Issue with alert filters


RaviH

Apr 26, 2022, 12:47:32 PM
to OWASP ZAP User Group
Hi,

I'm facing an issue with alert filters, as it is unable to suppress a few specific issues.

It is working for most of the issues (where pluginIds are unique), but for 3 specific alerts which are based on the same pluginId, the alert filtering is not working.

To be more specific, I have 3 medium alerts based on CSP (https://www.zaproxy.org/docs/alerts/10055/) that I am trying to mark as false positive, but they still show up as medium.

What am I missing or is there any open bug causing this issue for us?

Thanks,
Ravi

kingthorin+owaspzap

Apr 26, 2022, 1:40:17 PM
to OWASP ZAP User Group
Are you sure they're all related to 10055?

There's also 10038.

There also seems to be a CSP related passive scan script in the community-scripts repo/add-on.

RaviH

Apr 26, 2022, 2:50:24 PM
to OWASP ZAP User Group
Yeah - that I am sure as I see 10055 as the pluginId for the 3 alerts on the zap xml report.

1. <pluginid>10055</pluginid> <alertRef>10055</alertRef> <alert>CSP: style-src unsafe-inline</alert>
2. <pluginid>10055</pluginid> <alertRef>10055</alertRef> <alert>CSP: Wildcard Directive</alert>
3. <pluginid>10055</pluginid> <alertRef>10055</alertRef> <alert>CSP: script-src unsafe-inline</alert>


kingthorin+owaspzap

Apr 26, 2022, 2:56:03 PM
to OWASP ZAP User Group
How are you setting or applying the filter? What's your whole process?

RaviH

Apr 26, 2022, 3:24:15 PM
to OWASP ZAP User Group
Just to make sure that we are on the same page...
I have the alert filtering working for most of it -- I am already able to suppress a few alerts as false positives, but I have a problem suppressing just these 3 specific alerts (with the same pluginId).

Regarding the process at a high level:
1. We manage the alert filters in a JSON format that takes ruleId (pluginId) and newLevel (to suppress) values
2. Then we run addalertfilter for each ruleId in the JSON file and for the specific contextId corresponding to the current scan
3. We run the active scan

kingthorin+owaspzap

Apr 26, 2022, 7:13:14 PM
to OWASP ZAP User Group
The rule you're talking about is a passive scan rule; it would need to be applied before spidering or whatever exploration/proxying.

RaviH

Apr 28, 2022, 5:45:22 PM
to OWASP ZAP User Group
That fixed the issue - I moved the step of adding alert filters to the pre-passive-scan phase now, and the suppression is working properly.
Thanks for the help.
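
The ordering that resolved this thread, as an added example that is not part of the original posts or of ZAP's own code: it builds the ZAP JSON API calls from a filter file with filters first, and flags any plan that adds a filter after exploration has begun. The ZAP address, context id 1, the target URL and the helper names are assumptions; the API key parameter is left for the caller to add, and the context is assumed to already include the target.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

ZAP = "http://localhost:8080"  # assumed address of the local ZAP API

# Constructed sample of the JSON filter file (ruleId/newLevel as in the thread;
# -1 is the addAlertFilter newLevel for "False Positive").
SAMPLE_FILTERS = '[{"ruleId": 10055, "newLevel": -1}, {"ruleId": 10038, "newLevel": -1}]'

def call(component, kind, name, **params):
    """Build one ZAP JSON API URL, e.g. /JSON/spider/action/scan/."""
    return f"{ZAP}/JSON/{component}/{kind}/{name}/?{urlencode(params)}"

def filter_calls(filters_json, context_id):
    """One addAlertFilter call per entry of the filter file."""
    return [call("alertFilter", "action", "addAlertFilter", contextId=context_id,
                 ruleId=f["ruleId"], newLevel=f["newLevel"], enabled="true")
            for f in json.loads(filters_json)]

def build_plan(filters_json, context_id, target):
    """Calls in working order: filters, explore, drain passive queue, attack."""
    return (filter_calls(filters_json, context_id)
            + [call("spider", "action", "scan", url=target),
               call("pscan", "view", "recordsToScan"),  # poll until it returns 0
               call("ascan", "action", "scan", url=target, contextId=context_id)])

def late_filters(plan):
    """Return ruleIds whose filter is added after exploration has started.

    Passive rules (10055 among them) raise alerts while traffic is spidered or
    proxied; per the thread, the filter has to be in place before that happens.
    """
    exploring, late = False, []
    for url in plan:
        path = urlparse(url).path
        if path.startswith(("/JSON/spider/", "/JSON/ajaxSpider/", "/JSON/ascan/")):
            exploring = True
        elif path.startswith("/JSON/alertFilter/action/addAlertFilter") and exploring:
            late.append(int(parse_qs(urlparse(url).query)["ruleId"][0]))
    return late

if __name__ == "__main__":
    for url in build_plan(SAMPLE_FILTERS, 1, "https://app.example.test"):
        print(url)
```

Running `late_filters` over the call sequence of an existing pipeline shows which ruleIds are registered too late for passive rules to pick them up.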