Persist the Policy threshold and strength level of an active scan


Albert

Dec 16, 2015, 9:11:07 AM12/16/15
to OWASP ZAP User Group
Hi, 

I am trying to increase the security scan coverage when using the active scanner.
In order to do so I need to persist the threshold and strength level for the active scanner, as I am running ZAP as a daemon.

From the Tools > Active Scan window I can change the Threshold to Low and the Attack Strength to Insane to increase the number of potential issues flagged.

However, I can't persist the settings. I can start the scan from the dialog box, but as I want these settings to be used when running ZAP in daemon mode I would like to persist them.

How can I achieve that?

Thanks

Simon Bennetts

Dec 16, 2015, 9:18:12 AM12/16/15
to OWASP ZAP User Group
Hi Albert,

The Active Scan Dialog is there for tweaking things as you test.
If you want to persist your changes then you'll need to use the Scan Policy Manager.
You can access that from the Analyse menu or the main toolbar.
ZAP allows you to have as many Scan Policies as you like.
You'll start with just one, the Default Policy.
Select it and click the Modify button.
You can then change anything you like and your changes will be persisted.
You can also create new policies and then select the one you want when you start a scan.

Cheers,

Simon
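
Since the Scan Policy Manager is part of the GUI, a daemon-mode alternative is to create and tune a named scan policy through ZAP's JSON API, which writes the policy to ZAP's home directory so it survives a restart. This is an added example, not code from this thread or from the ZAP project; the endpoint and parameter names (addScanPolicy, setPolicyAlertThreshold, setPolicyAttackStrength, id, scanPolicyName, apikey), the six category ids, the base URL, the API key and the policy name "aggressive" are assumptions to check against the API page of your ZAP version.

```python
"""Create a persistent ZAP scan policy with a chosen alert threshold and attack
strength through the JSON API, for daemon mode where the GUI is not available."""
import json
import urllib.parse
import urllib.request

# Value names as the ZAP API spells them (assumption: matches your ZAP version).
THRESHOLDS = ("OFF", "LOW", "MEDIUM", "HIGH", "DEFAULT")
STRENGTHS = ("LOW", "MEDIUM", "HIGH", "INSANE", "DEFAULT")
# Active-scan rule category ids 0..5 (assumption: six categories, as in ZAP 2.4).
CATEGORY_IDS = range(6)

def policy_requests(base_url, apikey, policy_name, threshold, strength):
    """Build the ordered API calls that create `policy_name` and apply one
    threshold/strength to every rule category; ZAP saves the policy on disk."""
    threshold, strength = threshold.upper(), strength.upper()
    for what, value, allowed in (("threshold", threshold, THRESHOLDS),
                                 ("strength", strength, STRENGTHS)):
        if value not in allowed:
            raise ValueError(f"bad {what} {value!r}; use one of {allowed}")

    def call(action, **params):
        params["apikey"] = apikey  # needed unless the API key check is disabled
        query = urllib.parse.urlencode(params)
        return f"{base_url.rstrip('/')}/JSON/ascan/action/{action}/?{query}"

    urls = [call("addScanPolicy", scanPolicyName=policy_name)]
    for cid in CATEGORY_IDS:
        urls.append(call("setPolicyAlertThreshold", id=cid,
                         alertThreshold=threshold, scanPolicyName=policy_name))
        urls.append(call("setPolicyAttackStrength", id=cid,
                         attackStrength=strength, scanPolicyName=policy_name))
    return urls

def is_ok(body):
    """ZAP answers a successful action with {"Result": "OK"}; errors are HTTP 4xx."""
    return json.loads(body).get("Result") == "OK"

def apply_policy(base_url, apikey, policy_name, threshold, strength,
                 opener=urllib.request.urlopen):
    """Send the calls in order and return how many ZAP accepted; `opener` is
    injectable so the sequence can be exercised without a running daemon."""
    done = 0
    for url in policy_requests(base_url, apikey, policy_name, threshold, strength):
        with opener(url) as resp:  # urlopen raises HTTPError on a ZAP error reply
            if not is_ok(resp.read()):
                raise RuntimeError(f"unexpected reply to {url}")
        done += 1
    return done
```

Once the policy exists, a scan started from the API with `scanPolicyName=aggressive` on the `ascan/action/scan` call uses it instead of the Default Policy (assumption: that parameter is present in your version).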

Albert

Dec 16, 2015, 9:22:37 AM12/16/15
to OWASP ZAP User Group
Hi Simon,

Thanks a lot. 

And just as a general curiosity, are there any scan policies available online that cover specific scopes (OWASP Top 10, SANS Top 25 or CWE)?

Or some shared repo where I could download extra rules or share them if I create them myself?

Regards

Simon Bennetts

Dec 16, 2015, 9:35:49 AM12/16/15
to OWASP ZAP User Group
Not really :/

The problem with the OWASP Top 10 is that it's an education document rather than a set of vulnerabilities that can be easily scanned for.
As I've stated in "ZAPping the Top 10":
"Note that the OWASP Top Ten Project risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way. If a completely automated tool claims to protect you against the full OWASP Top Ten then you can be sure they are being ‘economical with the truth’!"

However people do keep asking about such things, so maybe we should create some policies like these, with suitable caveats.
If anyone here comes up with policies that they think it would be useful to share then I'd be delighted to create a new ZAP repo for them.

As it happens we have talked about setting up common policies in Mozilla.
And one option would be to allow users to specify a URL for a remote policy rather than just using local ones.
I like this idea and would be very happy for ZAP to support it (and may implement it myself in time), but obviously we'd have to be very careful not to introduce any vulnerabilities in ZAP when doing so.

Cheers,

Simon