This repository has been archived by the owner on Sep 15, 2021. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 10
/
reference.conf
407 lines (386 loc) · 12.1 KB
/
reference.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
# Copyright 2021 HM Revenue & Customs
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Below properties are used to configure Zap Api.
# To override any of the the default values, specify the required config in the test suite's .conf file.
zap-automation-config {
# Conducts a ZAP active scan if set to true.
activeScan = false
# Fails test only if the reported alert's severity is above or same as the provided failureThreshold.
# Example:
# failureThreshold = "Medium" will not fail the test if the report has only Low and Informational alerts.
# Test will fail if there are any Medium or High Alerts
# Accepted Values: High, Medium, Low
failureThreshold = "Low"
# Required field. This does not need overridding when running zap-automation tests in CI.
# To keep your local test setup consistent with CI, you can configure the port that the OWASP ZAP API is exposed
# on by including the '-port 11000' option when starting ZAP from the command line.
zapBaseUrl = "http://localhost:11000"
# Required field. This field has multiple uses. It is the seed url passed to the spider scan, and, it is used as a
# check to ensure that clients/browsers have been configured correctly to proxy requests via ZAP. It's best to set
# the testUrl value to the URL of the initial landing page of the service under test (not just localhost:port).
testUrl = ""
# Not a required field. This url is added as the base url to your context.
# A context is a construct in Zap that limits the scope of any attacks run to a
# particular domain (this doesn't mean that Zap won't find alerts on other services during the
# browser test run).
# This would usually be the base url of your service - eg http://localhost:xxxx.*
contextBaseUrlRegex = ".*"
# Not a required field. This value, if set to true, will ignore all alerts from optimizely.
ignoreOptimizelyAlerts = false
# Not a required field. These are the urls that the zap-automation library
# will use to filter out the alerts that are shown to you. Note that while Zap is doing
# testing, it is likely to find alerts from other services that you don't own - for example
# from logging in, therefore we recommend that you set this to be urls for the
# service you are interested in.
alertUrlsToReport = []
# Not a required field. You should set this to be true if you are testing an API.
# By default this assumes you are testing a UI and therefore is defaulted to be false.
testingAnApi = false
# Not a required field. You may set this if you have any routes that are part of your
# application, but you do not want tested. For example, if you had any test-only routes, you
# could force Zap not to test them by adding them in here as a regex.
routeToBeIgnoredFromContext = ""
# Not a required field. We recommend you don't change this field, as we've made basic choices
# for the platform. We made it overridable just in case your service differs from the
# standards of the Platform.
#
# The technologies that you put here will limit the amount of checks that ZAP will do to
# just the technologies that are relevant. The default technologies are set to
# "OS,OS.Linux,Language,Language.Xml,SCM,SCM.Git".
desiredTechnologyNames = "OS,OS.Linux,Language,Language.Xml,SCM,SCM.Git"
# If, when you run the Zap tests, you find alerts that you have investigated and don't see as a problem
# you can filter them out by adding to this list, using the cweid and the url regex that the alert was found on.
# The CWE ID is a Common Weakness Enumeration (http://cwe.mitre.org/data/index.html), you can
# find this by looking at the alert output from your tests.
# example: alertsToIgnore = [{cweid: "16", url: "http://localhost:9999/hello/\\w{3}/here"},
# {cweid: "17", url: "http://localhost:9999/hello/\\w{3}/here"}]
alertsToIgnore = []
# Default list of scanners for which alerts will be shown in the report
scanners : {
passive : [
{
id : 2
name : Private IP Disclosure
}
{
id : 3
name: Session ID in URL Rewrite
}
{
id : 10010
name: Cookie No HttpOnly Flag
}
{
id : 10011
name: Cookie Without Secure Flag
}
{
id : 10015
name : Incomplete or No Cache-control and Pragma HTTP Header Set
}
{
id : 10016
name : Web Browser XSS Protection Not Enabled
}
{
id : 10017
name: Cross-Domain JavaScript Source File Inclusion
}
{
id : 10019
name : Content-Type Header Missing
}
{
id : 10020
name : X-Frame-Options Header Scanner
}
{
id : 10021
name : X-Content-Type-Options Header Missing
}
{
id : 10023
name : Information Disclosure - Debug Error Messages
}
{
id : 10024
name : Information Disclosure - Sensitive Informations in URL
}
{
id : 10025
name : Information Disclosure - Sensitive Information in HTTP Referrer Header
}
{
id : 10026
name : HTTP Parameter Override
}
{
id : 10027
name : Information Disclosure - Suspicious Comments
}
{
id : 10032
name : Viewstate Scanner
}
{
id : 10037
name : "Server Leaks Information via \"X-Powered-By\" HTTP Response Header Field(s)"
}
# This Scanner needs to be reviewed by PlatSec before enabling it.
# {
# id : 10054
# name : Cookie Without SameSite Attribute
# }
# This scanner needs to be fine tuned before enabling its alerts
# {
# id : 10055
# name : Content Security Policy Scanner
# }
{
id : 10056
name : X-Debug-Token Information Leak
}
{
id : 10057
name : Username Hash Found
}
{
id : 10061
name : X-AspNet-Version Response Header Scanner
}
# Reveiewed with PlatSec and agreed to disable the alerts from this scanner.
# Severity is only informational and introduces a lot of noise.
# {
# id : 10096
# name : Timestamp Disclosure
# }
{
id : 10098
name : Cross-Domain Misconfiguration
}
{
id : 10105
name : Weak Authentication Method
}
{
id : 10202
name : Absence of Anti-CSRF Tokens
}
{
id : 10040
name : Secure Pages Include Mixed Content
}
{
id : 50001
name : Script Passive Scan Rules
}
{
id : 50003
name : Stats Passive Scan Rule
}
{
id : 90001
name : Insecure JSF ViewState
}
{
id : 90011
name : Charset Mismatch
}
{
id : 90022
name : Application Error Disclosure
}
{
id : 322420463
name : Retire.js
}
],
active = [
{
id : 0
name : Directory Browsing
}
{
id : 6
name : Path Traversal
}
{
id : 7
name : Remote File Inclusion
}
{
id : 42
name : Source Code Disclosure - SVN
}
{
id : 10045
name : Source Code Disclosure - /WEB-INF folder
}
{
id : 10048
name : Remote Code Execution - Shell Shock
}
{ id : 10095
name: Backup File Disclosure
}
{
id : 20012
name: Anti CSRF Tokens Scanner
}
{
id : 20014
name : HTTP Parameter Pollution scanner
}
{
id : 20015
name : Heartbleed OpenSSL Vulnerability
}
{
id : 20016
name : Cross-Domain Misconfiguration
}
{
id : 20017
name : Source Code Disclosure - CVE-2012-1823
}
{
id : 20018
name : Remote Code Execution - CVE-2012-1823
}
{
id : 20019
name : External Redirect
}
{
id : 30001
name : Buffer Overflow
}
{
id : 30002
name : Format String Error
}
{
id : 30003
name : Integer Overflow Error
}
{
id : 40003
name: CRLF Injection
}
{
id : 40008
name : Parameter Tampering
}
{
id : 40009
name : Server Side Include
}
{
id : 40012
name : Cross Site Scripting (Reflected)
}
{
id : 40013
name : Session Fixation
}
{
id : 40014
name : Cross Site Scripting (Persistent)
}
{ id : 40016
name : Cross Site Scripting (Persistent) - Prime
}
{
id : 40017
name : Cross Site Scripting (Persistent) - Spider
}
{
id : 40018
name : SQL Injection
}
{
id : 40019
name : SQL Injection - MySQL
}
{
id : 40020
name : SQL Injection - Hypersonic SQL
}
{
id : 40021
name : SQL Injection - Oracle
}
{
id : 40022
name : SQL Injection - PostgreSQL
}
{
id : 40023
name : Possible Username Enumeration
}
{
id : 50000
name : Script Active Scan Rules
}
{
id : 90019
name : Server Side Code Injection
}
{
id : 90020
name : Remote OS Command Injection
}
{
id : 90021
name : XPath Injection
}
{
id : 90023
name : XML External Entity Attack
}
{
id : 90024
name : Generic Padding Oracle
}
{
id : 90025
name : Expression Language Injection
}
{
id : 90028
name : Insecure HTTP Method
}
]
}
customRiskConf = [
{
pluginId: "322420463", risk: "High" #Retire.js
}
]
debug {
# Checks if the testUrl configured above returns a 2xx or 3xx response and fails if it returns anything else
healthCheck=true
# When set to true the library deletes the run context and policy, and clears down all of the alerts generated during
# execution of the scans
tearDown = true
# Set to true if you would like zap-automation to print it's config to the console
printConfig=true
# Timeout value for patience config in seconds. Test times out if spider or active scan does not finish within configured time.
patienceConfigTimeout=600
# Interval value for patience config in seconds. Spider and Active Scan status is checked at this interval until the scan is completed.
patienceConfigInterval=2
# Zap connection timeout in seconds. Zap will timeout if a response is not received within the configured duration.
connectionTimeout=20
}
}