From 18055752c19ca77f4e3062da07f4651d23424bf6 Mon Sep 17 00:00:00 2001 From: Simon Bennetts Date: Tue, 16 Jan 2024 12:12:38 +0000 Subject: [PATCH] AF plan examples - updated baseline and added full scan Signed-off-by: Simon Bennetts --- CHANGELOG.md | 1 + other/CHANGELOG.md | 9 ++++ other/af-plans/BaselineExample.yaml | 30 +++++-------- other/af-plans/FullScanExample.yaml | 67 +++++++++++++++++++++++++++++ 4 files changed, 87 insertions(+), 20 deletions(-) create mode 100644 other/CHANGELOG.md create mode 100644 other/af-plans/FullScanExample.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index 7a212ba7..220ee4bd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ All notable changes to this add-on will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## [Unreleased] + ### Changed - Update minimum ZAP version to 2.14.0. - Remove checks for CFU initiator in HTTP Sender scripts and docs, no longer needed. diff --git a/other/CHANGELOG.md b/other/CHANGELOG.md new file mode 100644 index 00000000..5e8a41b1 --- /dev/null +++ b/other/CHANGELOG.md @@ -0,0 +1,9 @@ +# Changelog +All notable changes to the 'other' section of this add-on will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). + +### 2024-01-16 +- Introduced this changelog +- Added af-plans/FullScanExample.yaml +- Updated af-plans/BaselineExample.yaml to use envvar and only run AJAX Spider if modern. diff --git a/other/af-plans/BaselineExample.yaml b/other/af-plans/BaselineExample.yaml index e037f120..9714236b 100644 --- a/other/af-plans/BaselineExample.yaml +++ b/other/af-plans/BaselineExample.yaml @@ -1,26 +1,15 @@ --- -# A simple plan that performs a baseline scan against example.com -# It uses both of the spiders and just passive scanning. +# A simple plan that performs a baseline scan against a URL in the ZAP_TARGET env var. +# It uses the standard spider but only runs the AJAX spider if the app appears to be modern. # The 2 spider tests will fail as they do not find at least 100 URLs, # but they do not fail the whole plan as they just report at INFO level. env: contexts: - name: "Example" urls: - - "https://www.example.com/" + - "${ZAP_TARGET}" includePaths: [] excludePaths: [] - authentication: - parameters: {} - verification: - method: "response" - pollFrequency: 60 - pollUnits: "requests" - sessionManagement: - method: "cookie" - parameters: {} - technology: - exclude: [] parameters: failOnError: true failOnWarning: false @@ -44,10 +33,12 @@ jobs: value: 100 type: "stats" name: "At least 100 URLs found" +- parameters: {} + name: "passiveScan-wait-pre-ajax" + type: "passiveScan-wait" - parameters: - maxDuration: 60 - maxCrawlDepth: 10 - numberOfBrowsers: 1 + maxDuration: 3 + runOnlyIfModern: true name: "spiderAjax" type: "spiderAjax" tests: @@ -59,12 +50,11 @@ jobs: type: "stats" name: "At least 100 URLs found" - parameters: {} - name: "passiveScan-wait" + name: "passiveScan-wait-pre-report" type: "passiveScan-wait" - parameters: - template: "risk-confidence-html" + template: "modern" reportTitle: "ZAP Scanning Report" reportDescription: "" name: "report" type: "report" - diff --git a/other/af-plans/FullScanExample.yaml b/other/af-plans/FullScanExample.yaml new file mode 100644 index 00000000..7a185613 --- /dev/null +++ b/other/af-plans/FullScanExample.yaml @@ -0,0 +1,67 @@ +--- +# A simple plan that performs a full scan against a URL in the ZAP_TARGET env var. +# It uses the standard spider but only runs the AJAX spider if the app appears to be modern. +# The 2 spider tests will fail as they do not find at least 100 URLs, +# but they do not fail the whole plan as they just report at INFO level. +env: + contexts: + - name: "Example" + urls: + - "${ZAP_TARGET}" + includePaths: [] + excludePaths: [] + parameters: + failOnError: true + failOnWarning: false + progressToStdout: true + vars: {} +jobs: +- parameters: + scanOnlyInScope: true + enableTags: false + rules: [] + name: "passiveScan-config" + type: "passiveScan-config" +- parameters: {} + name: "spider" + type: "spider" + tests: + - onFail: "INFO" + statistic: "automation.spider.urls.added" + site: "" + operator: ">=" + value: 100 + type: "stats" + name: "At least 100 URLs found" +- parameters: {} + name: "passiveScan-wait-pre-ajax" + type: "passiveScan-wait" +- parameters: + maxDuration: 3 + runOnlyIfModern: true + name: "spiderAjax" + type: "spiderAjax" + tests: + - onFail: "INFO" + statistic: "spiderAjax.urls.added" + site: "" + operator: ">=" + value: 100 + type: "stats" + name: "At least 100 URLs found" +- parameters: + policyDefinition: + defaultStrength: "medium" + defaultThreshold: "medium" + rules: [] + name: "activeScan" + type: "activeScan" +- parameters: {} + name: "passiveScan-wait-pre-report" + type: "passiveScan-wait" +- parameters: + template: "modern" + reportTitle: "ZAP Scanning Report" + reportDescription: "" + name: "report" + type: "report"