Trying to remove findings from reports


Thomas Spear
Feb 2, 2022, 11:06:59 AM
to OWASP ZAP User Group
Hi,

We're scanning our dev and prod environments with zap2docker-weekly and want to remove findings from the scan report for rule ID 90003, for Subresource Integrity attributes missing for our dev environment where things are in a state of flux most of the time and the attributes get in the way more than anything.

I've tried the following:

1) Adding the ID to the ignore_scan_rules array in zap-full-scan.py
2) Changing the ID from WARN to IGNORE in the config
3) Reading the documentation and the code for the pscanrulesAlpha plugin to look for configuration flags I can use on the command line or a config file

I know that disabling the rule will prevent it from appearing in the reports, and that I can go in via the API or the GUI to disable the rule if the API is accessible.

We run the zap docker image in a kubernetes cron job which is set up to create the pod without external access in order to keep zap secure, and the pod terminates when the scan finishes because it is being run from a cron job, so there currently seems not to be a way to achieve this via the API in our setup.

Is there another method outside of the API to disable this scan rule given the steps I've tried from the documentation and various github issues haven't worked? We would prefer to be able to disable specific rules via either the command line or an environment variable over a config file, but any method will suffice as long as it can be used with a cronjob and we don't have to open a port to the pod.

Thanks in advance

kingthorin+owaspzap
Feb 4, 2022, 12:58:31 PM
to OWASP ZAP User Group
There are a few options. Though I'm sure the team would love to hear why you can't simply use the API securely... You can control the originating IPs that can connect and set a strong key....

  • Create a config in ZAP desktop that has the rule disabled and copy that wherever you need it.
  • Create alert filters either for your context and export/copy/import the file wherever you need it.
  • Generate the report in a format that post processing is easy (JSON or XML) and post process it to remove what you don't care about.
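The post-processing route from the third bullet, as an added example that is not part of the original thread: a small Python filter that drops every alert for a given plugin ID (here 90003) from a ZAP JSON report before it is published. The sample report is constructed and assumes the layout of ZAP's traditional-json template (a "site" list whose entries carry an "alerts" list keyed by "pluginid"); check that against a real report from your ZAP version before relying on it.

```python
import json
import sys

# Constructed sample in the shape of ZAP's traditional-json report (assumption:
# top-level "site" list, each site with an "alerts" list keyed by "pluginid").
SAMPLE_REPORT = json.dumps({
    "@version": "2.11.1",
    "site": [{
        "@name": "https://dev.example.test",
        "alerts": [
            {"pluginid": "90003", "alertRef": "90003", "riskcode": "1",
             "alert": "Sub Resource Integrity Attribute Missing", "count": "4"},
            {"pluginid": "10038", "alertRef": "10038", "riskcode": "2",
             "alert": "Content Security Policy (CSP) Header Not Set", "count": "1"},
        ],
    }],
})


def filter_report(report_text, ignored_ids):
    """Parse a ZAP JSON report and drop alerts whose pluginid is in ignored_ids.

    Returns (filtered_report_dict, number_of_alerts_removed). IDs are compared
    as strings because the report stores pluginid as a string.
    """
    report = json.loads(report_text)
    ignored = {str(i) for i in ignored_ids}
    removed = 0
    for site in report.get("site", []):
        kept = []
        for alert in site.get("alerts", []):
            if str(alert.get("pluginid")) in ignored:
                removed += 1
            else:
                kept.append(alert)
        site["alerts"] = kept
    return report, removed


def remaining_plugin_ids(report):
    """Sorted list of pluginids still present, handy for a sanity check in CI."""
    return sorted({a["pluginid"] for s in report.get("site", []) for a in s.get("alerts", [])})


if __name__ == "__main__":
    # Usage: python filter_report.py report.json 90003 [more ids...] > filtered.json
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    filtered, dropped = filter_report(text, sys.argv[2:] or ["90003"])
    print(json.dumps(filtered, indent=2))
    print(f"removed {dropped} alert(s); remaining ids: {remaining_plugin_ids(filtered)}", file=sys.stderr)
```

Run it as the last step of the cron job, after ZAP has written the JSON report, so the filter never needs the ZAP API or an open port.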

Simon Bennetts
Feb 7, 2022, 5:15:40 AM
to OWASP ZAP User Group
This is a known problem with the packaged scans - they filter alerts after they have been found in ZAP which is why they appear in the report.

We are in the process of migrating the packaged scan to the Automation Framework (AF): https://www.zaproxy.org/docs/automate/automation-framework/
This does not suffer from the same restrictions as it runs inside of ZAP.
We have started migrating the baseline scan but have not started on the full scan yet.
However you can use the AF directly - you can either create the yaml config file manually or via the ZAP desktop.
If you'd like some advice and guidance on that then just ask here.

Cheers,

Simon

Thomas Spear
Feb 7, 2022, 12:08:21 PM
to OWASP ZAP User Group
Thanks for the tip with the automation framework, this looks like the way to go as it's where you're migrating the scans to.
I am working on setting this up now and I need to find the ID of the addons that the full scan installs (pscanrulesAlpha and ascanrulesAlpha).
I looked at the marketplace, the code, and the documentation for those addons but I don't see an ID number anywhere that I can use in the ZAP desktop to tell the automation framework what to install.

What are the IDs for those 2 addons?

Simon Bennetts
Feb 7, 2022, 12:13:03 PM
to OWASP ZAP User Group
The IDs for all of the add-ons are shown on the main Marketplace page: https://www.zaproxy.org/addons/ - second column :)

Cheers,

Simon

Thomas Spear
Feb 7, 2022, 12:19:50 PM
to OWASP ZAP User Group
Thanks!

Thomas Spear
Feb 7, 2022, 12:25:59 PM
to OWASP ZAP User Group
Sorry to be a pain. I tried entering 'ascanrulesAlpha' but it doesn't let me save it, the save button clicks but never saves or closes the dialog.
I also tried wrapping the string in single quotes as well as wrapping it in double quotes, but without any effect.

[attachment: zapaddon.png]

Simon Bennetts
Feb 7, 2022, 12:34:56 PM
to OWASP ZAP User Group
Oh - that appears to be a bug!
I just tried it and got the same thing - stack trace is

java.lang.UnsupportedOperationException: null
        at java.util.AbstractList.add(AbstractList.java:148) ~[?:1.8.0_252]
        at java.util.AbstractList.add(AbstractList.java:108) ~[?:1.8.0_252]
        at org.zaproxy.addon.automation.gui.AddOnsTableModel.add(AddOnsTableModel.java:88) ~[?:?]
        at org.zaproxy.addon.automation.gui.AddAddOnsDialog.save(AddAddOnsDialog.java:45) ~[?:?]
        at org.zaproxy.zap.view.StandardFieldsDialog.savePressed(StandardFieldsDialog.java:427) ~[main/:?]
        at org.zaproxy.zap.view.StandardFieldsDialog.access$1(StandardFieldsDialog.java:417) ~[main/:?]
        at org.zaproxy.zap.view.StandardFieldsDialog$3.actionPerformed(StandardFieldsDialog.java:410) ~[main/:?]
        at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2022) ~[?:1.8.0_252]

I'll look at that asap.
In the meantime you can save the job and add the id to the yaml file using a standard text editor.

Cheers,

Simon

Thomas Spear
Feb 7, 2022, 1:01:36 PM
to OWASP ZAP User Group
Ok great. I went ahead and filed https://github.com/zaproxy/zaproxy/issues/7075 to track the fix. Thank you. :)

Thomas Spear
Feb 8, 2022, 11:08:36 AM
to OWASP ZAP User Group
I see the issue with the GUI was resolved this morning. Thanks for that!

Thomas Spear
Feb 9, 2022, 8:01:50 PM
to OWASP ZAP User Group
I've managed to create the automation framework yaml file and make it available in the zap pod in the cluster, and it seems like it should work but I'm still having some challenges.

From looking at the python scripts for full and baseline scan I can see that zap is started with a proxy address set:
ZAPv2(proxies={'http': 'http://' + zap_ip + ':' + str(port), 'https': 'http://' + zap_ip + ':' + str(port)})

I didn't check the zap python module code but logically, when I run the full scan, I can see the connections to the proxy in the output like this:
2022-02-09 23:00:33,736 Starting new HTTP connection (1): localhost:50784

We run zap in a kubernetes cron job and the pod is started with this command:
zap-full-scan.py -t https://redacted.com/signin -d -j -I -a -g full-scan.conf -r full-scan-report.html

And the scan report generated at the end shows the site running in the cluster was scanned.

However, when I run zap with the automation framework config, it gets a 403 right away once it reaches the spider job and then zap exits.
I have no name!@dev-scan-manual-hcjhz:/zap/wrk$ zap.sh -cmd -dir "$(pwd)" -addonupdate
-snip-
Job addOns started
Add-on already installed: /zap/./plugin/ascanrulesBeta-beta-40.zap
Add-on already installed: /zap/./plugin/pscanrulesBeta-beta-29.zap
Add-on already installed: /zap/wrk/plugin/ascanrulesAlpha-alpha-35.zap
Add-on already installed: /zap/wrk/plugin/pscanrulesAlpha-alpha-35.zap
Job addOns finished
Job passiveScan-config started
Job passiveScan-config set rule 90,003 threshold to OFF
Job passiveScan-config finished
Job spider started
Job spider requesting URL https://redacted.com/signin
Job spider failed to access URL https://redacted.com/signin status code returned : 403 expected 200
Job spider test of type stats failed: At least 100 URLs found [0 < 100]
Job spider finished
Automation plan failures:
        Job spider failed to access URL https://redacted.com/signin status code returned : 403 expected 200


Is there something missing from the spider job in automation versus what the full and baseline scans are supposed to do? I've attached a redacted config below:
Thank you in advance.

env:
  contexts:
  - name: "Default Context"
    urls:
    - "https://redacted.com/signin"
    includePaths: []
    excludePaths: []
    authentication:
      parameters: {}
      verification:
        method: "response"
        pollFrequency: 60
        pollUnits: "requests"
    sessionManagement:
      method: "cookie"
      parameters: {}
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
  vars: {}
jobs:
- parameters:
    updateAddOns: false
  install:
  - ascanrulesBeta
  - pscanrulesBeta
  - ascanrulesAlpha
  - pscanrulesAlpha
  uninstall: []
  name: "addOns"
  type: "addOns"
- parameters:
    maxAlertsPerRule: 0
    scanOnlyInScope: true
    maxBodySizeInBytesToScan: 0
    enableTags: false
  rules:
  - id: 90003
    name: "Sub Resource Integrity Attribute Missing"
    threshold: "off"
  name: "passiveScan-config"
  type: "passiveScan-config"
- parameters:
    context: ""
    user: ""
    url: "https://redacted.com/signin"
    maxDuration: 0
    maxDepth: 0
    maxChildren: 0
  tests:
  - onFail: "INFO"
    statistic: "automation.spider.urls.added"
    site: ""
    operator: ">="
    value: 100
    name: "At least 100 URLs found"
    type: "stats"
  name: "spider"
  type: "spider"
- parameters:
    context: ""
    user: ""
    url: "https://redacted.com/signin"
    maxDuration: 0
    maxCrawlDepth: 0
    numberOfBrowsers: 0
  tests:
  - onFail: "INFO"
    statistic: "spiderAjax.urls.added"
    site: ""
    operator: ">="
    value: 100
    name: "At least 100 URLs found"
    type: "stats"
  name: "spiderAjax"
  type: "spiderAjax"
- parameters:
    maxDuration: 0
  name: "passiveScan-wait"
  type: "passiveScan-wait"
- parameters: {}
  policyDefinition:
    rules: []
  name: "activeScan"
  type: "activeScan"
- parameters:
    template: "risk-confidence-html"
    theme: "original"
    reportDir: "."
    reportFile: "full-scan-report.html"
    reportTitle: "ZAP Scanning Report"
    reportDescription: ""
    displayReport: false
  risks:
  - "low"
  - "medium"
  - "high"
  confidences:
  - "low"
  - "medium"
  - "high"
  - "confirmed"
  sections:
  - "siteRiskCounts"
  - "responseBody"
  - "appendix"
  - "alertTypes"
  - "responseHeader"
  - "alertTypeCounts"
  - "riskConfidenceCounts"
  - "alerts"
  - "aboutThisReport"
  - "contents"
  - "requestBody"
  - "reportDescription"
  - "reportParameters"
  - "requestHeader"
  - "summaries"
  name: "report"
  type: "report"

Thomas Spear
Feb 9, 2022, 8:42:28 PM
to OWASP ZAP User Group
It may matter here, so I want to mention it.
The site I'm scanning in this case is a dev site and sits behind a WAF that restricts access from the outside to only certain IPs.
I haven't checked the WAF logs yet but I am almost positive that the 403 in the ZAP output I've shared is coming from the WAF.

I believe I need to change something in the automation framework config in order to reconcile the difference between how the automation framework is making the connection and how the full scan is making the connection, but I don't see any mentions of picking a proxy port in the automation framework config panels on ZAP desktop, whereas the full scan has the -P flag to specify the port for ZAP to bind to.

Simon Bennetts
Feb 10, 2022, 9:40:04 AM
to OWASP ZAP User Group
The Automation Framework is just a way to control ZAP.
If it doesn't provide a configuration setting then you can just use the existing ZAP options, like "-port" as per https://www.zaproxy.org/docs/desktop/cmdline/
However that's the port ZAP is listening on, which shouldn't make a difference as far as an outgoing WAF is concerned.
I think it would be worth checking the WAF logs if that's not too much of a pain - it would be good to know what it's complaining about.
I know the AF and full scan will differ slightly but I'm surprised that it is having this effect, so it would be good to dig into...

Cheers,

Simon

Thomas Spear
Feb 10, 2022, 7:56:50 PM
to OWASP ZAP User Group
Thanks, I ended up finding a solution so my question was moot.
We were not using default options with the full scan so I had to figure out which options in the automation framework corresponded to the flags we were using when starting the full scan, no big deal there.


Now that that's figured out, it works properly, with only some minor differences like some URLs missing in the generated report from the automation framework which were present on the full scan.

Is there any way to get the URLs from the report generated by the full scan to show up in the report generated by the automation framework?
The missing URLs are things like favicon.ico, sitemap.xml, and robots.txt.

I'm attaching examples of the summary and one of the findings from each of the generated reports to highlight the difference.
The automation framework yaml as it is currently configured can be found below in case it helps.

env:
  contexts:
  - name: "Default Context"
    urls:

    includePaths: []
    excludePaths: []
    authentication:
      parameters: {}
      verification:
        method: "response"
        pollFrequency: 60
        pollUnits: "requests"
    sessionManagement:
      method: "cookie"
      parameters: {}
  parameters:
    failOnError: false

    failOnWarning: false
    progressToStdout: true
  vars: {}
jobs:
- parameters:
    updateAddOns: false
  install:
  - "ascanrulesBeta"
  - "pscanrulesBeta"
  - "ascanrulesAlpha"
  - "pscanrulesAlpha"
  uninstall: []
  name: "addOns"
  type: "addOns"
- parameters:
    maxAlertsPerRule: 0
    scanOnlyInScope: false

    maxBodySizeInBytesToScan: 0
    enableTags: false
  rules:
  - id: 90003
    name: "Sub Resource Integrity Attribute Missing"
    threshold: "off"
  name: "passiveScan-config"
  type: "passiveScan-config"
- parameters:
    context: ""
    user: ""

    maxDuration: 0
    maxDepth: 0
    maxChildren: 0
    acceptCookies: false
    handleODataParametersVisited: false
    handleParameters: "IGNORE_COMPLETELY"
    maxParseSizeBytes: 0
    parseComments: false
    parseGit: false
    parseRobotsTxt: true
    parseSitemapXml: true
    parseSVNEntries: false
    postForm: false
    processForm: false
    requestWaitTime: 0
    sendRefererHeader: false
    userAgent: ""

  tests:
  - onFail: "INFO"
    statistic: "automation.spider.urls.added"
    site: ""
    operator: ">="
    value: 100
    name: "At least 100 URLs found"
    type: "stats"
  name: "spider"
  type: "spider"
- parameters:
    context: ""
    user: ""

    maxDuration: 0
    maxCrawlDepth: 0
    numberOfBrowsers: 0
  tests:
  - onFail: "INFO"
    statistic: "spiderAjax.urls.added"
    site: ""
    operator: ">="
    value: 100
    name: "At least 100 URLs found"
    type: "stats"
  name: "spiderAjax"
  type: "spiderAjax"
- parameters:
    maxDuration: 0
  name: "passiveScan-wait"
  type: "passiveScan-wait"
- parameters:
    context: ""
    user: ""
    policy: ""
    maxRuleDurationInMins: 0
    maxScanDurationInMins: 0
    addQueryParam: false
    delayInMs: 0
    handleAntiCSRFTokens: false
    injectPluginIdInHeader: true
    scanHeadersAllRequests: false
    threadPerHost: 2
  policyDefinition:
    defaultStrength: "medium"
    defaultThreshold: "medium"

    rules: []
  name: "activeScan"
  type: "activeScan"
- parameters:
    template: "traditional-html"
    reportDir: "/zap/wrk"

    reportFile: "full-scan-report.html"
    reportTitle: "ZAP Scanning Report"
    reportDescription: ""
    displayReport: false
  risks:
  - "info"

  - "low"
  - "medium"
  - "high"
  confidences:
  - "low"
  - "medium"
  - "high"
  - "confirmed"
  sections:
  - "instancecount"
  - "alertdetails"
  - "alertcount"
  name: "report"
  type: "report"


Thomas Spear
Feb 10, 2022, 7:58:58 PM
to OWASP ZAP User Group
[attachments: summary_automation_framework.png, js_automation_framework.png, js_full_scan.png, summary_full_scan.png]

Thomas Spear
Feb 14, 2022, 8:44:33 PM
to OWASP ZAP User Group
Any update?

Thomas Spear
Feb 22, 2022, 3:33:16 PM
to OWASP ZAP User Group
Hi, I'm still hoping to get an answer to my last question in this thread, regarding making the reports from the automation framework match the reports from the packaged scan.
Please advise?
