Imported URLs not marking to false positive


Thoni A

Mar 8, 2021, 11:48:56 AM
to OWASP ZAP User Group
Hi All,
I am importing a list of URLs after creating a new context. Here is the problem I see with the alertfilter. When I mark these imported URLs as false positive, they are marked as false positive from the ZAP UI. When the scan runs in daemon mode, these imported URLs are not marked as false positive.
If I am not wrong, when we import a list of URLs, the URLs will fall under the site tree.
These imported URLs are also included in the context.
I am not sure what I am missing here.

Can anyone suggest how to fix this problem so that the alertfilter marks the imported URLs as false positive?

Thanks
Thoni

Simon Bennetts

Mar 8, 2021, 12:41:07 PM
How are you marking them as FPs?
If you are just changing them in the alerts tree then this only affects the alerts already found, it does not change alerts that are found in the future.
In order to flag alerts as false positives automatically you will need to use Alert Filters.

Cheers,

Simon

Thoni A

Mar 8, 2021, 12:58:05 PM
Hi Simon, thank you for writing back.

kingthorin+owaspzap

Mar 8, 2021, 1:55:43 PM
It's probably an order of operations thing. You don't run a passive scan, it takes place when you spider or proxy traffic.

Thoni A

Mar 9, 2021, 5:02:56 PM
Hi,
I had tested without running a passive scan. I ran only an active scan.
If I run only an active scan, alerts are not moving to false positive.

Here is the order I'm following:

# Alertfilter

curl http://$Host:$Port/JSON/alertFilter/action/addAlertFilter/?apikey=$APIKEY\&formMethod=POST\&contextId=1\&ruleId=40018\&newLevel=-1\&url=.*.js\&urlIsRegex=true\&parameter=\&enabled=true\&parameterIsRegex=\&attack=\&attackIsRegex=\&evidence=\&evidenceIsRegex=

# To start the Spider scan
curl http://$Host:$Port/JSON/spider/action/scan/?apikey=$APIKEY\&url=https://test.com\&maxChildren=\&recurse=true\&contextName=$contextname\&subtreeOnly=

# To start the AJAX Spider for RATING
curl http://$Host:$Port/JSON/ajaxSpider/action/scan/?apikey=$APIKEY\&url=https://test.com\&inScope=true\&contextName=$contextname\&subtreeOnly=

# To start the active scan
curl http://$Host:$Port/JSON/ascan/action/scan/?apikey=$APIKEY\&formMethod=POST\&url=\&recurse=true\&inScopeOnly=true\&scanPolicyName=\&method=\&postData=\&contextId=1

I still see the same problem: only the imported URLs are not marking to false positive.
Is there anything I'm still missing? If not, is there any solution to fix the above issue?

Thanks,
Thoni

Simon Bennetts

Mar 10, 2021, 4:35:14 AM
The passive scanner always runs (unless you disable every single passive scan rule) - the URLs found by the spider will be passively scanned.
It looks like you are doing things in the right order, i.e. adding the alert filter before starting the spider.
But if that's all you are doing then you've made a mistake - the alert filter you've created applies to context 1 and it doesn't look like you've added your site to that context.
You need to add your site to the context that the alert filter applies to or change the alert filter to be global.

Cheers,

Simon

Thoni A

Mar 10, 2021, 11:18:12 AM
Hi Simon! Thanks for your response.

Here is the session configuration script I am using:
/usr/share/apps/zap/zap.sh -daemon -host $Host -port $Port -config api.key=$APIKEY -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true > ${WORKSPACE}/zap_log &

# To Create a newContext
curl http://$Host:$Port/JSON/context/action/newContext/?apikey=$APIKEY\&formMethod=POST\&contextName=$contextname

# To add in Include context
curl http://$Host:$Port/JSON/context/action/includeInContext/?apikey=$APIKEY\&contextName=$contextname\&regex=https://test.com/.*

# Alertfilter
curl http://$Host:$Port/JSON/alertFilter/action/addAlertFilter/?apikey=$APIKEY\&formMethod=POST\&contextId=1\&ruleId=40018\&newLevel=-1\&url=.*.js\&urlIsRegex=true\&parameter=\&enabled=true\&parameterIsRegex=\&attack=\&attackIsRegex=\&evidence=\&evidenceIsRegex=

# To start the Spider scan
curl http://$Host:$Port/JSON/spider/action/scan/?apikey=$APIKEY\&url=$Rating_URL\&maxChildren=\&recurse=true\&contextName=$contextname\&subtreeOnly=

# To start the AJAX Spider for RATING
curl http://$Host:$Port/JSON/ajaxSpider/action/scan/?apikey=$APIKEY\&url=https://test.com\&inScope=true\&contextName=$contextname\&subtreeOnly=

# To start the active scan
curl http://$Host:$Port/JSON/ascan/action/scan/?apikey=$APIKEY\&formMethod=POST\&url=\&recurse=true\&inScopeOnly=true\&scanPolicyName=\&method=\&postData=\&contextId=1

# To Generate the HTML report
curl http://$Host:$Port/OTHER/core/other/htmlreport/?apikey=$APIKEY\&formMethod=GET > reports/zap_test &

# To save the session name=/path/to/test.session
echo saving the session in Jenkins workspace
curl http://$Host:$Port/JSON/core/action/saveSession/?apikey=$APIKEY\&formMethod=POST\&name=${WORKSPACE}/zap_test

sleep 5

echo sleeping for 2 minutes
sleep 115

#Shutdown
echo shutting down the zap session
curl http://$Host:$Port/JSON/core/action/shutdown/?apikey=$APIKEY\&formMethod=POST

Here I am adding my main URL (https://test.com) to include in context as regex.
I am importing the 3 URLs to the site tree that follow the regex as per the URL that is already in the context.
Main URL: https://test.com
Imported URLs:
https://test.com/global/Integration/update/
https://test.com/test/app
https://test.com/rest/auth/ByAppId/123456789

Do the above imported URLs that I am uploading into the site tree need to be added to the context as well, to be marked appropriately using the context-based alertfilter?
If yes, is there a way to add a file containing URLs to the context, or does it need to be done manually for each URL?

Thanks,
Thoni
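
Added example, not part of the thread and not ZAP code: a context-scoped alert filter only applies to a URL that is both inside the context and matched by the filter's own `url` pattern, so this script tests the include regex and the `url=.*.js` value quoted above against the three imported URLs. It assumes both regexes must match the whole URL; the function names and the last three sample URLs are constructed for illustration.

```shell
#!/bin/sh
# Constructed check: which URLs would the context-scoped alert filter cover?
# Assumption: both patterns are matched against the whole URL (grep -x).

CONTEXT_INCLUDE='https://test.com/.*'   # regex given to includeInContext in the thread
FILTER_URL='.*.js'                      # url= value given to addAlertFilter in the thread

# Return 0 when regex $1 matches the entire string $2.
full_match() {
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# Print one verdict for a URL: covered, not-in-context or url-pattern-miss.
filter_verdict() {
    if ! full_match "$CONTEXT_INCLUDE" "$1"; then
        echo "not-in-context"
    elif ! full_match "$FILTER_URL" "$1"; then
        echo "url-pattern-miss"
    else
        echo "covered"
    fi
}

# Read URLs (one per line) on stdin and print a verdict for each.
report() {
    while IFS= read -r url; do
        if [ -n "$url" ]; then
            printf '%-18s %s\n' "$(filter_verdict "$url")" "$url"
        fi
    done
}

# First three URLs are the imported ones from the thread; the rest are
# constructed: a real .js file, a path the unescaped dot also matches,
# and a host outside the context.
report <<'EOF'
https://test.com/global/Integration/update/
https://test.com/test/app
https://test.com/rest/auth/ByAppId/123456789
https://test.com/static/app.js
https://test.com/api/nodejs
https://other.example/static/app.js
EOF
```

With the values as posted, the three imported URLs are inside the context but report `url-pattern-miss`, while `.*.js` also covers `/api/nodejs` because its second dot is not escaped.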
