setScannerAlertThreshold method does not work correctly


Oleksii Stashenko

May 29, 2020, 8:06:03 AM5/29/20
to OWASP ZAP User Group
Hi guys. I have an issue with the setScannerAlertThreshold method.
I use the owasp/zap2docker-weekly docker image.
I got the following alerts in my report:
Low(Medium) - Cookie Without Secure Flag
and
Informational(Low) - Timestamp Disclosure - Unix

I tried setScannerAlertThreshold("10011", LOW) (even with HIGH thresholds) and this alert was not removed from my report.
Regarding "Timestamp Disclosure - Unix", it disappears in only one case, when I set the threshold to HIGH: setScannerAlertThreshold("10096", HIGH)
A threshold of OFF works for both of them, btw.
Please advise.


Simon Bennetts

May 29, 2020, 8:32:13 AM5/29/20
to OWASP ZAP User Group
I think there's a misunderstanding here.
The passive scan threshold controls how ZAP is likely to report potential vulnerabilities:
  • If you select Off then the scanner won't run.
  • If you select Low then more potential issues will be raised which may increase the number of false positives.
  • If you select High then fewer potential issues will be raised which may mean that some real issues are missed (false negatives).
Selecting a Low threshold does _not_ mean that alerts raised at the low level will be hidden. How it impacts the findings is rule specific and should be detailed in the relevant help entry, e.g. see Charset Mismatch for an example of how the threshold can affect that rule.

In the case of cookies without the secure flag, this is almost certainly an accurate finding, but that does not mean that it's necessarily a vulnerability for your application.
In this specific case you can use Rule Configurations: https://www.zaproxy.org/docs/desktop/ui/dialogs/options/ruleconfig
If you add your cookie name to the rules.cookie.ignorelist key then this issue should no longer be reported.

Cheers,

Simon
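The distinction Simon draws is easy to lose in a CI pipeline: the threshold tunes how eagerly a rule fires (false positives versus false negatives), while the Low/Medium/High shown in the report is the alert's risk. If the goal is a report without Low or Informational findings, the place to do that is the report itself, after the scan. The following script is an added example written for this thread, not part of ZAP or of any post above. It assumes the shape of ZAP's traditional JSON report (a `site` array whose entries carry an `alerts` array with `pluginid`, `riskcode` and `confidence` fields); the sample report embedded in it is constructed, with plugin ids 10011 and 10096 taken from the thread and the remaining values made up.

```python
"""Filter a ZAP JSON report by alert risk (severity), independently of the
passive-scan threshold.

Threshold controls how eagerly a rule raises alerts (false positives vs
false negatives); it does not hide alerts by their risk level.  To drop
Low or Informational alerts from a report, filter the report itself.
"""
import json

# Risk codes as used in ZAP's "riskcode" field (0..3); the report's
# "riskdesc" text reads "Risk (Confidence)", e.g. "Low (Medium)".
RISK_LEVELS = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample modelled on the shape of ZAP's traditional JSON report.
# Plugin ids 10011 and 10096 are the ones discussed in the thread; the host,
# the third alert and all other values are made up for this example.
SAMPLE_REPORT = json.dumps({
    "@version": "EXAMPLE",
    "site": [{
        "@name": "https://app.example.test",
        "alerts": [
            {"pluginid": "10011", "alert": "Cookie Without Secure Flag",
             "riskcode": "1", "confidence": "2", "riskdesc": "Low (Medium)",
             "instances": [{"uri": "https://app.example.test/login",
                            "method": "GET", "param": "session"}]},
            {"pluginid": "10096", "alert": "Timestamp Disclosure - Unix",
             "riskcode": "0", "confidence": "1", "riskdesc": "Informational (Low)",
             "instances": [{"uri": "https://app.example.test/",
                            "method": "GET", "evidence": "1590739563"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "riskdesc": "Medium (High)",
             "instances": [{"uri": "https://app.example.test/",
                            "method": "GET"},
                           {"uri": "https://app.example.test/login",
                            "method": "GET"}]},
        ],
    }],
})


def load_alerts(report_json):
    """Flatten every site's alerts into one list with numeric risk/confidence."""
    alerts = []
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            alerts.append({
                "site": site.get("@name", ""),
                "pluginid": alert["pluginid"],
                "alert": alert["alert"],
                "risk": int(alert["riskcode"]),
                "confidence": int(alert["confidence"]),
                "instances": len(alert.get("instances", [])),
            })
    return alerts


def filter_by_risk(alerts, minimum="Medium"):
    """Keep alerts whose risk is at or above `minimum`.

    This is the severity filter the original poster was actually after; the
    scanner threshold cannot provide it because it does not act on risk.
    """
    floor = RISK_LEVELS[minimum]
    return [a for a in alerts if a["risk"] >= floor]


def suppress_plugins(alerts, accepted_ids):
    """Drop alerts for rules that have been triaged and accepted for this app
    (the report-side counterpart of a rule configuration such as
    rules.cookie.ignorelist, which stops the rule firing in the first place)."""
    return [a for a in alerts if a["pluginid"] not in accepted_ids]


def summarize(alerts):
    """Count alerts per risk level, highest risk first."""
    names = {code: name for name, code in RISK_LEVELS.items()}
    counts = {}
    for a in alerts:
        counts[names[a["risk"]]] = counts.get(names[a["risk"]], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -RISK_LEVELS[kv[0]]))


if __name__ == "__main__":
    all_alerts = load_alerts(SAMPLE_REPORT)
    print("all alerts:", summarize(all_alerts))
    print("Medium and above:", summarize(filter_by_risk(all_alerts, "Medium")))
    kept = suppress_plugins(filter_by_risk(all_alerts, "Low"), {"10011"})
    for a in kept:
        print(f'{a["pluginid"]} {a["alert"]} risk={a["risk"]} '
              f'confidence={a["confidence"]} instances={a["instances"]}')
```

Run it against a real report with `zap-baseline.py -J report.json` or the API's JSON report endpoint, replacing `SAMPLE_REPORT` with the file contents. Filtering by risk happens after the scan, so it never changes what the rules detect; the threshold, by contrast, changes detection and should be set per rule according to how many false positives you are prepared to triage.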

Oleksii Stashenko

May 29, 2020, 9:48:00 AM5/29/20
to OWASP ZAP User Group
As I understood it, if the threshold is Low, then Low, Medium and High issues can be reported. If Medium, then only Medium and High. If High, then High only.
But I don't understand why, if I set a Medium threshold for the Informational(Low) "Timestamp Disclosure - Unix" issue, it is reported, but if I set a HIGH threshold for it, the issue is not reported.

kingthorin+owaspzap

May 29, 2020, 10:21:50 AM5/29/20
to OWASP ZAP User Group

> As I understood it, if the threshold is Low, then Low, Medium and High issues can be reported. If Medium, then only Medium and High. If High, then High only.

No, threshold does not impact the severity of results.

Threshold indicates your tolerance (or lack thereof) for potential False Positive/False Negative alerts.
