Thank you for the quick reply. This is what was created:
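# NOTE(review): as pasted here the indentation is lost and a few long comments wrap onto bare lines
# (the URL after 'exclude:', the 'name:' key after 'id:', the example URL after 'url:'); a YAML
# parser rejects a bare line inside a mapping, so the reconstructed 2-space layout below should be
# checked against the file on disk before anything else.
env: # The environment, mandatory
  contexts: # List of 1 or more contexts, mandatory
  - name: context 1 # Name to be used to refer to this context in other jobs, mandatory
    urls: # A mandatory list of top level urls, everything under each url will be included
    includePaths: # An optional list of regexes to include
    excludePaths: # An optional list of regexes to exclude
    authentication:
      method: # String, one of 'manual', 'http', 'form', 'json' or 'script'
      parameters: # May include any required for scripts. All of the parameters support vars except for the port
        # NOTE(review): localhost:8090 is the host/port ZAP itself is started on (-port 8090), not a
        # target; these two values are only read for 'http' authentication - confirm they are intended
        hostname: localhost # String, only for 'http' authentication
        port: 8090 # Int, only for 'http' authentication
        realm: # String, only for 'http' authentication
        loginPageUrl: # String, the login page URL to read prior to making the request, only for 'form' or 'json' authentication
        loginRequestUrl: # String, the login URL to request, only for 'form' or 'json' authentication
        loginRequestBody: # String, the login request body - if not supplied a GET request will be used, only for 'form' or 'json' authentication
        script: # String, path to script, only for 'script' authentication
        scriptEngine: # String, the name of the script engine to use, only for 'script' authentication
      verification:
        method: # String, one of 'response', 'request', 'both', 'poll'
        loggedInRegex: # String, regex pattern for determining if logged in
        loggedOutRegex: # String, regex pattern for determining if logged out
        pollFrequency: # Int, the poll frequency, only for 'poll' verification
        pollUnits: # String, the poll units, one of 'requests', 'seconds', only for 'poll' verification
        pollUrl: # String, the URL to poll, only for 'poll' verification
        pollPostData: # String, post data to include in the poll, only for 'poll' verification
        pollAdditionalHeaders: # List of additional headers for poll request, only for 'poll' verification
        - header: # The header name
          value: # The header value
    sessionManagement:
      method: # String, one of 'cookie', 'http', 'script'
      parameters: # List of 0 or more parameters - may include any required for scripts
        script: # String, path to script, only for 'script' session management
        scriptEngine: # String, the name of the script engine to use, only for 'script' session management
    technology:
      exclude: # List of tech to exclude, as per https://www.zaproxy.org/techtags/ (just use last names)
    users: # List of one or more users available to use for authentication
    - name: # String, the name to be used by the jobs
      credentials: # List of user credentials - may include any required for scripts, vars supported
        username: # String, the username to use when authenticating
        # Keep the real secret out of a plan file that is shared or committed: reference a var here
        # (credentials support vars) and supply the value at run time
        password: # String, the password to use when authenticating
  vars: # List of 0 or more variables, can be used in urls and selected other parameters
  parameters:
    failOnError: true # If set exit on an error
    failOnWarning: false # If set exit on a warning
    progressToStdout: true # If set will write job progress to stdout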
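# NOTE(review): this is the generated template with its placeholders left empty. Values whose
# comment says mandatory (alertFilters ruleId/newRisk, requests url, tests scanRuleId) are still
# blank, and env parameters has failOnError: true, so any such job is likely to abort the plan -
# fill each one in or delete the job before running.
jobs:
- type: alertFilter # Used to change the risk levels of alerts
  parameters:
    deleteGlobalAlerts: true # Boolean, if true then will delete all existing global alerts, default false
  alertFilters: # A list of alertFilters to be applied
  - ruleId: # Int: Mandatory alert rule id
    newRisk: # String: Mandatory new risk level, one of 'False Positive', 'Info', 'Low', 'Medium', 'High'
    context: # String: Optional context name, if empty then a global alert filter will be created
    url: # String: Optional string to match against the alert, supports environment vars
    urlRegex: # Boolean: Optional, if true then the url is a regex
    parameter: # String: Optional string to match against the alert parameter field
    parameterRegex: # Boolean: Optional, if true then the parameter is a regex, supports environment vars
    attack: # String: Optional string to match against the alert attack field
    attackRegex: # Boolean: Optional, if true then the attack is a regex
    evidence: # String: Optional string to match against the alert evidence field
    evidenceRegex: # Boolean: Optional, if true then the evidence is a regex
- type: passiveScan-config # Passive scan configuration
  parameters:
    maxAlertsPerRule: 10 # Int: Maximum number of alerts to raise per rule
    scanOnlyInScope: true # Bool: Only scan URLs in scope (recommended)
    maxBodySizeInBytesToScan: # Int: Maximum body size to scan, default: 0 - will scan all messages
    enableTags: false # Bool: Enable passive scan tags, default: false - enabling them can impact performance
    disableAllRules: false # Bool: If true then will disable all rules before applying the settings in the rules section
  rules: # A list of one or more passive scan rules and associated settings which override the defaults
  - id: # Int: The rule id as per https://www.zaproxy.org/docs/alerts/
    name: # String: The name of the rule for documentation purposes - this is not required or actually used
    # Write Off quoted ('Off'): a YAML 1.1 parser reads an unquoted Off as boolean false
    threshold: # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium
- type: script
  parameters:
    action: # String: The executed action - available actions: add, remove, run, enable, disable
    type: # String: The type of the script
    engine: # String: The script engine to use - can be used to override the default engine for the file extension
    name: # String: The name of the script, defaults to the file name
    # Scripts run inside ZAP with its privileges - only reference files you control
    file: # String: The full or relative file path, must be readable
    target: # String: The URL to be invoked for "targeted" script type
- type: requestor # Used to send specific requests to targets
  parameters:
    user: # String: An optional user to use for authenticated requests, must be defined in the env
  requests: # A list of requests to make
  - url: # String: A mandatory URL of the request to be made
    name: # String: Optional name for the request, for documentation only
    method: # String: A non-empty request method, default: GET
    httpVersion: # String: The HTTP version to send the request with, default: HTTP/1.1
    headers: # An optional list of headers
    # - "header1:value1"
    data: # String: Optional data to send in the request body, supports vars
    responseCode: # Int: An optional, expected response code against which the actual response code will be matched
- type: graphql # GraphQL definition import
  parameters:
    endpoint: # String: the endpoint URL, default: null, no schema is imported
    schemaUrl: # String: URL pointing to a GraphQL Schema, default: null, import using introspection on endpoint
    schemaFile: # String: Local file path of a GraphQL Schema, default: null, import using schemaUrl
    maxQueryDepth: # Int: The maximum query generation depth, default: 5
    lenientMaxQueryDepthEnabled: # Bool: Whether or not Maximum Query Depth is enforced leniently, default: true
    maxAdditionalQueryDepth: # Int: The maximum additional query generation depth (used if enforced leniently), default: 5
    maxArgsDepth: # Int: The maximum arguments generation depth, default: 5
    optionalArgsEnabled: # Bool: Whether or not Optional Arguments should be specified, default: true
    argsType: # Enum [inline, variables, both]: How arguments are specified, default: both
    querySplitType: # Enum [leaf, root_field, operation]: The level for which a single query is generated, default: leaf
    requestMethod: # Enum [post_json, post_graphql, get]: The request method, default: post_json
- type: openapi # OpenAPI definition import
  parameters:
    apiFile: # String: Local file containing the OpenAPI definition, default: null, no definition will be imported
    apiUrl: # String: URL containing the OpenAPI definition, default: null, no definition will be imported
    context: # String: Context to use when importing the OpenAPI definition, default: null, no context will be used
    targetUrl: # String: URL which overrides the target defined in the definition, default: null, the target will not be overridden
- type: soap # SOAP WSDL import
  parameters:
    wsdlFile: # String: Local file path of the WSDL, default: null, no definition will be imported
    wsdlUrl: # String: URL pointing to the WSDL, default: null, no definition will be imported
- type: spider # The traditional spider - fast but doesn't handle modern apps so well
  parameters:
    context: # String: Name of the context to spider, default: first context
    user: # String: An optional user to use for authentication, must be defined in the env
    url: # String: Url to start spidering from, default: first context URL
    maxDuration: # Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited
    maxDepth: # Int: The maximum tree depth to explore, default 5
    maxChildren: # Int: The maximum number of children to add to each node in the tree
    acceptCookies: # Bool: Whether the spider will accept cookies, default: true
    handleODataParametersVisited: # Bool: Whether the spider will handle OData responses, default: false
    handleParameters: # Enum [ignore_completely, ignore_value, use_all]: How query string parameters are used when checking if a URI has already been visited, default: use_all
    maxParseSizeBytes: # Int: The max size of a response that will be parsed, default: 2621440 - 2.5 Mb
    parseComments: # Bool: Whether the spider will parse HTML comments in order to find URLs, default: true
    parseGit: # Bool: Whether the spider will parse Git metadata in order to find URLs, default: false
    parseDsStore: # Bool: Whether the spider will parse .DS_Store files in order to find URLs, default: false
    parseRobotsTxt: # Bool: Whether the spider will parse 'robots.txt' files in order to find URLs, default: true
    parseSitemapXml: # Bool: Whether the spider will parse 'sitemap.xml' files in order to find URLs, default: true
    parseSVNEntries: # Bool: Whether the spider will parse SVN metadata in order to find URLs, default: false
    postForm: # Bool: Whether the spider will submit POST forms, default: true
    processForm: # Bool: Whether the spider will process forms, default: true
    requestWaitTime: # Int: The time between the requests sent to a server in milliseconds, default: 200
    sendRefererHeader: # Bool: Whether the spider will send the referer header, default: true
    threadCount: # Int: The number of spider threads, default: 2
    userAgent: # String: The user agent to use in requests, default: '' - use the default ZAP one
  tests:
  - name: 'At least X URLs found' # String: Name of the test, default: statistic + operator + value
    type: 'stats' # String: Type of test, only 'stats' is supported for now
    statistic: 'automation.spider.urls.added' # String: Name of an integer / long statistic, currently supported: 'automation.spider.urls.added'
    operator: '>=' # String ['==', '!=', '>=', '>', '<', '<=']: Operator used for testing
    value: 100 # Int: Change this to the number of URLs you expect to find
    onFail: 'info' # String: One of 'warn', 'error', 'info', mandatory
- type: spiderAjax # The ajax spider - slower than the spider but handles modern apps well
  parameters:
    context: # String: Name of the context to spider, default: first context
    url: # String: Url to start spidering from, default: first context URL
    maxDuration: # Int: The max time in minutes the ajax spider will be allowed to run for, default: 0 unlimited
    maxCrawlDepth: # Int: The max depth that the crawler can reach, default: 10, 0 is unlimited
    numberOfBrowsers: # Int: The number of browsers the spider will use, more will be faster but will use up more memory, default: 1
    runOnlyIfModern: # Boolean: If true then the spider will only run if a "modern app" alert is raised, default: false
    inScopeOnly: # Boolean: If true then any URLs requested which are out of scope will be ignored, default: true
    browserId: # String: Browser Id to use, default: firefox-headless
    clickDefaultElems: # Bool: When enabled only click the default element: 'a', 'button' and input, default: true
    clickElemsOnce: # Bool: When enabled only click each element once, default: true
    eventWait: # Int: The time in milliseconds to wait after a client side event is fired, default: 1000
    maxCrawlStates: # Int: The maximum number of crawl states the crawler should crawl, default: 0 unlimited
    randomInputs: # Bool: When enabled random values will be entered into input element, default: true
    reloadWait: # Int: The time in milliseconds to wait after the URL is loaded, default: 1000
    elements: # A list of HTML elements to click - will be ignored unless clickDefaultElems is false
  tests:
  - name: 'At least X URLs found' # String: Name of the test, default: statistic + operator + value
    type: 'stats' # String: Type of test, only 'stats' is supported for now
    statistic: 'spiderAjax.urls.added' # String: Name of an integer / long statistic, currently supported: 'spiderAjax.urls.added'
    operator: '>=' # String ['==', '!=', '>=', '>', '<', '<=']: Operator used for testing
    value: 100 # Int: Change this to the number of URLs you expect to find
    onFail: 'info' # String [warn, error, info]: Change this to 'warn' or 'error' for the test to take effect
- type: delay # Pause the plan for a set period of time or event (file created, programmatic method called, API endpoint called)
  parameters:
    time: # String: The time to wait, format any of ['hh:mm:ss', 'mm:ss', 'ss'], default: 0
    fileName: # String: Name of a file which will cause the job to end early if created, default: empty
- type: passiveScan-wait # Passive scan wait for the passive scanner to finish
  parameters:
    maxDuration: 5 # Int: The max time to wait for the passive scanner, default: 0 unlimited
  tests:
  - name: 'test one' # Name of the test, optional
    type: alert # Specifies that the test is of type 'alert'
    # Pick one of the two: the slash-separated placeholder is not itself a valid action
    action: passIfPresent/passIfAbsent # String: The condition (presence/absence) of the alert, default: passIfAbsent
    scanRuleId: # Integer: The id of the scanRule which generates the alert, mandatory
    alertName: # String: The name of the alert generated, optional
    url: http://www.example.com/path # String: The url of the request corresponding to the alert generated, optional
    method: # String: The method of the request corresponding to the alert generated, optional
    attack: # String: The actual attack which generated the alert, optional
    param: # String: The parameter which was modified to generate the alert, optional
    evidence: # String: The evidence corresponding to the alert generated, optional
    confidence: # String: The confidence of the alert, one of 'False Positive', 'Low', 'Medium', 'High', 'Confirmed', optional
    risk: # String: The risk of the alert, one of 'Informational', 'Low', 'Medium', 'High', optional
    otherInfo: # String: Additional information corresponding to the alert, optional
    onFail: 'info' # String: One of 'warn', 'error', 'info', mandatory
# - type: activeScan # The active scanner - this actively attacks the target so should only be used with permission
#   parameters:
#     context: # String: Name of the context to attack, default: first context
#     user: # String: An optional user to use for authentication, must be defined in the env
#     policy: # String: Name of the scan policy to be used, default: Default Policy
#     maxRuleDurationInMins: # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
#     maxScanDurationInMins: # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
#     addQueryParam: # Bool: If set will add an extra query parameter to requests that do not have one, default: false
#     defaultPolicy: # String: The name of the default scan policy to use, default: Default Policy
#     delayInMs: # Int: The delay in milliseconds between each request, use to reduce the strain on the target, default 0
#     handleAntiCSRFTokens: # Bool: If set then automatically handle anti CSRF tokens, default: false
#     injectPluginIdInHeader: # Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false
#     scanHeadersAllRequests: # Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false
#     threadPerHost: # Int: The max number of threads per host, default: 2
#   policyDefinition: # The policy definition - only used if the 'policy' is not set
#     defaultStrength: # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
#     defaultThreshold: # String: The default Alert Threshold for all rules, one of Off, Low, Medium, High, default: Medium
#     rules: # A list of one or more active scan rules and associated settings which override the defaults
#     - id: # Int: The rule id as per https://www.zaproxy.org/docs/alerts/
#       name: # Comment: The name of the rule for documentation purposes - this is not required or actually used
#       strength: # String: The Attack Strength for this rule, one of Low, Medium, High, Insane, default: Medium
#       threshold: # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium
#   tests:
#   - name: 'test one' # Name of the test, optional
#     type: alert # Specifies that the test is of type 'alert'
#     action: passIfPresent/passIfAbsent # String: The condition (presence/absence) of the alert, default: passIfAbsent
#     scanRuleId: # Integer: The id of the scanRule which generates the alert, mandatory
#     alertName: # String: The name of the alert generated, optional
#     url: http://www.example.com/path # String: The url of the request corresponding to the alert generated, optional
#     method: # String: The method of the request corresponding to the alert generated, optional
#     attack: # String: The actual attack which generated the alert, optional
#     param: # String: The parameter which was modified to generate the alert, optional
#     evidence: # String: The evidence corresponding to the alert generated, optional
#     confidence: # String: The confidence of the alert, one of 'False Positive', 'Low', 'Medium', 'High', 'Confirmed', optional
#     risk: # String: The risk of the alert, one of 'Informational', 'Low', 'Medium', 'High', optional
#     otherInfo: # String: Additional information corresponding to the alert, optional
#     onFail: 'info' # String: One of 'warn', 'error', 'info', mandatory
- type: outputSummary # Print summary to stdout, primarily to mimic the behaviour of the packaged scans
  parameters:
    format: None # String: The format of the output, one of None, Short, Long, default: None
    summaryFile: # String: The full path of a file into which will be written a JSON summary of the scan, default empty
- type: report # Report generation
  parameters:
    template: # String: The template id, default: modern
    theme: # String: The template theme, default: the first theme defined for the template (if any)
    reportDir: # String: The directory into which the report will be written
    reportFile: # String: The report file name pattern, default: {{yyyy-MM-dd}}-ZAP-Report-[[site]]
    reportTitle: # String: The report title
    reportDescription: # String: The report description
    displayReport: # Boolean: Display the report when generated, default: false
  risks: # List: The risks to include in this report, default all
  - high
  - medium
  - low
  - info
  confidences: # List: The confidences to include in this report, default all
  - high
  - medium
  - low
  - falsepositive
  sections: # List: The template sections to include in this report - see the relevant template, default all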
And I added the following:
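- type: import # Import data from a file into ZAP
  parameters:
    type: 'url' # String: One of ['har', 'modsec2', 'url', 'zap_messages']
    # NOTE(review): a bare relative name is resolved against whatever working directory ZAP was
    # started from, so give the full path (or confirm how the import job resolves relative paths)
    # so the file is reliably found. For 'url' the file is presumably one URL per line - verify
    # against the import add-on docs.
    fileName: testZap # String: Name of the file containing the data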
Now I run: ./zap.sh -cmd -port 8090 -autorun zap.yaml
It starts working and then writes: Unexpected error accessing file /home/zap.yaml : null