Configuring ZAP Active/Passive Rules


Vaibhav Gupta

Mar 1, 2016, 2:55:13 AM
to OWASP ZAP User Group
Hi All,

I am looking to create different policies for ZAP for discrete issues, example:

- Mixed Content
- X-Frame-Options
- Content Security Policy
- Cookie Flags
- Banner enumeration
- Vulnerable server stack
- Etc. 

Can we configure ZAP scanning rules (both passive and active) to scan granularly for a particular issue? The tests under 'Scan Policy Manager' seem to be very broad.

Thanks,
Vaibhav

Vaibhav Gupta

Mar 1, 2016, 3:28:14 AM
to OWASP ZAP User Group
Also, how to configure individual policies for the OWASP Top 10 vulnerabilities mentioned on this post: 


Thanks,
Vaibhav

Simon Bennetts

Mar 1, 2016, 6:50:57 AM
to OWASP ZAP User Group
Are you automating the scans or performing them manually?
If you are starting them manually then you can use the 'advanced' screens of the Active Scan dialog to choose any combination of rules you like: https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsAdvascan
If you need different policies for each rule then you can create them manually.

Cheers,

Simon

Simon Bennetts

Mar 1, 2016, 6:53:17 AM
to OWASP ZAP User Group
We don't currently categorise rules that apply to the OWASP Top Ten.
There is a proposal for doing so: https://groups.google.com/d/msg/zaproxy-develop/McCDEblUE88/Rk01X-4aDwAJ but right now you'll need to create your own 'OWASP Top 10' policy.

Cheers,

Simon

Albert

Mar 1, 2016, 9:57:45 AM
to OWASP ZAP User Group
Hi Vaibhav, 

I am facing the same situation. 

For active scanner:

I have been trying to work around it by creating different policies that only have one specific test enabled.

For example I run ZAP with a policy that has only the Server Security>Anti CSRF Tokens Scanner active scanner enabled. All the rest are set to OFF. 

I can then create an automated test for CSRF.

However, I am missing how to work out the next level of granularity. You can set a Threshold and Strength per rule, in this case the CSRF Token Scanner, but how can I see or enable/disable what checks this rule does?

kingthorin+owaspzap

Mar 1, 2016, 10:14:37 AM
to OWASP ZAP User Group
You can't really enable/disable the checks a rule does.

You can modify its behavior through setting strength and threshold:
https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsScanpolicy#strength
https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsPscanrules#threshold

The details should be in the help for the individual scanners. If they are not, you'd have to review the code of the scanner.

The following wiki page outlines the guideline around strength vs # of requests:
https://github.com/zaproxy/zap-extensions/wiki/AddOnsBeta

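The single-rule policy Albert describes (one active scan rule on, everything else OFF) with the per-rule strength and threshold kingthorin points to, written out as a ZAP scan policy file by a small Python script. This is an added example, not code from the thread or from the ZAP project; it assumes the `<configuration>/<policy>/<scanner>/<plugins>/<pNNNN>` layout of the `.policy` files ZAP exports from the Scan Policy Manager, and it assumes plugin id 20012 is the Anti-CSRF Tokens Scanner (confirm the id in your own ZAP's policy dialog before relying on it).

```python
import xml.etree.ElementTree as ET
from xml.dom import minidom

# Values as spelled in ZAP policy files (assumption: matches exported .policy files).
STRENGTHS = {"LOW", "MEDIUM", "HIGH", "INSANE"}
THRESHOLDS = {"OFF", "LOW", "MEDIUM", "HIGH"}


def build_single_rule_policy(policy_name, plugin_id, rule_name,
                             strength="MEDIUM", threshold="MEDIUM"):
    """Return XML for a scan policy in which only `plugin_id` is enabled.

    The policy-wide default threshold is set to OFF, so any rule that is not
    listed under <plugins> is disabled; the one listed rule overrides it.
    """
    if strength not in STRENGTHS or threshold not in THRESHOLDS:
        raise ValueError("unknown strength/threshold: %s/%s" % (strength, threshold))
    root = ET.Element("configuration")
    ET.SubElement(root, "policy").text = policy_name
    scanner = ET.SubElement(root, "scanner")       # policy-wide defaults
    ET.SubElement(scanner, "level").text = "OFF"   # default alert threshold
    ET.SubElement(scanner, "strength").text = "MEDIUM"
    plugins = ET.SubElement(root, "plugins")
    p = ET.SubElement(plugins, "p%d" % plugin_id)  # element name is p<id>
    ET.SubElement(p, "name").text = rule_name
    ET.SubElement(p, "enabled").text = "true"
    ET.SubElement(p, "level").text = threshold     # per-rule alert threshold
    ET.SubElement(p, "strength").text = strength   # per-rule attack strength
    return minidom.parseString(ET.tostring(root)).toprettyxml(indent="    ")


def enabled_rules(policy_xml):
    """Parse a policy file; return {plugin_id: (threshold, strength)} for rules
    that are enabled and whose threshold is not OFF. Useful as a pre-flight
    check before an automated scan, so a policy that silently enables more
    than the one intended rule is caught."""
    root = ET.fromstring(policy_xml)
    default_strength = root.findtext("scanner/strength")
    out = {}
    for p in root.find("plugins"):
        if p.findtext("enabled") == "true" and p.findtext("level") != "OFF":
            out[int(p.tag[1:])] = (p.findtext("level"),
                                   p.findtext("strength") or default_strength)
    return out


if __name__ == "__main__":
    # Constructed example: assumed id 20012 = Anti-CSRF Tokens Scanner.
    xml = build_single_rule_policy("CSRF only", 20012, "Anti-CSRF Tokens Scanner",
                                   strength="HIGH", threshold="LOW")
    print(xml)
    print(enabled_rules(xml))
```

Drop the generated file into ZAP's `policies` directory (or import it via the Scan Policy Manager) and pick it by name in the Active Scan dialog's advanced screens.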