Configuration File


Karl Dalley

Apr 14, 2020, 11:28:15 AM
to OWASP ZAP User Group
I realize that all of the security rules are set to WARN by default in the configuration file. I'm curious to know which tests people typically set to FAIL and/or IGNORE for actual usage of ZAP in "real life" practice?

kingthorin+owaspzap

Apr 14, 2020, 1:20:08 PM
to OWASP ZAP User Group
It would be app/environment specific. There isn't a one-size-fits-most answer; that's why it's configurable.

Simon Bennetts

Apr 15, 2020, 4:35:51 AM
to OWASP ZAP User Group
Here's the default baseline file we use at Mozilla - we tweak it for specific services:

# zap-baseline rule configuration file
# change FAIL to IGNORE to ignore rule or FAIL to fail if rule matches
# only the rule identifiers are used - the names are just for info
2	IGNORE	(Private IP Disclosure)
10010	FAIL	(Cookie No HttpOnly Flag)
10011	FAIL	(Cookie Without Secure Flag)
10012	IGNORE	(Password Autocomplete in browser)
10015	IGNORE	(Incomplete or No Cache-control and Pragma HTTP Header Set)
10016	IGNORE	(Web Browser XSS Protection Not Enabled)
# Warn on 10017 for now, need to decide how to handle SRI's better
# 10017	FAIL	(Cross-Domain JavaScript Source File Inclusion)
10019	FAIL	(Content-Type Header Missing)
10020	FAIL	(X-Frame-Options Header Not Set)
10021	FAIL	(X-Content-Type-Options Header Missing)
10023	IGNORE	(Information Disclosure - Debug Error Messages)
10024	IGNORE	(Information Disclosure - Sensitive Informations in URL)
10025	IGNORE	(Information Disclosure - Sensitive Information in HTTP Referrer Header)
10026	IGNORE	(HTTP Parameter Override)
10027	IGNORE	(Information Disclosure - Suspicious Comments)
10031	IGNORE	(User Controllable HTML Element Attribute - Potential XSS)
10034	FAIL	(Heartbleed OpenSSL Vulnerability (Indicative))
10035	FAIL	(Strict-Transport-Security Header Not Set)
10036	IGNORE	(Server Leaks Version Information via "Server" HTTP Response Header Field)
10037	IGNORE	(Server Leaks Information via "X-Powered-By" HTTP Response Header Field)
10038	FAIL	(Content Security Policy (CSP) Header Not Set)
10039	IGNORE	(X-Backend-Server Header Information Leak)
10040	FAIL	(Secure Pages Include Mixed Content)
10049	IGNORE	(Storable and Cacheable Content)
10050	IGNORE	(Retrieved from Cache)
10052	FAIL	(X-ChromeLogger-Data (XCOLD) Header Information Leak)
10057	IGNORE	(Username Hash Found)
10094	IGNORE	(Base64 Disclosure)
10096	IGNORE	(Timestamp Disclosure)
10097	IGNORE	(Hash Disclosure)
10098	FAIL	(Cross-Domain Misconfiguration)
10099	IGNORE	(Source Code Disclosure - SQL)
10108	IGNORE	(Link uses _blank target)
10202	FAIL	(Absence of Anti-CSRF Tokens)
50001	INFO	(Script Passive Scan Rules)
# Previous ID, still in released version
40014	FAIL	(Absence of Anti-CSRF Tokens)


Cheers,

Simon
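The file above is a list of `<rule id> <FAIL|WARN|IGNORE|INFO> (<name>)` lines, and the comment at its top says only the identifiers matter. The script below is an added example (not ZAP's own code, nor the Mozilla file's) that parses such a config, applies it to a constructed set of alerts in the shape of a ZAP JSON report's `alerts` entries, and also renders the "all rules defaulted" starting point that the later reply mentions. The exit-code convention, the `app.example` URLs and the alert dicts are this example's own assumptions.

```python
"""Added example: apply a zap-baseline style rule config to scan alerts.
Not zap-baseline's code; the alert shape and exit codes are assumptions."""
from __future__ import annotations

import re
from collections import Counter

# Constructed config snippet in the same format as the file quoted above:
# "<rule id><tab><FAIL|WARN|IGNORE|INFO><tab>(<name>)", '#' starts a comment.
SAMPLE_CONFIG = (
    "# zap-baseline rule configuration file\n"
    "10010\tFAIL\t(Cookie No HttpOnly Flag)\n"
    "10015\tIGNORE\t(Incomplete or No Cache-control and Pragma HTTP Header Set)\n"
    "# 10017\tFAIL\t(Cross-Domain JavaScript Source File Inclusion)\n"
    "10038\tFAIL\t(Content Security Policy (CSP) Header Not Set)\n"
    "10096\tIGNORE\t(Timestamp Disclosure) \n"
)

# Constructed alerts, shaped like the 'alerts' entries of a ZAP JSON report
# (only the 'pluginid' and 'alert' keys are used here; hosts are placeholders).
SAMPLE_ALERTS = [
    {"pluginid": "10010", "alert": "Cookie No HttpOnly Flag", "url": "https://app.example/login"},
    {"pluginid": "10010", "alert": "Cookie No HttpOnly Flag", "url": "https://app.example/account"},
    {"pluginid": "10015", "alert": "Incomplete or No Cache-control and Pragma HTTP Header Set", "url": "https://app.example/"},
    {"pluginid": "10020", "alert": "X-Frame-Options Header Not Set", "url": "https://app.example/"},
    {"pluginid": "10096", "alert": "Timestamp Disclosure", "url": "https://app.example/static/app.js"},
]

_RULE_LINE = re.compile(r"^(\d+)\s+(FAIL|WARN|IGNORE|INFO)\b")


def parse_rule_config(text: str) -> dict[str, str]:
    """Map rule id -> level. Blank and '#' lines are skipped; the name in
    parentheses is informational only, exactly as the header comment says."""
    rules: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _RULE_LINE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: unrecognised rule line {raw!r}")
        rules[match.group(1)] = match.group(2)
    return rules


def classify_alerts(alerts, rules, default="WARN"):
    """Group alerts by rule id and look each rule up in the config.
    Unlisted rules get `default` (WARN, as the thread describes).
    Returns a list of (level, rule_id, name, hit_count)."""
    per_rule: dict[str, list] = {}
    for alert in alerts:
        per_rule.setdefault(str(alert["pluginid"]), []).append(alert)
    verdicts = []
    for rule_id, hits in sorted(per_rule.items(), key=lambda kv: int(kv[0])):
        verdicts.append((rules.get(rule_id, default), rule_id, hits[0]["alert"], len(hits)))
    return verdicts


def summarise(verdicts) -> Counter:
    """Count how many distinct rules landed at each level."""
    return Counter(level for level, *_ in verdicts)


def exit_code(summary: Counter) -> int:
    """Exit status convention assumed for this example: 1 if any rule FAILed,
    2 if only WARNs remain, 0 otherwise (IGNORE/INFO never fail a build)."""
    if summary["FAIL"]:
        return 1
    if summary["WARN"]:
        return 2
    return 0


def render_default_config(rule_names: dict[str, str], default="WARN") -> str:
    """Emit a config with every known rule at `default`; edit individual
    lines to FAIL or IGNORE from there for a specific service."""
    out = [
        "# zap-baseline rule configuration file",
        "# change WARN to IGNORE to ignore rule or FAIL to fail if rule matches",
        "# only the rule identifiers are used - the names are just for info",
    ]
    for rule_id, name in sorted(rule_names.items(), key=lambda kv: int(kv[0])):
        out.append(f"{rule_id}\t{default}\t({name})")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules = parse_rule_config(SAMPLE_CONFIG)
    verdicts = classify_alerts(SAMPLE_ALERTS, rules)
    for level, rule_id, name, n in verdicts:
        print(f"{level:<6} {rule_id:<6} {name} x{n}")
    summary = summarise(verdicts)
    print(dict(summary), "exit", exit_code(summary))
```

Two points the run makes visible: a commented-out rule such as `# 10017` falls back to the default level rather than vanishing, so "warn for now" really is just leaving the line commented; and unlisted rules (10020 above) also get WARN, which is why a config generated with every rule defaulted gives no more or less control than an empty one until individual lines are changed.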

Sarvesh Sonawane

Apr 15, 2020, 7:15:19 AM
to OWASP ZAP User Group
This is great info.

Could you please let me know the location of this config file?

Simon Bennetts

Apr 15, 2020, 7:26:09 AM
to OWASP ZAP User Group
It's in a private repo.

Sarvesh Sonawane

Apr 15, 2020, 9:09:03 AM
to OWASP ZAP User Group
OK...

Is there any way we can have the same thing in a regular repo?

Just as a suggestion, because it will give great control like Karl is expecting.

Simon Bennetts

Apr 15, 2020, 1:00:55 PM
to OWASP ZAP User Group
I'm not sure I really see the point, I'm afraid.
We're maintaining our own version based on our current requirements.
We don't expect other people to have the same requirements or plan to maintain it for other people's purposes.
It's easy to generate config files like that with all of the rules defaulted, so having one specific example somewhere doesn't add or remove any control.
Unless I'm missing something?