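--- # OWASP ZAP automation configuration file, for more details see https://www.zaproxy.org/docs/automate/automation-framework/
# Template plan: every bare `key:` below is a placeholder and parses as null.
# Fill in the values you need and delete the jobs you do not use before running the plan.
env:                                   # The environment, mandatory
  contexts:                            # List of 1 or more contexts, mandatory
    - name: context 1                  # Name to be used to refer to this context in other jobs, mandatory
      urls:                            # A mandatory list of top level urls, everything under each url will be included
      includePaths:                    # An optional list of regexes to include
      excludePaths:                    # An optional list of regexes to exclude
      authentication:
        method:                        # String, one of 'manual', 'http', 'form', 'json' or 'script'
        parameters:                    # May include any required for scripts. All of the parameters support vars except for the port
          hostname:                    # String, only for 'http' authentication
          port:                        # Int, only for 'http' authentication
          realm:                       # String, only for 'http' authentication
          loginPageUrl:                # String, the login page URL to read prior to making the request, only for 'form' or 'json' authentication
          loginRequestUrl:             # String, the login URL to request, only for 'form' or 'json' authentication
          loginRequestBody:            # String, the login request body - if not supplied a GET request will be used, only for 'form' or 'json' authentication
          script:                      # String, path to script, only for 'script' authentication
          scriptEngine:                # String, the name of the script engine to use, only for 'script' authentication
        verification:
          method:                      # String, one of 'response', 'request', 'both', 'poll'
          loggedInRegex:               # String, regex pattern for determining if logged in
          loggedOutRegex:              # String, regex pattern for determining if logged out
          pollFrequency:               # Int, the poll frequency, only for 'poll' verification
          pollUnits:                   # String, the poll units, one of 'requests', 'seconds', only for 'poll' verification
          pollUrl:                     # String, the URL to poll, only for 'poll' verification
          pollPostData:                # String, post data to include in the poll, only for 'poll' verification
          pollAdditionalHeaders:       # List of additional headers for poll request, only for 'poll' verification
            - header:                  # The header name
              value:                   # The header value
      sessionManagement:
        method:                        # String, one of 'cookie', 'http', 'script'
        parameters:                    # List of 0 or more parameters - may include any required for scripts
          script:                      # String, path to script, only for 'script' session management
          scriptEngine:                # String, the name of the script engine to use, only for 'script' session management
      users:                           # List of one or more users available to use for authentication
        - name:                        # String, the name to be used by the jobs
          credentials:                 # List of user credentials - may include any required for scripts, vars supported
            username:                  # String, the username to use when authenticating
            # Vars are supported for credentials: reference a variable here rather than committing a literal secret with the plan
            password:                  # String, the password to use when authenticating
  vars:                                # List of 0 or more variables, can be used in urls and selected other parameters
  parameters:
    failOnError: true                  # If set exit on an error
    failOnWarning: false               # If set exit on a warning - while false, tests whose onFail is 'warn' are reported but do not stop the plan
    progressToStdout: true             # If set will write job progress to stdout

jobs:
  - type: addOns                       # Add-on management
    parameters:
      updateAddOns: false              # Currently disabled due to problems updating the framework and jobs while they are running
    install:                           # A list of non standard add-ons to install from the ZAP Marketplace
    uninstall:                         # A list of standard add-ons to uninstall
  - type: alertFilter                  # Used to change the risk levels of alerts
    parameters:
      deleteGlobalAlerts: true         # Boolean, if true then will delete all existing global alerts, default false - set false to keep filters defined outside this plan
    # Filters that lower a risk level or mark a finding 'False Positive' suppress it in the results - record the justification next to each one so suppressed findings stay auditable
    alertFilters:                      # A list of alertFilters to be applied
      - ruleId:                        # Int: Mandatory alert rule id
        newRisk:                       # String: Mandatory new risk level, one of 'False Positive', 'Info', 'Low', 'Medium', 'High'
        context:                       # String: Optional context name, if empty then a global alert filter will be created
        url:                           # String: Optional string to match against the alert, supports environment vars
        urlRegex:                      # Boolean: Optional, if true then the url is a regex
        parameter:                     # String: Optional string to match against the alert parameter field
        parameterRegex:                # Boolean: Optional, if true then the parameter is a regex, supports environment vars
        attack:                        # String: Optional string to match against the alert attack field
        attackRegex:                   # Boolean: Optional, if true then the attack is a regex
        evidence:                      # String: Optional string to match against the alert evidence field
        evidenceRegex:                 # Boolean: Optional, if true then the evidence is a regex
  - type: passiveScan-config           # Passive scan configuration
    parameters:
      maxAlertsPerRule: 10             # Int: Maximum number of alerts to raise per rule
      scanOnlyInScope: true            # Bool: Only scan URLs in scope (recommended)
      maxBodySizeInBytesToScan:        # Int: Maximum body size to scan, default: 0 - will scan all messages
      enableTags: false                # Bool: Enable passive scan tags, default: false - enabling them can impact performance
    rules:                             # A list of one or more passive scan rules and associated settings which override the defaults
      - id:                            # Int: The rule id as per https://www.zaproxy.org/docs/alerts/
        name:                          # String: The name of the rule for documentation purposes - this is not required or actually used
        threshold:                     # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium
  - type: script                       # Script management - scripts run with ZAP's privileges, so only reference files you control
    parameters:
      action:                          # String: The executed action - available actions: add, remove, run
      type:                            # String: The type of the script
      engine:                          # String: The script engine to use - can be used to override the default engine for the file extension
      name:                            # String: The name of the script, defaults to the file name
      file:                            # String: The full file path, must be readable
  - type: requestor                    # Used to send specific requests to targets
    parameters:
      user:                            # String: An optional user to use for authenticated requests, must be defined in the env
    requests:                          # A list of requests to make
      - url:                           # String: A mandatory URL of the request to be made
        name:                          # String: Optional name for the request, for documentation only
        method:                        # String: A non-empty request method, default: GET
        data:                          # String: Optional data to send in the request body, supports vars
        responseCode:                  # Int: An optional, expected response code against which the actual response code will be matched
  - type: graphql                      # GraphQL definition import
    parameters:
      endpoint:                        # String: the endpoint URL, default: null, no schema is imported
      schemaUrl:                       # String: URL pointing to a GraphQL Schema, default: null, import using introspection on endpoint
      schemaFile:                      # String: Local file path of a GraphQL Schema, default: null, import using schemaUrl
      maxQueryDepth:                   # Int: The maximum query generation depth, default: 5
      lenientMaxQueryDepthEnabled:     # Bool: Whether or not Maximum Query Depth is enforced leniently, default: true
      maxAdditionalQueryDepth:         # Int: The maximum additional query generation depth (used if enforced leniently), default: 5
      maxArgsDepth:                    # Int: The maximum arguments generation depth, default: 5
      optionalArgsEnabled:             # Bool: Whether or not Optional Arguments should be specified, default: true
      argsType:                        # Enum [inline, variables, both]: How arguments are specified, default: both
      querySplitType:                  # Enum [leaf, root_field, operation]: The level for which a single query is generated, default: leaf
      requestMethod:                   # Enum [post_json, post_graphql, get]: The request method, default: post_json
  - type: openapi                      # OpenAPI definition import
    parameters:
      apiFile:                         # String: Local file containing the OpenAPI definition, default: null, no definition will be imported
      apiUrl:                          # String: URL containing the OpenAPI definition, default: null, no definition will be imported
      targetUrl:                       # String: URL which overrides the target defined in the definition, default: null, the target will not be overridden
  - type: soap                         # SOAP WSDL import
    parameters:
      wsdlFile:                        # String: Local file path of the WSDL, default: null, no definition will be imported
      wsdlUrl:                         # String: URL pointing to the WSDL, default: null, no definition will be imported
  - type: spider                       # The traditional spider - fast but doesn't handle modern apps so well
    parameters:
      context:                         # String: Name of the context to spider, default: first context
      user:                            # String: An optional user to use for authentication, must be defined in the env
      url:                             # String: Url to start spidering from, default: first context URL
      maxDuration:                     # Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited
      maxDepth:                        # Int: The maximum tree depth to explore, default 5
      maxChildren:                     # Int: The maximum number of children to add to each node in the tree
      acceptCookies:                   # Bool: Whether the spider will accept cookies, default: true
      handleODataParametersVisited:    # Bool: Whether the spider will handle OData responses, default: false
      handleParameters:                # Enum [ignore_completely, ignore_value, use_all]: How query string parameters are used when checking if a URI has already been visited, default: use_all
      maxParseSizeBytes:               # Int: The max size of a response that will be parsed, default: 2621440 - 2.5 Mb
      parseComments:                   # Bool: Whether the spider will parse HTML comments in order to find URLs, default: true
      parseGit:                        # Bool: Whether the spider will parse Git metadata in order to find URLs, default: false
      parseRobotsTxt:                  # Bool: Whether the spider will parse 'robots.txt' files in order to find URLs, default: true
      parseSitemapXml:                 # Bool: Whether the spider will parse 'sitemap.xml' files in order to find URLs, default: true
      parseSVNEntries:                 # Bool: Whether the spider will parse SVN metadata in order to find URLs, default: false
      postForm:                        # Bool: Whether the spider will submit POST forms, default: true
      processForm:                     # Bool: Whether the spider will process forms, default: true
      requestWaitTime:                 # Int: The time between the requests sent to a server in milliseconds, default: 200
      sendRefererHeader:               # Bool: Whether the spider will send the referer header, default: true
      threadCount:                     # Int: The number of spider threads, default: 2
      userAgent:                       # String: The user agent to use in requests, default: '' - use the default ZAP one
    tests:
      - name: 'At least X URLs found'  # String: Name of the test, default: statistic + operator + value
        type: 'stats'                  # String: Type of test, only 'stats' is supported for now
        statistic: 'automation.spider.urls.added'  # String: Name of an integer / long statistic, currently supported: 'automation.spider.urls.added'
        operator: '>='                 # String ['==', '!=', '>=', '>', '<', '<=']: Operator used for testing
        value: 100                     # Int: Change this to the number of URLs you expect to find
        onFail: 'info'                 # String: One of 'warn', 'error', 'info', mandatory
  - type: spiderAjax                   # The ajax spider - slower than the spider but handles modern apps well
    parameters:
      context:                         # String: Name of the context to spider, default: first context
      url:                             # String: Url to start spidering from, default: first context URL
      maxDuration:                     # Int: The max time in minutes the ajax spider will be allowed to run for, default: 0 unlimited
      maxCrawlDepth:                   # Int: The max depth that the crawler can reach, default: 10, 0 is unlimited
      numberOfBrowsers:                # Int: The number of browsers the spider will use, more will be faster but will use up more memory, default: 1
      browserId:                       # String: Browser Id to use, default: firefox-headless
      clickDefaultElems:               # Bool: When enabled only click the default element: 'a', 'button' and input, default: true
      clickElemsOnce:                  # Bool: When enabled only click each element once, default: true
      eventWait:                       # Int: The time in milliseconds to wait after a client side event is fired, default: 1000
      maxCrawlStates:                  # Int: The maximum number of crawl states the crawler should crawl, default: 0 unlimited
      randomInputs:                    # Bool: When enabled random values will be entered into input element, default: true
      reloadWait:                      # Int: The time in milliseconds to wait after the URL is loaded, default: 1000
    tests:
      - name: 'At least X URLs found'  # String: Name of the test, default: statistic + operator + value
        type: 'stats'                  # String: Type of test, only 'stats' is supported for now
        statistic: 'spiderAjax.urls.added'  # String: Name of an integer / long statistic, currently supported: 'spiderAjax.urls.added'
        operator: '>='                 # String ['==', '!=', '>=', '>', '<', '<=']: Operator used for testing
        value: 100                     # Int: Change this to the number of URLs you expect to find
        onFail: 'info'                 # String [warn, error, info]: Change this to 'warn' or 'error' for the test to take effect
  - type: delay                        # Pause the plan for a set period of time or event (file created, programmatic method called, API endpoint called)
    parameters:
      time:                            # String: The time to wait, format any of ['hh:mm:ss', 'mm:ss', 'ss'], default: 0
      fileName:                        # String: Name of a file which will cause the job to end early if created, default: empty
  - type: passiveScan-wait             # Passive scan wait for the passive scanner to finish
    parameters:
      maxDuration: 5                   # Int: The max time to wait for the passive scanner, default: 0 unlimited
    tests:
      - name: 'test one'               # Name of the test, optional
        type: alert                    # Specifies that the test is of type 'alert'
        action: passIfPresent/passIfAbsent  # String: placeholder - replace with exactly one of passIfPresent or passIfAbsent (the condition, presence/absence, of the alert), default: passIfAbsent
        scanRuleId:                    # Integer: The id of the scanRule which generates the alert, mandatory
        alertName:                     # String: The name of the alert generated, optional
        url: http://www.example.com/path  # String: The url of the request corresponding to the alert generated, optional
        method:                        # String: The method of the request corresponding to the alert generated, optional
        attack:                        # String: The actual attack which generated the alert, optional
        param:                         # String: The parameter which was modified to generate the alert, optional
        evidence:                      # String: The evidence corresponding to the alert generated, optional
        confidence:                    # String: The confidence of the alert, one of 'False Positive', 'Low', 'Medium', 'High', 'Confirmed', optional
        risk:                          # String: The risk of the alert, one of 'Informational', 'Low', 'Medium', 'High', optional
        otherInfo:                     # String: Additional information corresponding to the alert, optional
        onFail: 'info'                 # String: One of 'warn', 'error', 'info', mandatory
  - type: activeScan                   # The active scanner - this actively attacks the target so should only be used with permission
    parameters:
      context:                         # String: Name of the context to attack, default: first context
      user:                            # String: An optional user to use for authentication, must be defined in the env
      policy:                          # String: Name of the scan policy to be used, default: Default Policy
      maxRuleDurationInMins:           # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
      maxScanDurationInMins:           # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
      addQueryParam:                   # Bool: If set will add an extra query parameter to requests that do not have one, default: false
      defaultPolicy:                   # String: The name of the default scan policy to use, default: Default Policy
      delayInMs:                       # Int: The delay in milliseconds between each request, use to reduce the strain on the target, default 0
      handleAntiCSRFTokens:            # Bool: If set then automatically handle anti CSRF tokens, default: false
      injectPluginIdInHeader:          # Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false - useful for correlating scan traffic with the target's logs during triage
      scanHeadersAllRequests:          # Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false
      threadPerHost:                   # Int: The max number of threads per host, default: 2
    policyDefinition:                  # The policy definition - only used if the 'policy' is not set
      defaultStrength:                 # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
      defaultThreshold:                # String: The default Alert Threshold for all rules, one of Off, Low, Medium, High, default: Medium
      rules:                           # A list of one or more active scan rules and associated settings which override the defaults
        - id:                          # Int: The rule id as per https://www.zaproxy.org/docs/alerts/
          name:                        # Comment: The name of the rule for documentation purposes - this is not required or actually used
          strength:                    # String: The Attack Strength for this rule, one of Low, Medium, High, Insane, default: Medium
          threshold:                   # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium
    tests:
      - name: 'test one'               # Name of the test, optional
        type: alert                    # Specifies that the test is of type 'alert'
        action: passIfPresent/passIfAbsent  # String: placeholder - replace with exactly one of passIfPresent or passIfAbsent (the condition, presence/absence, of the alert), default: passIfAbsent
        scanRuleId:                    # Integer: The id of the scanRule which generates the alert, mandatory
        alertName:                     # String: The name of the alert generated, optional
        url: http://www.example.com/path  # String: The url of the request corresponding to the alert generated, optional
        method:                        # String: The method of the request corresponding to the alert generated, optional
        attack:                        # String: The actual attack which generated the alert, optional
        param:                         # String: The parameter which was modified to generate the alert, optional
        evidence:                      # String: The evidence corresponding to the alert generated, optional
        confidence:                    # String: The confidence of the alert, one of 'False Positive', 'Low', 'Medium', 'High', 'Confirmed', optional
        risk:                          # String: The risk of the alert, one of 'Informational', 'Low', 'Medium', 'High', optional
        otherInfo:                     # String: Additional information corresponding to the alert, optional
        onFail: 'info'                 # String: One of 'warn', 'error', 'info', mandatory
  - type: outputSummary                # Print summary to stdout, primarily to mimic the behaviour of the packaged scans
    parameters:
      format: 'None'                   # String: The format of the output, one of None, Short, Long, default: None - quoted so no loader mistakes it for a null
      summaryFile:                     # String: The full path of a file into which will be written a JSON summary of the scan, default empty
  - type: report                       # Report generation
    parameters:
      template:                        # String: The template id, default : modern
      theme:                           # String: The template theme, default: the first theme defined for the template (if any)
      reportDir:                       # String: The directory into which the report will be written - reports carry the alert attack/evidence details, so write them somewhere with appropriate access controls
      reportFile:                      # String: The report file name pattern, default: {{yyyy-MM-dd}}-ZAP-Report-[[site]]
      reportTitle:                     # String: The report title
      reportDescription:               # String: The report description
      displayReport:                   # Boolean: Display the report when generated, default: false
    risks:                             # List: The risks to include in this report, default all
      - high
      - medium
      - low
      - info
    confidences:                       # List: The confidences to include in this report, default all
      - high
      - medium
      - low
      - falsepositive
    sections:                          # List: The template sections to include in this report - see the relevant template, default all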