False-positive handling in daemon mode with context file


Ruskó Szilveszter

May 8, 2023, 8:08:49 AM
to OWASP ZAP User Group
Hi,

Please give me some guidance, so I would like to create a process for false-positive handling in daemon mode.
I have created a context file and added some alertFilters and I have also created API calls to import it.

Somehow ZAP cannot handle these false-positives at all, these do not appear in my report as false positive.

Could u help me pls?

calls:
1. remove default context
curl "http://localhost:8090/JSON/context/action/removeContext/?apikey=&contextName=Default+Context"

2. work
curl "http://${ZAP_HOST}:${ZAP_PORT}/JSON/context/action/importContext/?apikey=&contextFile=/tmp/test.context"

3. set context in scope
curl "http://${ZAP_HOST}:${ZAP_PORT}/JSON/context/action/setContextInScope/?apikey=&contextName=Test+Context&booleanInScope=TRUE"

context file:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
    <context>
        <name>Test Context</name>
        <desc/>
        <inscope>true</inscope>
        <tech>
            <include>Db</include>
            <include>Db.CouchDB</include>
            <include>Db.Firebird</include>
            <include>Db.HypersonicSQL</include>
            <include>Db.IBM DB2</include>
            <include>Db.Microsoft Access</include>
            <include>Db.Microsoft SQL Server</include>
            <include>Db.MongoDB</include>
            <include>Db.MySQL</include>
            <include>Db.Oracle</include>
            <include>Db.PostgreSQL</include>
            <include>Db.SAP MaxDB</include>
            <include>Db.SQLite</include>
            <include>Db.Sybase</include>
            <include>Language</include>
            <include>Language.ASP</include>
            <include>Language.C</include>
            <include>Language.JSP/Servlet</include>
            <include>Language.Java</include>
            <include>Language.Java.Spring</include>
            <include>Language.JavaScript</include>
            <include>Language.PHP</include>
            <include>Language.Python</include>
            <include>Language.Ruby</include>
            <include>Language.XML</include>
            <include>OS</include>
            <include>OS.Linux</include>
            <include>OS.MacOS</include>
            <include>OS.Windows</include>
            <include>SCM</include>
            <include>SCM.Git</include>
            <include>SCM.SVN</include>
            <include>WS</include>
            <include>WS.Apache</include>
            <include>WS.IIS</include>
            <include>WS.Tomcat</include>
        </tech>
        <urlparser>
            <class>org.zaproxy.zap.model.StandardParameterParser</class>
            <config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
        </urlparser>
        <postparser>
            <class>org.zaproxy.zap.model.StandardParameterParser</class>
            <config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
        </postparser>
        <authentication>
            <type>0</type>
            <strategy>EACH_RESP</strategy>
            <pollurl/>
            <polldata/>
            <pollheaders/>
            <pollfreq>60</pollfreq>
            <pollunits>REQUESTS</pollunits>
        </authentication>
        <forceduser>-1</forceduser>
        <session>
            <type>0</type>
        </session>
        <authorization>
            <type>0</type>
            <basic>
                <header/>
                <body/>
                <logic>AND</logic>
                <code>-1</code>
            </basic>
        </authorization>
        <alertFilters>
        <alertFilters>
            <filter>true;10021;-1;aHR0cHM6Ly9nb29nbGUuY29tCg==;false;;false;;false;;false;</filter>
            <filter>true;10054;-1;aHR0cHM6Ly9nb29nbGUuY29tCg==;true;;false;;false;;false;</filter>
        </alertFilters>
    </alertFilters>
    </context>
</configuration>

thc...@gmail.com

May 8, 2023, 8:15:39 AM
to zaprox...@googlegroups.com
Hi.

You are not including anything in your context thus the Alert Filters
will not apply to anything.
(Maybe you want Global Alert Filters which are not bound to a context?)


Also, the XML structure is not correct, you have <alertFilters> inside
<alertFilters>.

Best regards.

On 08/05/2023 13:08, Ruskó Szilveszter wrote:
> Hi,
>
> Please give me some guidance, so I would like to create a process for
> false-positive handling in daemon mode.
> I have created a context file and added some *alertFilters* and I have also
> created API calls to import it.
>
> Somehow ZAP cannot handle these false-positives at all, these do not
> appear in my report as false positive.
>
> Could u help me pls?
>
> *calls*:
> 1. remove default context
> curl
> "http://localhost:8090/JSON/context/action/removeContext/?apikey=&contextName=Default+Context"
>
> 2 .work
> curl
> "http://${ZAP_HOST}:${ZAP_PORT}/JSON/context/action/importContext/?apikey=&contextFile=/tmp/test.context"
>
> 3. set context in scope
> curl
> "http://${ZAP_HOST}:${ZAP_PORT}/JSON/context/action/setContextInScope/?apikey=&contextName=Test+Context&booleanInScope=TRUE"
>
> *context file*:

Ruskó Szilveszter

May 8, 2023, 8:19:23 AM
to OWASP ZAP User Group
How do you mean nothing? 
I would like to create a context file for every target, so I have an API call to add a target and start the scan too.
Could u give me an example for the global setup?


" Also, the XML structure is not correct, you have <alertFilters> inside
<alertFilters>."
I saw it was just a typo.

Thanks

thc...@gmail.com

May 8, 2023, 8:25:19 AM
to zaprox...@googlegroups.com
You don't have any URLs included in the Context.
https://www.zaproxy.org/docs/desktop/ui/dialogs/session/contexts/#include-in-context


The Global Alert Filters are defined through the Options (so config.xml
or -config if you want to go that way). Using the API you would call
`alertFilter/action/addGlobalAlertFilter/`

https://www.zaproxy.org/docs/desktop/addons/alert-filters/globalalertfilter/

Best regards.
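
A pre-import check for the points raised in the two replies above (no URLs included in the context, `<alertFilters>` nested inside `<alertFilters>`) together with the suggested `addGlobalAlertFilter` call, as an added example that is not part of the original thread and is not ZAP project code. Assumptions: the field order of a `<filter>` entry, the `<incregexes>` element name for included URLs, and the API parameter names (`ruleId`, `newLevel`, `url`, `urlIsRegex`, `enabled`); verify them against the API browser of the installed alert filters add-on.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample: the thread's context file reduced to the parts checked here.
SAMPLE = """<configuration><context>
<name>Test Context</name>
<alertFilters>
<alertFilters>
<filter>true;10021;-1;aHR0cHM6Ly9nb29nbGUuY29tCg==;false;;false;;false;;false;</filter>
<filter>true;10054;-1;aHR0cHM6Ly9nb29nbGUuY29tCg==;true;;false;;false;;false;</filter>
</alertFilters>
</alertFilters>
</context></configuration>"""

# Assumed field order of a <filter> entry; the text fields are Base64-encoded.
FIELDS = ["enabled", "ruleId", "newLevel", "url", "urlIsRegex", "parameter",
          "parameterIsRegex", "attack", "attackIsRegex", "evidence", "evidenceIsRegex"]
B64_FIELDS = {"url", "parameter", "attack", "evidence"}

def decode_filter(text):
    """Split one <filter> value into named fields, decoding the Base64 ones."""
    out = {}
    for name, value in zip(FIELDS, text.strip().split(";")):
        out[name] = base64.b64decode(value).decode() if name in B64_FIELDS else value
    return out

def check_context(xml_text):
    """Return (problems, decoded filters) for a context file given as a string."""
    ctx = ET.fromstring(xml_text).find("context")
    problems = []
    if not any((e.text or "").strip() for e in ctx.findall("incregexes")):
        problems.append("no <incregexes>: nothing is included in the context")
    if ctx.find("alertFilters/alertFilters") is not None:
        problems.append("<alertFilters> nested inside <alertFilters>")
    filters = [decode_filter(f.text) for f in ctx.iter("filter")]
    for f in filters:
        if f["url"] != f["url"].strip():
            problems.append(f"rule {f['ruleId']}: decoded URL has stray whitespace")
    return problems, filters

def global_filter_url(base, f, apikey=""):
    """Build (not send) the addGlobalAlertFilter request for one decoded filter."""
    params = {"apikey": apikey, "ruleId": f["ruleId"], "newLevel": f["newLevel"],
              "url": f["url"].strip(), "urlIsRegex": f["urlIsRegex"],
              "enabled": f["enabled"]}
    return f"{base}/JSON/alertFilter/action/addGlobalAlertFilter/?" + urlencode(params)

if __name__ == "__main__":
    problems, filters = check_context(SAMPLE)
    print(*problems, sep="\n")
    print(global_filter_url("http://localhost:8090", filters[0]))
```

On the posted filter entries the check also reports that both URL fields decode to `https://google.com` followed by a newline.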

Ruskó Szilveszter

May 8, 2023, 8:36:25 AM
to OWASP ZAP User Group
Thank you I will check it.

Ruskó Szilveszter

May 8, 2023, 10:02:26 AM
to OWASP ZAP User Group
So I have modified the config.xml but zaproxy cannot handle it at all, some variables are null.
Could you give an example pls?

Simon Bennetts

May 9, 2023, 4:29:29 AM
to OWASP ZAP User Group
The config.xml file was never intended to be directly edited by users :)
It is the way the ZAP desktop stores the configs that the user has made via the GUI.
You can also change ZAP options via the API or via an Automation Framework yaml file.

If you are having problems then the recommended way is to test in the GUI and then export the configs and retest them in daemon mode.

Cheers,

Simon