define scan policy rules via zap proxy api


Emad Youssef

Feb 10, 2022, 9:51:18 AM
to OWASP ZAP User Group
Hi,

I'm automating running the ZAP API via a bash script. My methodology is to import the gathered URLs via
```
curl -s "http://localhost:8888/JSON/importurls/action/importurls/?apikey=12345&filePath=file"
```
starting active scan via
```
curl -s "http://localhost:8888/JSON/ascan/action/scan/?apikey=12345&url=http://domain&recurse=true&inScopeOnly=&scanPolicyName=&method=&postData=&contextId="
```
As I see, the argument `scanPolicyName` is in the URL, but I did not find in the documentation how to set this, for example if I need to
scan only for High and Critical bugs and ignore the others (Medium, Low, Info)?
The other thing is that I checked the dir `/.ZAP/policies/Default Policy.policy` and it contains the following:
```
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
    <policy>Default Policy</policy>
    <scanner>
        <level>MEDIUM</level>
        <strength>MEDIUM</strength>
    </scanner>
    <plugins>
        <p6>
            <enabled>true</enabled>
        </p6>
        <p7>
            <enabled>true</enabled>
        </p7>
        <p10045>
            <enabled>true</enabled>
        </p10045>
        <p20019>
            <enabled>true</enabled>
        </p20019>
        <p40009>
            <enabled>true</enabled>
        </p40009>
        <p40012>
            <enabled>true</enabled>
        </p40012>
        <p40014>
            <enabled>true</enabled>
        </p40014>
        <p40018>
            <enabled>true</enabled>
        </p40018>
        <p90019>
            <enabled>true</enabled>
        </p90019>
        <p90020>
            <enabled>true</enabled>
        </p90020>
        <p0>
            <enabled>true</enabled>
        </p0>
        <p30001>
            <enabled>true</enabled>
        </p30001>
        <p30002>
            <enabled>true</enabled>
        </p30002>
        <p40003>
            <enabled>true</enabled>
        </p40003>
        <p40008>
            <enabled>true</enabled>
        </p40008>
        <p40028>
            <enabled>true</enabled>
        </p40028>
        <p40032>
            <enabled>true</enabled>
        </p40032>
        <p40016>
            <enabled>true</enabled>
        </p40016>
        <p40017>
            <enabled>true</enabled>
        </p40017>
        <p50000>
            <enabled>true</enabled>
        </p50000>
        <p40026>
            <enabled>true</enabled>
        </p40026>
        <p90026>
            <enabled>true</enabled>
        </p90026>
        <p90029>
            <enabled>true</enabled>
        </p90029>
    </plugins>
</configuration>
```
As I see, there is `true` for enabled (but what exactly is it for?), for example the variable `p50000`, what is it for?
And that XML file has a `plugins` variable, which I guess is for enabling the active scan to execute using the plugins in the dir `/opt/ZAP_2.11.1/plugin/`, right?
But I have 40 plugins in that dir, so why are only 23 enabled in the XML (and how can I get the code, e.g. `p90029`, for any plugin to load it in the active scan)?

Sorry for the long inquiry.

Simon Bennetts

Feb 10, 2022, 10:01:52 AM
to OWASP ZAP User Group
This policy file format is not documented, as we didn't really expect people to create them manually.
The supported option is to create them using the ZAP desktop.

We do realise that many people will want a more config-file-based approach, and that's one of the reasons why we've introduced the Automation Framework: https://www.zaproxy.org/docs/automate/automation-framework/
That uses just one YAML file and is hopefully much better documented.
This is the direction we recommend most people take for automation going forward.

FYI the "p" numbers refer to the scan rule identifiers which are listed on https://www.zaproxy.org/docs/alerts/

Cheers,

Simon
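The thread does not show how to drive scan policies from the API, so here is an added example (not code from the original post or from the ZAP project) that does what the question asked for over the same JSON API: it reads which rule IDs a `.policy` file enables (the `pNNNN` elements Simon refers to), and builds the ordered calls that create a named policy with only a chosen set of rules switched on, which can then be passed as `scanPolicyName` to `ascan/action/scan`. The host, port and API key (`localhost:8888`, `12345`) are taken from the poster's curl commands; the `ascan` action names and parameter names used (`addScanPolicy`, `disableAllScanners`, `enableScanners`, `setScannerAlertThreshold`) are those of the ZAP 2.11 API as I know them, so verify them against your instance's API UI at `http://localhost:8888/UI/ascan/` before relying on them. The embedded policy XML is a cut-down constructed copy of the file shown above. One caveat worth knowing: a scan policy's alert threshold (OFF/LOW/MEDIUM/HIGH) sets how confident a rule must be before it reports, and attack strength sets how many payloads it tries; neither is a filter on the High/Medium/Low risk rating of the resulting alerts, so "scan only for High risk" is really "enable only the rules whose alerts you care about".

```python
"""Added example: manage ZAP active-scan policies over the JSON API.

Assumptions (not in the original thread): ZAP at http://localhost:8888 with
API key 12345, as in the poster's curl commands; endpoint/parameter names as
in the ZAP 2.11 ascan API (confirm at http://localhost:8888/UI/ascan/).
"""
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

ZAP_BASE = "http://localhost:8888"  # assumption: same address as the poster's setup
API_KEY = "12345"                   # assumption: same key as the poster's setup

# Constructed sample: a trimmed copy of the Default Policy.policy file above.
SAMPLE_POLICY_XML = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
    <policy>Default Policy</policy>
    <scanner><level>MEDIUM</level><strength>MEDIUM</strength></scanner>
    <plugins>
        <p40012><enabled>true</enabled></p40012>
        <p40014><enabled>true</enabled></p40014>
        <p90019><enabled>false</enabled></p90019>
        <p0><enabled>true</enabled></p0>
    </plugins>
</configuration>
"""


def enabled_rule_ids(policy_xml: str) -> list[int]:
    """Return the scan-rule IDs that a .policy file explicitly enables.

    Each <pNNNN> element under <plugins> refers to scan rule NNNN (the IDs
    listed at https://www.zaproxy.org/docs/alerts/). Rules not mentioned in
    the file keep the policy's default state, so only explicit
    <enabled>true</enabled> entries are reported.
    """
    root = ET.fromstring(policy_xml)
    plugins = root.find("plugins")
    ids = []
    for plugin in plugins if plugins is not None else []:
        tag = plugin.tag
        if not (tag.startswith("p") and tag[1:].isdigit()):
            continue  # not a pNNNN rule entry
        if plugin.findtext("enabled", default="false").strip().lower() == "true":
            ids.append(int(tag[1:]))
    return sorted(ids)


def api_url(component: str, action: str, **params: str) -> str:
    """Build a ZAP JSON API action URL in the same shape as the curl calls above."""
    query = urllib.parse.urlencode({"apikey": API_KEY, **params})
    return f"{ZAP_BASE}/JSON/{component}/action/{action}/?{query}"


def policy_plan(name: str, rule_ids: list[int], threshold: str = "MEDIUM",
                strength: str = "MEDIUM") -> list[str]:
    """Return the ordered API calls that create policy `name` with only `rule_ids` on.

    Order matters: create the policy, disable every rule in it, enable the chosen
    rules, then set each chosen rule's alert threshold. Threshold is how sure a
    rule must be before alerting, not a filter on the alert's risk rating.
    """
    ids = ",".join(str(i) for i in rule_ids)
    calls = [
        api_url("ascan", "addScanPolicy", scanPolicyName=name,
                alertThreshold=threshold, attackStrength=strength),
        api_url("ascan", "disableAllScanners", scanPolicyName=name),
        api_url("ascan", "enableScanners", ids=ids, scanPolicyName=name),
    ]
    for rule_id in rule_ids:
        calls.append(api_url("ascan", "setScannerAlertThreshold", id=str(rule_id),
                             alertThreshold=threshold, scanPolicyName=name))
    return calls


def start_scan_url(target: str, policy_name: str) -> str:
    """URL that starts an active scan of `target` using the named policy."""
    return api_url("ascan", "scan", url=target, recurse="true",
                   scanPolicyName=policy_name)


def apply_calls(calls: list[str], timeout: float = 30.0) -> list[dict]:
    """Issue each call against the running ZAP and return the parsed JSON replies.

    Only call this with a ZAP instance actually listening at ZAP_BASE.
    """
    replies = []
    for url in calls:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            replies.append(json.loads(resp.read().decode("utf-8")))
    return replies


if __name__ == "__main__":
    print("enabled in sample policy:", enabled_rule_ids(SAMPLE_POLICY_XML))
    # Reflected XSS (40012) and Persistent XSS (40014) only, as a named policy.
    for url in policy_plan("xss-only", [40012, 40014]):
        print(url)
    print(start_scan_url("http://domain", "xss-only"))
```

To run it for real, call `apply_calls(policy_plan("xss-only", [40012, 40014]))` against a live ZAP and then request `start_scan_url(...)`; `ascan/view/scanPolicyNames` and `ascan/view/scanners?scanPolicyName=xss-only` on the same API will show whether the policy and per-rule settings took effect.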

Emad Youssef

Feb 10, 2022, 1:54:28 PM
to OWASP ZAP User Group
First of all, thanks for your response.
I'm trying the scan in the desktop version before trying to deal with the Automation Framework version, as you advise in this video (https://www.youtube.com/watch?v=TTiW5NPJlwY),
but I have an issue with the desktop version: when I try to define the active scan to only check for XSS, as you described in that video, it stops scanning after 10 (404 status code),
and even if I try to make a full scan without specifying the rule in the active scan, it still hangs there and the progress bar of the active scan is still at 0%, as shown in the screenshot.

The other thing is that when I try to generate a report, the following error shows, as in the screenshot.

My OS: Linux pop-os 5.15.15-76051515-generic
ZAP version: 2.11.1

I tried to solve this by reinstalling ZAP (same issue).
I tried to change the internet connection (same issue).

Thanks
2022-02-10_20-26.png
2022-02-10_19-54.png
2022-02-10_20-41.png

Emad Youssef

Feb 10, 2022, 2:40:14 PM
to OWASP ZAP User Group
Problem solved by switching to Java 11.

Thanks

Simon Bennetts

Feb 11, 2022, 4:15:21 AM
to OWASP ZAP User Group
Oh good, thanks for letting us know!