Report White-List - ZAP Daemon Headless


matteo.d...@gmail.com

May 10, 2021, 7:26:35 AM
to OWASP ZAP User Group
Hi there :) 

I am making great progress with ZAP and by now I have managed to obtain a practically complete integration in the pipeline.

There remains only one point that despite my research I have not been able to solve: how can I get the white-listing with ZAP Daemon in headless mode (directly in the pipeline)?

I tried to configure (using the API documentation) an alert filter on the results that I don't want to see in my reports, in my case "access control allow origin", and it looks like this: 

Unfortunately it doesn't work and in the documentation (zap api reference) I can't find examples/use-cases. 

Did already someone do something like this? Any clue?

Thank you!

Simon Bennetts

May 10, 2021, 7:57:30 AM
to OWASP ZAP User Group
Hiya :)

It's always much easier to diagnose these sorts of issues using the ZAP desktop.
My suggestion:
  • Reproduce the "access control allow origin" vulnerability in the desktop
  • Right click the alert and "Create Alert Filter", editing it as required
  • Double check the alert filter actually works - in the desktop
  • Run that curl command against the ZAP desktop and compare the 2 filters - do they look exactly the same? I suspect it won't, so tweak it until it does
I suspect you have made a mistake somewhere, e.g. in the encoding or in the alert filter fields. But there's no way for me to know as I don't have access to your app :)

Cheers,

Simon

matteo.d...@gmail.com

May 11, 2021, 3:57:54 AM
to OWASP ZAP User Group
Hi Simon :)

Thank you for your quick answer. 

This is exactly how I tried to work on this. Problem is: there isn't a match between daemon parameters and Desktop (see image). 

Also, if I set the parameters like the Desktop, I get errors (example: newLevel is an INT and not a string; I guess it should be a value from 0 Info to 3 High) and the error looks like this: {"code":"illegal_parameter","message":"Provided parameter has illegal or unrecognized value"}
On the other hand, other parameters like "enabled" are only in the daemon and not in the GUI. So I'm basically trying blindly to set the parameters without knowing what the exact ones to pass should be. 

We already discussed the lack of documentation regarding the alertFilter API; is there any update in this direction? :)

Thank you again Simon!

Matteo 
daemon_ui.PNG

Simon Bennetts

May 11, 2021, 4:23:28 AM
to OWASP ZAP User Group
Hi Matteo,

I just tried the URL you gave in your first message and it added an alert filter for me :/
I did have to change 'zap' to 'localhost' - 'zap' will only work if you are proxying through ZAP.
The ruleId needs to be as per the Ids on https://www.zaproxy.org/docs/alerts/

So I think you should be using something like: localhost:8090/JSON/alertFilter/action/addGlobalAlertFilter/?ruleId=10098&newLevel=-1&url=https%3A%2F%2Fmyurl%2Fapi%2Fv1%2Fme%2Fidentity

newLevel=-1 is False Positive
You don't need to specify the other optional parameters, but they can be used to make the rule more specific if you need to do that.

If you get errors from the API you can also look in the zap.log file to get more detailed info, or enable "Report error details via API" in the Options / API.

Cheers,

Simon
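
A small Python helper, added here as an example and not part of this thread or of ZAP's own client library, that builds the addGlobalAlertFilter request Simon describes with proper percent-encoding, rejects the non-integer newLevel values that produced the illegal_parameter error above, omits blank optional parameters, and classifies the daemon's JSON reply. It assumes the daemon listens on localhost:8090 and that a successful action returns {"Result":"OK"}.

```python
"""Build and check ZAP alertFilter API requests (added example, not ZAP's own code)."""
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# newLevel values as described in the thread: -1 False Positive, 0 Info .. 3 High.
NEW_LEVELS = {-1: "False Positive", 0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def build_add_global_alert_filter_url(base, rule_id, new_level, url, api_key=None, **optional):
    """Return the GET URL for /JSON/alertFilter/action/addGlobalAlertFilter/.

    Only the required parameters (ruleId, newLevel, url) plus non-blank optional
    ones are sent; urlencode takes care of percent-encoding the target URL, which
    avoids hand-encoding mistakes in a pipeline script. apikey is added when given
    (assumed daemon setting: API key enforcement on).
    """
    if not isinstance(rule_id, int):
        raise TypeError("ruleId must be the integer scan rule id (see zaproxy.org/docs/alerts/)")
    if new_level not in NEW_LEVELS:  # a string such as "High" is what triggers illegal_parameter
        raise ValueError(f"newLevel must be one of {sorted(NEW_LEVELS)}, got {new_level!r}")
    params = {"ruleId": rule_id, "newLevel": new_level, "url": url}
    params.update({k: v for k, v in optional.items() if v not in (None, "")})
    if api_key:
        params["apikey"] = api_key
    return f"{base.rstrip('/')}/JSON/alertFilter/action/addGlobalAlertFilter/?{urlencode(params)}"


def empty_params(request_url):
    """Names of query parameters sent with a blank value.

    Useful when diagnosing a hand-written curl line: the thread's advice is to
    leave optional fields out entirely rather than send them empty.
    """
    query = urlsplit(request_url).query
    return [k for k, vals in parse_qs(query, keep_blank_values=True).items() if vals == [""]]


def classify_api_response(body):
    """Return 'OK' for a successful action, otherwise the error code ZAP reported."""
    data = json.loads(body)
    if data.get("Result") == "OK":
        return "OK"
    return data.get("code", "unknown_error")


if __name__ == "__main__":
    # Constructed values: rule 10098 and the target URL are the ones quoted in the thread.
    print(build_add_global_alert_filter_url("http://localhost:8090", 10098, -1,
                                            "https://myurl/api/v1/me/identity"))
```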

matteo.d...@gmail.com

May 11, 2021, 4:27:45 AM
to OWASP ZAP User Group
Hi Simon

this is interesting. I will check it again :)

The thing is, I've automated ZAP in GitLab, and I've imported the daemon as a service. I can start it by just calling the alias that I've defined in my gitlab-ci (in my case, zap:9090). :) 

I'll try again and come back to you, but for now thank you very very much!

Best regards
Matteo 

matteo.d...@gmail.com

May 25, 2021, 3:29:24 PM
to OWASP ZAP User Group
Hi there

I tried my query with the changes that you suggested and the result is the same: nothing. 
I'm questioning myself whether I should apply the rule to the base URL instead of the specific one. 

curl -4 --retry 2 --retry-connrefused --retry-delay 1 "http://zap:8090/JSON/alertFilter/action/addGlobalAlertFilter/?ruleId=10098&newLevel=-1&url=https%3A%2F%2Fmyapi.execute-api.aws.com%2Fapi%2Fv1%2Fexample%2Fpanic&urlIsRegex=&parameter=&enabled=&parameterIsRegex=&attack=&attackIsRegex=&evidence=Access-Control-Allow-Origin%3A+*&evidenceIsRegex="

So I should limit myself to the top-level domain, basically?

Thank you again!

See attachment for the ZAP report
Capture.JPG