-
-
Notifications
You must be signed in to change notification settings - Fork 709
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
scanpolicies: Add initial 3 standardized policies
- CHANGELOG > Added note. - Policies > The new policy files. - Help content > New help content covering the new policies. Signed-off-by: kingthorin <[email protected]>
- Loading branch information
1 parent
a19bbf5
commit b68fa02
Showing
10 changed files
with
369 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
25 changes: 25 additions & 0 deletions
25
addOns/scanpolicies/src/main/javahelp/help/contents/policy-dev-cicd.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> | ||
| <HTML> | ||
| <HEAD> | ||
| <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"> | ||
| <TITLE> | ||
| Developer CI/CD Policy | ||
| </TITLE> | ||
| </HEAD> | ||
| <BODY> | ||
| <H1>Developer CI/CD Policy</H1> | ||
|
|
||
| This policy is designed to be used by developers in a CI/CD pipeline. | ||
|
|
||
| <ul> | ||
| <li>Recommended for running in CI/CD</li> | ||
| <li>No environmental / server related rules</li> | ||
| <li>No long running rules</li> | ||
| <li>No rules with high false positives</li> | ||
| <li>No timing attacks</li> | ||
| <li>No informational only rules</li> | ||
| <li>Minimal overlap</li> | ||
| </ul | ||
|
|
||
| </BODY> | ||
| </HTML> |
24 changes: 24 additions & 0 deletions
24
addOns/scanpolicies/src/main/javahelp/help/contents/policy-dev-full.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> | ||
| <HTML> | ||
| <HEAD> | ||
| <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"> | ||
| <TITLE> | ||
| Developer Full Policy | ||
| </TITLE> | ||
| </HEAD> | ||
| <BODY> | ||
| <H1>Developer Full Policy</H1> | ||
|
|
||
| A developer focused policy, including a superset of the dev standard with a greater variety of | ||
| potential findings and only minimal environmental/server related rules, intended for use in a dev environment. | ||
|
|
||
| <ul> | ||
| <li>A superset of Developer Standard</li> | ||
| <li>Intended to run in a dev environment</li> | ||
| <li>No rules with high false positives</li> | ||
| <li>No timing attacks</li> | ||
| <li>Minimal environmental / server related rules</li> | ||
| </ul | ||
|
|
||
| </BODY> | ||
| </HTML> |
26 changes: 26 additions & 0 deletions
26
addOns/scanpolicies/src/main/javahelp/help/contents/policy-dev-std.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> | ||
| <HTML> | ||
| <HEAD> | ||
| <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"> | ||
| <TITLE> | ||
| Developer Standard Policy | ||
| </TITLE> | ||
| </HEAD> | ||
| <BODY> | ||
| <H1>Developer Standard Policy</H1> | ||
|
|
||
| A develoepr focused policy eant to perform fairly quickly while providing a greater set of results than the CICD policy, | ||
| intended for use in a dev environment. | ||
|
|
||
| <ul> | ||
| <li>A superset of Developer CICD</li> | ||
| <li>Intended to run in a dev environment</li> | ||
| <li>No environmental / server related rules</li> | ||
| <li>No rules with high false positives</li> | ||
| <li>No timing attacks</li> | ||
| <li>No informational only rules</li> | ||
| <li>Can include longer running rules</li> | ||
| </ul | ||
|
|
||
| </BODY> | ||
| </HTML> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
55 changes: 55 additions & 0 deletions
55
addOns/scanpolicies/src/main/zapHomeFiles/policies/Dev CICD.policy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| <?xml version="1.0" encoding="UTF-8" standalone="no"?> | ||
| <configuration> | ||
| <policy>Developer CI/CD</policy> | ||
| <scanner> | ||
| <level>OFF</level> | ||
| <strength>MEDIUM</strength> | ||
| </scanner> | ||
| <plugins> | ||
| <p20019> | ||
| <name>External Redirect</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p20019> | ||
| <p40012> | ||
| <name>Cross Site Scripting (Reflected)</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p40012> | ||
| <p40018> | ||
| <name>SQL Injection</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p40018> | ||
| <p90020> | ||
| <name>Remote OS Command Injection</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p90020> | ||
| <p90021> | ||
| <name>XPath Injection</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p90021> | ||
| <p90023> | ||
| <name>XML External Entity Attack</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p90023> | ||
| <p90035> | ||
| <name>Server Side Template Injection</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p90035> | ||
| <p90017> | ||
| <name>XSLT Injection</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p90017> | ||
| <p50000> | ||
| <name>Script Active Scan Rules</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p50000> | ||
| </plugins> | ||
| </configuration> |
155 changes: 155 additions & 0 deletions
155
addOns/scanpolicies/src/main/zapHomeFiles/policies/Dev Full.policy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,155 @@ | ||
| <?xml version="1.0" encoding="UTF-8" standalone="no"?> | ||
| <configuration> | ||
| <policy>Developer Full</policy> | ||
| <scanner> | ||
| <level>OFF</level> | ||
| <strength>MEDIUM</strength> | ||
| </scanner> | ||
| <plugins> | ||
| <p6> | ||
| <name>Path Traversal</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p6> | ||
| <p7> | ||
| <name>Remote File Inclusion</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p7> | ||
| <p20019> | ||
| <name>External Redirect</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p20019> | ||
| <p40009> | ||
| <name>Server Side Include</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p40009> | ||
| <p40012> | ||
| <name>Cross Site Scripting (Reflected)</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p40012> | ||
| <p40014> | ||
| <name>Cross Site Scripting (Persistent)</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p40014> | ||
| <p40018> | ||
| <name>SQL Injection</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p40018> | ||
| <p40019> | ||
| <name>SQL Injection - MySQL</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p40019> | ||
| <p40020> | ||
| <name>SQL Injection - Hypersonic SQL</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p40020> | ||
| <p40021> | ||
| <name>SQL Injection - Oracle</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p40021> | ||
| <p40022> | ||
| <name>SQL Injection - PostgreSQL</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p40022> | ||
| <p40026> | ||
| <name>Cross Site Scripting (DOM Based)</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p40026> | ||
| <p40027> | ||
| <name>SQL Injection - MsSQL</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p40027> | ||
| <p90019> | ||
| <name>Server Side Code Injection</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p90019> | ||
| <p90020> | ||
| <name>Remote OS Command Injection</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p90020> | ||
| <p90021> | ||
| <name>XPath Injection</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p90021> | ||
| <p90023> | ||
| <name>XML External Entity Attack</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p90023> | ||
| <p90035> | ||
| <name>Server Side Template Injection</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p90035> | ||
| <p90036> | ||
| <name>Server Side Template Injection (Blind)</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p90036> | ||
| <p40003> | ||
| <name>CRLF Injection</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p40003> | ||
| <p40008> | ||
| <name>Parameter Tampering</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p40008> | ||
| <p90017> | ||
| <name>XSLT Injection</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p90017> | ||
| <p40016> | ||
| <name>Cross Site Scripting (Persistent) - Prime</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p40016> | ||
| <p40017> | ||
| <name>Cross Site Scripting (Persistent) - Spider</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p40017> | ||
| <p50000> | ||
| <name>Script Active Scan Rules</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p50000> | ||
| <p40031> | ||
| <name>Out of Band XSS</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p40031> | ||
| <p40046> | ||
| <name>Server Side Request Forgery</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p40046> | ||
| <p40047> | ||
| <name>Text4shell (CVE-2022-42889)</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p40047> | ||
| <p90028> | ||
| <name>Insecure HTTP Method</name> | ||
| <enabled>true</enabled> | ||
| <level>MEDIUM</level> | ||
| </p90028> | ||
| </plugins> | ||
| </configuration> |
Oops, something went wrong.