ZAP Action - Access Control Vulnerability


Dafne Moretti

Jun 10, 2024, 10:17:11 PM
to ZAP User Group
Hi, I'm using the ZAP action in my CI/CD pipeline, as provided by the GitHub Actions Marketplace (https://github.com/marketplace/actions/zap-baseline-scan).

However, I need the tool to identify critical risk vulnerabilities related to access control, as stated in the documentation (https://www.zaproxy.org/docs/alerts/10102/).

Even though it doesn't say so in the documentation, after researching a lot, I identified that it is an add-on feature.

I would like to know: How can I add this feature to my pipeline? Would it be in cmd_command?

Is there a way to do this?

I'm in doubt because the README of the official ZAP repository doesn't say how to do this via the command line, only via the UI, at the link https://github.com/zaproxy/zap-extensions.

I'm using:

  - name: ZAP Scan
    uses: zaproxy/action-...@v0.12.0
    with:
      token: ${{ secrets.GITHUB_TOKEN }}
      docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
      target: 'https://www.zaproxy.org'
      rules_file_name: '.zap/rules.tsv'
      cmd_options: '-addoninstall accessControl'

Is this right?

In my app I provoke the access control vulnerability by changing the URL id. For example: https://localhost:3000/1, and the user without permission can change it to https://localhost:3000/2 to see another user's data. But, using this, I don't have any alert telling me that.

Can you help me with this issue?
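
The check the post describes (a second authenticated user requesting a record that belongs to the first) is something a CI job can assert on directly while the ZAP action itself runs unauthenticated. The following is an added example, not ZAP's or the action's code: it uses a constructed in-memory app with hypothetical /users/<id> routes and a hypothetical fetch(session, path) callable standing in for an HTTP client, and shows the vulnerable handler beside the fixed one.

```python
"""Horizontal access-control (IDOR) regression check for a CI pipeline.

Added example, not ZAP's or the ZAP action's code. Assumptions: the app
serves /users/<id>; a "session" is represented by the user name the server
resolves from the request; fetch(session, path) -> (status, body) is a
hypothetical stand-in for a real HTTP client.
"""
from typing import Callable, Dict, List, Tuple

# Constructed sample data: which test account owns which record id.
OWNERS: Dict[int, str] = {1: "alice", 2: "bob"}

Fetch = Callable[[str, str], Tuple[int, str]]


def vulnerable_handler(session: str, path: str) -> Tuple[int, str]:
    """Returns the record for any id without checking who asks (the IDOR)."""
    rid = int(path.rsplit("/", 1)[1])
    if rid not in OWNERS:
        return 404, ""
    return 200, f"data-of-{OWNERS[rid]}"


def fixed_handler(session: str, path: str) -> Tuple[int, str]:
    """Same route, but only the owner may read the record; others get 403."""
    rid = int(path.rsplit("/", 1)[1])
    if rid not in OWNERS:
        return 404, ""
    if OWNERS[rid] != session:
        return 403, ""
    return 200, f"data-of-{OWNERS[rid]}"


def find_idor(fetch: Fetch, owner: str, other: str, owned_ids: List[int]) -> List[int]:
    """Return the ids in owned_ids that `other` can read exactly as `owner` does.

    A finding is a URL that returns 200 for the owner and 200 with the same
    body for a different authenticated account. The CI job knows which test
    account owns which ids, so no guessing is involved.
    """
    leaked = []
    for rid in owned_ids:
        path = f"/users/{rid}"
        owner_status, owner_body = fetch(owner, path)
        other_status, other_body = fetch(other, path)
        if owner_status == 200 and other_status == 200 and owner_body == other_body:
            leaked.append(rid)
    return leaked


if __name__ == "__main__":
    # Gate the pipeline: fail the job if any of alice's records leak to bob.
    raise SystemExit(1 if find_idor(fixed_handler, "alice", "bob", [1]) else 0)
```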

Simon Bennetts

Jun 17, 2024, 10:52:21 AM
to ZAP User Group
Hiya,

The Access Control add-on is an alpha quality add-on, and supports the GUI and the API as per the help page https://www.zaproxy.org/docs/desktop/addons/access-control-testing/.
It is not currently usable via the packaged scans or the Automation Framework.

Cheers,

Simon

Dafne Moretti

Jun 21, 2024, 12:13:14 PM
to ZAP User Group
Thank you Simon,

Is there a way to use authentication to check access control through the ZAP action in the CI/CD pipeline?

Simon Bennetts

Jun 27, 2024, 12:00:29 PM
to ZAP User Group
No, I'm afraid not.
That's something I'd love to add...

Dafne Moretti

Jun 27, 2024, 1:48:26 PM
to ZAP User Group
Ok! Thank you Simon.