Regarding ZAP - ALPHA and BETA Scan Rules


Ram Narayan

Oct 19, 2018, 10:56:08 AM10/19/18
to OWASP ZAP User Group
Hi,

1. I wanted to check whether ZAP ALPHA and BETA scan rules can be used for scanning, and whether they have any disadvantages apart from the longer scan time when these rules are included.

2. Why aren't ALPHA and BETA scan rules released in ZAP by default, and why do they need to be imported via add-ons?

Regards

Simon Bennetts

Oct 19, 2018, 11:02:37 AM10/19/18
to OWASP ZAP User Group

  • Release, which indicates they are of high quality and fit for purpose
  • Beta, which indicates they are of reasonable quality but may be incomplete or need further testing
  • Alpha, which indicates they are at an early stage of development
So basically, beta scan rules might be less accurate than release ones, and alpha ones even more so.

Having said that, we haven't been very good at promoting rules, so some of the beta and alpha ones could probably be promoted.

Does that answer your question?

Cheers,

Simon

Ram Narayan

Oct 19, 2018, 11:10:05 AM10/19/18
to OWASP ZAP User Group
Hi Simon Bennetts,

Thanks for your reply. Yes, it does answer my question, and it would probably be great if some rules, once tested, were moved to release from ALPHA or BETA.

How can I contribute to developing or testing scan rules?

Kind Regards

Simon Bennetts

Oct 19, 2018, 11:47:48 AM10/19/18
to OWASP ZAP User Group
Any help you can give would be very much appreciated!

We made a decision a while ago to only promote rules with good unit tests.
Most of the passive rules should have unit tests, but not so many of the active scan rules.
If the rules you'd like promoted have unit tests then you can just raise an issue asking for the rule(s) to be promoted - if you've also tested them on other sites then let us know that as well.
If you'd like rules promoted that don't have any unit tests then please write some :)
There are various examples around - just ask if you need any pointers.

We actually have some bounties on passive scan unit tests, so you (or anyone else) could make a bit of money implementing them :)

We planned to offer bounties on the active scan rule unit tests too but didn't get around to it.
Would bounties encourage you or anyone else to implement them? If so we'll look into putting those bounties up asap :)

We have a couple of blog posts that should help with rule development:
Feel free to ask any questions you have - on here, in relevant issues (new or existing), or on irc (irc.mozilla.org #websectools)
The core team is pretty overloaded, but we'll do our best to answer development questions as in the end the more people who help out the better!

Looking forward to your contributions :)

Many thanks,

Simon

kingthorin+owaspzap

Oct 19, 2018, 4:55:01 PM10/19/18
to OWASP ZAP User Group
Feel free to tackle any of these: https://github.com/zaproxy/zaproxy/labels/promo

thc...@gmail.com

Oct 19, 2018, 5:02:07 PM10/19/18
to zaprox...@googlegroups.com
It might be worth waiting for the merge of the branches (I know that we have been waiting an eternity for that, but we are closer); it will be a lot cleaner if done in the same branch.

Best regards.