No Existing Zap Policies

[lfatty]

@continuumsecurity, I think the following need to be removed as well

case "source-code-disclosure": scannerIds = "42,10045,20017"; break; case "shell-shock": scannerIds = "10048"; break; case "remote-code-execution": scannerIds = "20018"; break; case "ldap-injection": scannerIds = "40015"; break; case "xpath-injection": scannerIds = "90021"; break; case "xml-external-entity": scannerIds = "90023"; break; case "padding-oracle": scannerIds = "90024"; break; case "el-injection": scannerIds = "90025"; break; case "insecure-http-methods": scannerIds = "90028"; break; case "parameter-pollution": scannerIds = "20014";

[iriusrisk]

I've checked the ZAP gui and these are included by default. The only difference between these and the normal policies is that they're "beta" quality. But they do exist in the zap installation, so I think it'll be useful to include them.

[lfatty]

Yes indeed they are very useful but the question becomes how do you enable or add a beta policy to zap embedded in jenkins. I know that you can do that in zap GUI but I am not certain in zap embedded in bed-security. Also the beta policies are not enable by default.

[iriusrisk]

The policy should already be there in the embedded version. Since we'll bundle zap with bdd-security we can ensure that the required policies are always there.

[lfatty]

But I ran bdd-sec several times and I am getting no-existing id which is the id of that policy recently added.

[iriusrisk]

You sure you're using the embedded version of ZAP? config.xml should have the whole <proxy> section commented out or removed. Another test you can do is run zap from the command line within bdd-security/zap and then connect to the API through a browser and view the policies: http://zap/XML/ascan/view/scanners/?zapapiformat=HTML&scanPolicyName=&policyId=

[lfatty]

Ok, I will test again.

[lfatty]

By the way I am using zapPath>zap/zap.sh</zapPath in config.xml. Do I have to use the api?

[iriusrisk]

The zapPath isn't used unless the proxy is commented out. You can use the GUI if you like, but I thought you were using this on a headless jenkins so no gui possible :) Much simpler through the GUI!

[lfatty]

@continuumsecurity, In my case the proxy was commented originally when I updated the code. :-) Is this correct http://zap?

[lfatty]

This is what I am getting from the api. I really believe that those new policies do not exit on the api.

Exception code="does_not_exist" detail="policyId" type="exception">Does Not Exist (does_not_exist) : policyId</Exception

[iriusrisk]

Yes you are right! I tracked this down to ZAP loading the plugins from the zap home directory on my dev machine.

I've now added the beta active scan rules to the bdd-security/zap/plugins directory so that they will load by default on any installation.

[lfatty]

Thanks I am glad that you saw what I was talking about. Also is there a way to disable the passive scanning under navigate-app_story because it flags some stuffs such as (X-frame options) which can be considered not a high finding.