forked from HHS/TANF-app
zap.conf
# zap-full-scan rule configuration file for tdrs-backend
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
# Active scan rules set to IGNORE will not be run which will speed up the scan
# Ignored passive scan rules must also be specified in ./scripts/zap-hook.py
# Only the rule identifiers are used - the names are just for info
# You can add your own messages to each rule by appending them after a tab on each line.
0 FAIL (Directory Browsing - Active/release)
10003 FAIL (Vulnerable JS Library - Passive/release)
10010 FAIL (Cookie No HttpOnly Flag - Passive/release)
10011 FAIL (Cookie Without Secure Flag - Passive/release)
10015 WARN (Incomplete or No Cache-control Header Set - Passive/release)
10017 FAIL (Cross-Domain JavaScript Source File Inclusion - Passive/release)
10019 FAIL (Content-Type Header Missing - Passive/release)
10020 FAIL (X-Frame-Options Header - Passive/release)
10021 FAIL (X-Content-Type-Options Header Missing - Passive/release)
10023 FAIL (Information Disclosure - Debug Error Messages - Passive/release)
10024 FAIL (Information Disclosure - Sensitive Information in URL - Passive/release)
10025 FAIL (Information Disclosure - Sensitive Information in HTTP Referrer Header - Passive/release)
10026 FAIL (HTTP Parameter Override - Passive/beta)
10027 FAIL (Information Disclosure - Suspicious Comments - Passive/release)
10028 FAIL (Open Redirect - Passive/beta)
10029 FAIL (Cookie Poisoning - Passive/beta)
10030 FAIL (User Controllable Charset - Passive/beta)
10031 FAIL (User Controllable HTML Element Attribute (Potential XSS) - Passive/beta)
10032 FAIL (Viewstate - Passive/release)
10033 FAIL (Directory Browsing - Passive/beta)
10034 FAIL (Heartbleed OpenSSL Vulnerability (Indicative) - Passive/beta)
10035 FAIL (Strict-Transport-Security Header - Passive/beta)
10036 IGNORE (HTTP Server Response Header - Passive/beta)
10037 FAIL (Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) - Passive/release)
10038 FAIL (Content Security Policy (CSP) Header Not Set - Passive/beta)
10039 FAIL (X-Backend-Server Header Information Leak - Passive/beta)
10040 FAIL (Secure Pages Include Mixed Content - Passive/release)
10041 FAIL (HTTP to HTTPS Insecure Transition in Form Post - Passive/beta)
10042 FAIL (HTTPS to HTTP Insecure Transition in Form Post - Passive/beta)
10043 FAIL (User Controllable JavaScript Event (XSS) - Passive/beta)
10044 FAIL (Big Redirect Detected (Potential Sensitive Information Leak) - Passive/beta)
10045 FAIL (Source Code Disclosure - /WEB-INF folder - Active/release)
10047 FAIL (HTTPS Content Available via HTTP - Active/beta)
10048 FAIL (Remote Code Execution - Shell Shock - Active/beta)
10050 FAIL (Retrieved from Cache - Passive/beta)
10051 FAIL (Relative Path Confusion - Active/beta)
10052 FAIL (X-ChromeLogger-Data (XCOLD) Header Information Leak - Passive/beta)
10054 FAIL (Cookie without SameSite Attribute - Passive/release)
10055 IGNORE (CSP - Passive/release)
10056 FAIL (X-Debug-Token Information Leak - Passive/release)
10057 FAIL (Username Hash Found - Passive/release)
10058 FAIL (GET for POST - Active/beta)
10061 FAIL (X-AspNet-Version Response Header - Passive/release)
10062 FAIL (PII Disclosure - Passive/beta)
10095 FAIL (Backup File Disclosure - Active/beta)
10096 IGNORE (Timestamp Disclosure - Passive/release)
10097 FAIL (Hash Disclosure - Passive/beta)
10098 FAIL (Cross-Domain Misconfiguration - Passive/release)
10104 FAIL (User Agent Fuzzer - Active/beta)
10105 FAIL (Weak Authentication Method - Passive/release)
10106 WARN (HTTP Only Site - Active/beta)
10107 FAIL (Httpoxy - Proxy Header Misuse - Active/beta)
10108 FAIL (Reverse Tabnabbing - Passive/beta)
10109 WARN (Modern Web Application - Passive/beta)
10202 FAIL (Absence of Anti-CSRF Tokens - Passive/release)
2 WARN (Private IP Disclosure - Passive/release)
20012 FAIL (Anti-CSRF Tokens Check - Active/beta)
20014 FAIL (HTTP Parameter Pollution - Active/beta)
20015 FAIL (Heartbleed OpenSSL Vulnerability - Active/beta)
20016 FAIL (Cross-Domain Misconfiguration - Active/beta)
20017 FAIL (Source Code Disclosure - CVE-2012-1823 - Active/beta)
20018 FAIL (Remote Code Execution - CVE-2012-1823 - Active/beta)
20019 FAIL (External Redirect - Active/release)
3 FAIL (Session ID in URL Rewrite - Passive/release)
30001 FAIL (Buffer Overflow - Active/release)
30002 FAIL (Format String Error - Active/release)
30003 FAIL (Integer Overflow Error - Active/beta)
40003 FAIL (CRLF Injection - Active/release)
40008 FAIL (Parameter Tampering - Active/release)
40009 FAIL (Server Side Include - Active/release)
40012 FAIL (Cross Site Scripting (Reflected) - Active/release)
40013 FAIL (Session Fixation - Active/beta)
40014 FAIL (Cross Site Scripting (Persistent) - Active/release)
40016 FAIL (Cross Site Scripting (Persistent) - Prime - Active/release)
40017 FAIL (Cross Site Scripting (Persistent) - Spider - Active/release)
##### IGNORE (SQL Injection - Active/release) as it doesn't apply to us and is giving
##### false positives because it takes us to a default django page notifying us
##### of the 403 forbidden, instead of just a 403 being returned. The test is
##### treating this as though the SQL injection worked, since a page is returned.
40018 IGNORE (SQL Injection - Active/release)
40019 FAIL (SQL Injection - MySQL - Active/beta)
40020 FAIL (SQL Injection - Hypersonic SQL - Active/beta)
40021 FAIL (SQL Injection - Oracle - Active/beta)
40022 FAIL (SQL Injection - PostgreSQL - Active/beta)
40023 FAIL (Possible Username Enumeration - Active/beta)
40024 FAIL (SQL Injection - SQLite - Active/beta)
40025 IGNORE (Proxy Disclosure - Active/beta)
40026 FAIL (Cross Site Scripting (DOM Based) - Active/beta)
40027 FAIL (SQL Injection - MsSQL - Active/beta)
40028 FAIL (ELMAH Information Leak - Active/release)
40029 FAIL (Trace.axd Information Leak - Active/beta)
40032 FAIL (.htaccess Information Leak - Active/release)
40034 FAIL (.env Information Leak - Active/beta)
##### IGNORE (Hidden File Finder - Active/beta) due to a false failure similar to the SQL
##### Injection false positive above. Replicating parameters of the test
##### result in
40035 IGNORE (Hidden File Finder - Active/beta)
41 FAIL (Source Code Disclosure - Git - Active/beta)
42 FAIL (Source Code Disclosure - SVN - Active/beta)
43 FAIL (Source Code Disclosure - File Inclusion - Active/beta)
50000 FAIL (Script Active Scan Rules - Active/release)
50001 FAIL (Script Passive Scan Rules - Passive/release)
6 FAIL (Path Traversal - Active/release)
7 FAIL (Remote File Inclusion - Active/release)
90001 FAIL (Insecure JSF ViewState - Passive/release)
90011 FAIL (Charset Mismatch - Passive/release)
90017 FAIL (XSLT Injection - Active/beta)
90019 FAIL (Server Side Code Injection - Active/release)
90020 FAIL (Remote OS Command Injection - Active/release)
90021 FAIL (XPath Injection - Active/beta)
90022 WARN (Application Error Disclosure - Passive/release)
90023 FAIL (XML External Entity Attack - Active/beta)
90024 FAIL (Generic Padding Oracle - Active/beta)
90025 FAIL (Expression Language Injection - Active/beta)
90026 FAIL (SOAP Action Spoofing - Active/alpha)
90027 FAIL (Cookie Slack Detector - Active/beta)
90028 FAIL (Insecure HTTP Method - Active/beta)
90029 FAIL (SOAP XML Injection - Active/alpha)
90030 FAIL (WSDL File Detection - Passive/alpha)
90033 FAIL (Loosely Scoped Cookie - Passive/release)
90034 FAIL (Cloud Metadata Potentially Exposed - Active/beta)
100000 WARN (A Client Error response code was returned by the server)
100001 WARN (Unexpected Content-Type was returned)
100001 OUTOFSCOPE http://web:8080/v1/login
100001 OUTOFSCOPE https://tdp-backend-staging.acf.hhs.gov/v1/login
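The header comments describe the file's contract: each line is `<rule id> <FAIL|WARN|IGNORE> (<name>)`, an optional per-rule message follows a tab, `OUTOFSCOPE` lines carry a URL instead of a name, and any passive rule set to IGNORE must also be listed in ./scripts/zap-hook.py. The linter below is an added example, not code from the TANF-app repository; it parses a constructed excerpt in that format, rejects malformed lines, and reports the IGNOREd passive IDs that need a matching entry in the hook script.

```python
import re
from typing import NamedTuple

# Constructed excerpt in the zap.conf format above (not the full file).
SAMPLE_CONF = """\
# zap-full-scan rule configuration file for tdrs-backend
10010 FAIL (Cookie No HttpOnly Flag - Passive/release)
10036 IGNORE (HTTP Server Response Header - Passive/beta)
10096 IGNORE (Timestamp Disclosure - Passive/release)\tnoise for us
40018 IGNORE (SQL Injection - Active/release)
100001 WARN (Unexpected Content-Type was returned)
100001 OUTOFSCOPE http://web:8080/v1/login
"""

# Greedy "(.*)" so names that themselves contain parentheses still match.
RULE_RE = re.compile(r"^(\d+)\s+(FAIL|WARN|IGNORE)\s+\((.*)\)$")
SCOPE_RE = re.compile(r"^(\d+)\s+OUTOFSCOPE\s+(\S+)$")


class Rule(NamedTuple):
    rule_id: str
    action: str
    name: str
    kind: str  # "Active", "Passive", or "" for ZAP's scan-level checks (100000+)


def parse_conf(text):
    """Return (rules, out_of_scope, malformed) for a zap.conf body."""
    rules, scopes, bad = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("\t", 1)[0].strip()  # text after a tab is an info message only
        if not line or line.startswith("#"):
            continue
        if m := RULE_RE.match(line):
            rid, action, name = m.groups()
            kind = "Active" if "- Active/" in name else "Passive" if "- Passive/" in name else ""
            rules.append(Rule(rid, action, name, kind))
        elif m := SCOPE_RE.match(line):
            scopes.append((m.group(1), m.group(2)))
        else:
            bad.append((lineno, raw))  # anything else would be silently dropped by the scanner
    return rules, scopes, bad


def ignored_passive_ids(rules):
    """IDs that, per the header comment, must also appear in ./scripts/zap-hook.py."""
    return sorted({r.rule_id for r in rules if r.action == "IGNORE" and r.kind == "Passive"}, key=int)


def skipped_active_ids(rules):
    """Active rules set to IGNORE are not run at all, so list them for review."""
    return sorted({r.rule_id for r in rules if r.action == "IGNORE" and r.kind == "Active"}, key=int)
```

Running `parse_conf` over the real file before a pipeline change catches a mistyped action or a stray line that ZAP would otherwise ignore without complaint.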