ZAP alerting on block page


James L

Aug 25, 2023, 10:03:01 AM
to zaprox...@googlegroups.com
Greetings,

I often have ZAP alert on block pages for rejected requests. To suppress these alerts I have tried adding a custom page to match something along the lines of:
<html><head><title>Request Rejected</title></head><body>.*

When I do this nothing seems to be flagged as a custom page. Am I going about this the wrong way? 

kingthorin+zap

Aug 25, 2023, 1:15:47 PM
to ZAP User Group
Custom Page definitions wouldn't apply retroactively. Can you be more specific about your steps and config?

James L

Sep 6, 2023, 9:43:25 AM
to ZAP User Group
Thank you for the response, I'll have to try another scan with the custom page defined before scanning. This is what my custom page settings look like: Capture.PNG

The reason I am trying to do this is to limit alerts that are triggered on the block page... there are headers missing within the block page that cause an alert, but the block page is out of scope because my developers don't have control over it.

Simon Bennetts

Sep 6, 2023, 10:26:43 AM
to ZAP User Group
Custom pages are not there to prevent alerts, they are there to help understand the meaning of the pages better.
I think alert filters might make more sense in your case: https://www.zaproxy.org/docs/desktop/addons/alert-filters/

Obviously in this case you don't need to report the problem to us as it's just something that is out of scope for you.
Unless I'm misunderstanding the situation?

Cheers,

Simon

James L

Sep 6, 2023, 11:28:05 AM
to ZAP User Group
Thank you Simon,

I think you are understanding the situation. The URL does not change when the block page is injected, so I was hoping to be able to flag the content of the page to filter out the alert. I might be looking for the evidence filter. I'm going to see if applying an evidence filter for the alerts resolves my situation.

Thanks again!

-James