Disable a rule via yaml in automation framework


Kostas Georgiadis

Mar 29, 2022, 9:50:53 AM
to OWASP ZAP User Group
Hello,

I'm using the automation framework via the CLI and trying to disable the
DOM XSS scan, which takes a very long time.
In my `zap.yaml` file I have the following bit when configuring the active scan:

```
      rules:
      - id: 40026
        name: "Cross Site Scripting (DOM Based)"
        threshold: "Off"
        strength: "Low"
```
I have verified that this setting is getting properly passed to the
active scan settings, but it is ignored when the scan runs.
Maybe I'm missing something, but when setting the `threshold` to 'Off', shouldn't
this rule be skipped?

Thanks!

Simon Bennetts

Mar 29, 2022, 10:18:25 AM
to OWASP ZAP User Group
Hiya,

Have you defined a policy?
As per https://www.zaproxy.org/docs/desktop/addons/automation-framework/job-ascan/ the "policyDefinition" is only used if the 'policy' is not set.

Cheers,

Simon

Kostas Georgiadis

Mar 30, 2022, 10:10:51 AM
to OWASP ZAP User Group
Hello Simon,

No, policy is empty.

This is the active scan config part:

```
  - type: activeScan                   # The active scanner - this actively attacks the target so should only be used with permission
    parameters:
      context:                         # String: Name of the context to attack, default: first context
      policy:                          # String: Name of the scan policy to be used, default: Default Policy
      maxRuleDurationInMins: 5           # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
      maxScanDurationInMins: 0          # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
      addQueryParam:                   # Bool: If set will add an extra query parameter to requests that do not have one, default: false
      defaultPolicy:                   # String: The name of the default scan policy to use, default: Default Policy
      delayInMs:                       # Int: The delay in milliseconds between each request, use to reduce the strain on the target, default 0
      handleAntiCSRFTokens:            # Bool: If set then automatically handle anti CSRF tokens, default: false
      injectPluginIdInHeader:          # Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false
      scanHeadersAllRequests:          # Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false
      threadPerHost: 3                  # Int: The max number of threads per host, default: 2
    policyDefinition:                  # The policy definition - only used if the 'policy' is not set
      defaultStrength: Low             # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
      defaultThreshold: Medium         # String: The default Alert Threshold for all rules, one of Off, Low, Medium, High, default: Medium

      rules:
      - id: 40026
        name: "Cross Site Scripting (DOM Based)"
        threshold: "Off"
        strength: "Low"
```

Thanks!
Kostas
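
As an added example (not code from the thread or from the ZAP project), the following script resolves the threshold and strength the Automation Framework is documented to apply to each active scan rule from a job like the one quoted above: `policyDefinition` defaults plus per-rule overrides are used only when `policy` is unset, and a rule whose effective threshold is `Off` must not run. The input is a constructed Python dict, the parsed form of the `activeScan` job in this post; `effective_rule_settings`, `disabled_rules` and the placeholder rule id 12345 are assumptions of this example, not ZAP identifiers. It also checks for a YAML 1.1 pitfall: in parsers such as PyYAML an unquoted `Off` is read as the boolean `false`, which is why quoting `"Off"` as done in the config above matters.

```python
# Added example, not part of the thread or of ZAP itself. Resolves the
# effective per-rule settings of an Automation Framework activeScan job
# according to the documented precedence (policy > policyDefinition).

# Constructed input: the parsed form of the activeScan job quoted in the
# post (`policy:` left empty, rule 40026 overridden to threshold Off).
ACTIVE_SCAN_JOB = {
    "type": "activeScan",
    "parameters": {
        "context": None,
        "policy": None,
        "maxRuleDurationInMins": 5,
        "maxScanDurationInMins": 0,
        "threadPerHost": 3,
    },
    "policyDefinition": {
        "defaultStrength": "Low",
        "defaultThreshold": "Medium",
        "rules": [
            {"id": 40026, "name": "Cross Site Scripting (DOM Based)",
             "threshold": "Off", "strength": "Low"},
        ],
    },
}

# Allowed values as listed in the job's own comments.
VALID_THRESHOLDS = {"Off", "Low", "Medium", "High"}
VALID_STRENGTHS = {"Low", "Medium", "High", "Insane"}


def _check_value(rule_id, field, value, allowed):
    """Reject booleans (YAML 1.1 parsed an unquoted Off/On) and unknown values."""
    if isinstance(value, bool):
        raise ValueError(
            f"rule {rule_id}: {field} was parsed as boolean {value}; "
            "quote the value, e.g. threshold: \"Off\"")
    if value not in allowed:
        raise ValueError(f"rule {rule_id}: {field} {value!r} not in {sorted(allowed)}")
    return value


def effective_rule_settings(job, rule_ids):
    """Return {rule_id: (threshold, strength)} the AF should apply.

    Raises ValueError when the job names a `policy`, because then the whole
    policyDefinition block is ignored and the per-rule overrides in it
    would be silently dropped.
    """
    params = job.get("parameters") or {}
    if params.get("policy"):
        raise ValueError(
            f"policy {params['policy']!r} is set; policyDefinition is ignored")
    pdef = job.get("policyDefinition") or {}
    default_threshold = _check_value("*", "defaultThreshold",
                                     pdef.get("defaultThreshold", "Medium"),
                                     VALID_THRESHOLDS)
    default_strength = _check_value("*", "defaultStrength",
                                    pdef.get("defaultStrength", "Medium"),
                                    VALID_STRENGTHS)
    overrides = {}
    for rule in pdef.get("rules") or []:
        rid = int(rule["id"])
        threshold = _check_value(rid, "threshold",
                                 rule.get("threshold", default_threshold),
                                 VALID_THRESHOLDS)
        strength = _check_value(rid, "strength",
                                rule.get("strength", default_strength),
                                VALID_STRENGTHS)
        overrides[rid] = (threshold, strength)
    return {rid: overrides.get(rid, (default_threshold, default_strength))
            for rid in rule_ids}


def disabled_rules(job, rule_ids):
    """Rule ids whose effective threshold is Off, i.e. that must not run."""
    settings = effective_rule_settings(job, rule_ids)
    return sorted(rid for rid, (threshold, _) in settings.items()
                  if threshold == "Off")


if __name__ == "__main__":
    # 12345 is a placeholder id (not a real ZAP rule) that has no override,
    # so it should simply receive the policyDefinition defaults.
    for rid, (t, s) in effective_rule_settings(ACTIVE_SCAN_JOB, [40026, 12345]).items():
        print(f"rule {rid}: threshold={t} strength={s}")
    print("disabled:", disabled_rules(ACTIVE_SCAN_JOB, [40026, 12345]))
```

Running it on the quoted job yields threshold `Off` / strength `Low` for 40026 and the defaults `Medium` / `Low` for the placeholder rule, so 40026 is the only rule reported as disabled; with `policy` set to a name, the function refuses instead of pretending the override applies.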

Simon Bennetts

Mar 31, 2022, 4:49:15 AM
to OWASP ZAP User Group
Hi Kostas,

That's weird - I'll try it out here and report back here what I find...

Cheers,

Simon

Simon Bennetts

Apr 5, 2022, 6:20:02 AM
to OWASP ZAP User Group
Sorry, I've had to focus on other things (like Spring4Shell;) and have only just got back to this.
But I tried it out quickly and I seem to be getting the same result as you - the DOM XSS rule runs even though it should be disabled.
I'll investigate more and let you know what I find...

Cheers,

Simon

Simon Bennetts

Apr 5, 2022, 8:02:41 AM
to OWASP ZAP User Group
It's a bug!
Once this has been approved and merged, we'll generate a new AF release.

Cheers,

Simon

Simon Bennetts

Apr 5, 2022, 10:24:02 AM
to OWASP ZAP User Group
The Automation Framework has been released with the fix for this bug.

Cheers,

Simon