backup (clean session file)
4. Perform active scan
5. Reuse the backup session file for the second active scan after code fixes.

Thank you!

Simon Bennetts

Oct 25, 2024, 8:59:02 AM
to ZAP User Group
That's your choice, but I'd definitely recommend double checking that they are not True Positives :D

Re your proposed workflow - I would use the Automation Framework (AF), even if you want to run it in the ZAP desktop.
You can configure the context and alert filters in an AF plan, and then you don't need to mess around with backing up and restoring sessions.
You can even configure the AF to automatically load the last plan when you restart ZAP.

Cheers,

Simon

Lia

Oct 28, 2024, 6:09:46 AM
to ZAP User Group
Noted, and thanks for the advice!

Regarding the automation framework, do I understand it correctly:
Basically, after creating a session file and configuring the context, alert filter etc., we then just keep running the same session file via the AF plan?
But after performing the active scan, the file size of the session file would be different compared to the file before the scan, right?

Hence don't we still need to manually replace the session file in the path we specified in the AF with a "clean" session file?

Do correct me if I'm wrong though, thanks Simon.

psiinon

Oct 29, 2024, 5:42:07 AM
to zaprox...@googlegroups.com
No, you do not keep using the same session file.
The AF plan defines everything ZAP will need to scan the target.
By default ZAP will always create a new session file, so just don't specify an old one.

Cheers,

Simon

--
ZAP by Checkmarx: https://www.zaproxy.org/
---


--
ZAP Project leader
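To illustrate the approach Simon recommends in the two replies above (context and alert filters carried in the AF plan, with ZAP creating a fresh session on every run), here is an added example plan that is not from this thread or the ZAP project; the target URL, paths and the chosen rule ID are placeholders:

```yaml
# Added example (not from the thread): a minimal ZAP Automation Framework plan
# that carries the context and the alert filters, so nothing needs to be
# backed up and restored between scans. Target URL, report path and rule ID
# are placeholders; adjust them for your own scan.
env:
  contexts:
    - name: "DAST Test Context"
      urls:
        - "https://app.example.test"        # placeholder target
      includePaths:
        - "https://app.example.test.*"
  parameters:
    failOnError: true
    progressToStdout: true

jobs:
  # Alert filters live in the plan, so the agreed "false positive" decisions
  # survive every fresh session. Keep the match as narrow as possible (rule +
  # context + URL) so the same rule firing elsewhere is still reported.
  - type: alertFilter
    alertFilters:
      - ruleId: 10021                     # example rule: X-Content-Type-Options Header Missing
        context: "DAST Test Context"
        newRisk: "False Positive"
        url: "https://app.example.test/static/.*"   # only where engineers confirmed the fix
        urlRegex: true

  - type: spider
    parameters:
      context: "DAST Test Context"

  - type: activeScan
    parameters:
      context: "DAST Test Context"

  # Alerts downgraded to False Positive by the filter above are left out of
  # the report, which is the "smaller report" effect Lia is after.
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "C:\\zap-reports"        # placeholder
      reportFile: "ZAP-Report"
```

Run it with the -autorun option already shown in the thread and no session option, so ZAP creates a new session each time and the plan alone carries the context and filters.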

Lia

Nov 25, 2024, 4:05:15 AM
to ZAP User Group
Hi Simon,

Another question: if I use the AF plan and use the command line to create a new session and run the scan, is there a way to specify the database cache size?

Previously, when I first started using ZAP to run the scan via the GUI, I always received an error message saying something along the lines of "Have reached the limit of database file cache size: 32000".

Hence when I run the scan via the GUI, I always manually amend the original value from 32000 to 80000 in the "session.script" file, and the error message no longer shows in the zap.log file.

[attached: Screenshot.png]

Thank you!

Simon Bennetts

Nov 28, 2024, 6:21:06 AM
to ZAP User Group
Hiya,

No, the AF cannot change the database parameters. You will need to do that before invoking the AF plan.

Cheers,

Simon

Lia

Nov 29, 2024, 4:37:00 AM
to ZAP User Group
Hi Simon,

Sorry if I'm missing something, but I don't see anywhere to change it under the Option > Database menu.
The command I use to run the AF plan is:

.\zap.bat -cmd -addonupdate -autorun "C:\\Documents\DAST Scan Test Scan11\DAST_Test_Scan11.yaml" -newsession "C:\Documents\DAST Scan Test Scan11\DAST_Test_Scan11.session" -config network.connection.timeoutInSecs=120 -config network.connection.useGlobalHttpState=true -config rules.domxss.browserid=chrome-headless

Thanks!

Simon Bennetts

Nov 29, 2024, 12:28:35 PM
to ZAP User Group
Correct - it is not possible to change it via the ZAP options.
You will need to change the session.script file before starting ZAP.

Cheers,

Simon

Lia

Dec 2, 2024, 3:49:48 AM
to ZAP User Group
Hi Simon,

I see, thanks for the confirmation.
Looks like there is no way for me to change it beforehand then, as my command line is creating a new session.

Thanks again!
