Zest fail action


Ph

Jan 19, 2015, 8:30:48 AM
to mozill...@googlegroups.com
Hi,

Currently the Zest fail action contains only a message field, which is displayed as the alert title in ZAP.
It would be interesting to have some other generic fields like description, solution, reference etc. on the Zest fail action so that those also appear on the ZAP alert.
As these can be generic info, they should be common across various tools.

As an alternative, it would be useful to define some conventions, like adding labels that ZAP or others then interpret, e.g.:
First line is taken to be the alert title.
Any other lines with no known prefix are put in the description.
Including this one.
Solution: this will then go in the ZAP alert solution field.
etc

Kr,
Ph

Sunny

Jan 19, 2015, 10:28:25 AM
to mozill...@googlegroups.com
Hi Ph,

Thanks for the suggestion. I spent some time thinking over this and came up with a proposal, which sure needs some more work to become better.

So, I thought of a new format for ZestActionFail, something like this:
{
  "description": <String>,
  "priority": <INFO/LOW/MEDIUM/HIGH>,
  "solution": {
    "message": <String>,
    "references": [
      {
        "statementIndex": <Number>,
        "docLink": <URI>,
        "description": <String>
      },
      {
        "statementIndex": <Number>,
        "docLink": <URI>,
        "description": <String>
      }
    ],
    "elementType": <ZestSolutionSteps/ZestSolutionDocs>
  },
  "index": <Number>,
  "enabled": <Boolean>,
  "elementType": "ZestActionFail"
}

There are new fields, `description`, `solution`, `message` & `references`.

`description` - description about the failure
`solution` - possible solution to fix the failure
`message` - a short description about the solution
`references` - solution references
`statementIndex` - statement to be modified or being referred to
`docLink` - web link to some doc about the issue
`description` - description of the step to fix
`ZestSolutionSteps` - Solution which could fix the issue by following a few steps. Could be used to fix zest script issues.
`ZestSolutionDocs` - Suggested solution to fix the vulnerabilities found in the app being tested.

So we have a new `solution` object which either has steps to fix the issue (ZestSolutionSteps) or suggests solutions with docs to fix the issue (ZestSolutionDocs).
Maybe we can have some more types for other possible needs. Suggestions are welcome :)

When a solution is of type ZestSolutionSteps, it should have a `statementIndex`, and `description` would explain what to do in that statement.
For ZestSolutionDocs, it should have `docLink` and a `description` describing the link.

Solution references attributes are optional. A ZestSolutionSteps may have a `docLink` to some web link with more info about the issue or graphical description about fixing steps.

Here is an example of a ZestActionFail statement:
{
  "description": "No response even after waiting for 5 seconds",
  "priority": "HIGH",
  "solution": {
    "message": "Possible fixes:\n 1. increment timer\n 2. change something else",
    "references": [
      {
        "statementIndex": 2,
        "description": "Increment the timer value"
      },
      {
        "statementIndex": 5,
        "description": "change something else to X"
      }
    ],
    "elementType": "ZestSolutionSteps"
  },
  "index": 3,
  "enabled": true,
  "elementType": "ZestActionFail"
}

So, this is the idea that I came up with. As it's understandable, this not only takes Zest as a testing tool, but also as a general purpose web automation scripting language which can suggest steps to fix the script and even fix the app it's testing.

I would like to know what others think about this idea.

Thanks!
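
A consumer of the proposed format would need to check the per-type rules above before turning a fail action into an alert. The following is an added example, not part of the thread or of Zest/ZAP code: `validate_action_fail` is a hypothetical helper, and it assumes that `solution` may be omitted and that a "web link" means an http(s) URL.

```python
from urllib.parse import urlparse

PRIORITIES = {"INFO", "LOW", "MEDIUM", "HIGH"}
# Fields every reference must carry for each solution type, per the post.
REQUIRED = {
    "ZestSolutionSteps": ("statementIndex", "description"),
    "ZestSolutionDocs": ("docLink", "description"),
}

def validate_action_fail(stmt):
    """Return a list of problems in a proposed-format ZestActionFail dict."""
    errors = []
    if stmt.get("elementType") != "ZestActionFail":
        errors.append("elementType must be ZestActionFail")
    if not isinstance(stmt.get("description"), str):
        errors.append("description must be a string")
    if stmt.get("priority") not in PRIORITIES:
        errors.append("priority must be INFO, LOW, MEDIUM or HIGH")
    solution = stmt.get("solution")
    if solution is None:  # assumption: a fail action may omit the solution
        return errors
    kind = solution.get("elementType")
    if kind not in REQUIRED:
        return errors + [f"unknown solution elementType {kind!r}"]
    if not isinstance(solution.get("message"), str):
        errors.append("solution.message must be a string")
    for i, ref in enumerate(solution.get("references", [])):
        for field in REQUIRED[kind]:
            if field not in ref:
                errors.append(f"references[{i}] lacks {field} ({kind})")
        idx = ref.get("statementIndex")
        if idx is not None and (type(idx) is not int or idx < 0):
            errors.append(f"references[{i}].statementIndex is not an index")
        # assumption: "web link" means http(s); other schemes are rejected
        link = ref.get("docLink")
        if link is not None and urlparse(str(link)).scheme not in ("http", "https"):
            errors.append(f"references[{i}].docLink is not an http(s) URL")
    return errors

# Based on the post's example statement, plus a constructed ZestSolutionDocs sample.
STEPS = {"description": "No response even after waiting for 5 seconds",
         "priority": "HIGH", "index": 3, "enabled": True, "elementType": "ZestActionFail",
         "solution": {"message": "Possible fixes", "elementType": "ZestSolutionSteps",
                      "references": [{"statementIndex": 2, "description": "Increment the timer value"},
                                     {"statementIndex": 5, "description": "change something else to X"}]}}
DOCS_BAD = {"description": "constructed sample", "priority": "URGENT",
            "elementType": "ZestActionFail",
            "solution": {"message": "Read the docs", "elementType": "ZestSolutionDocs",
                         "references": [{"docLink": "ftp://example.invalid/readme"}]}}
```

`validate_action_fail(STEPS)` returns an empty list, while `DOCS_BAD` is reported for its priority, its missing `description` and its non-http(s) `docLink`.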

Ph

Jan 20, 2015, 3:03:40 AM
to mozill...@googlegroups.com
Hi Sunny,

Sounds perfect!

Kr,
Ph