Skip to content

Commit

Permalink
AF plan examples - updated baseline and added full scan
Browse files Browse the repository at this point in the history
Signed-off-by: Simon Bennetts <[email protected]>
  • Loading branch information
psiinon committed Jan 16, 2024
1 parent ffec41f commit d1d9a70
Show file tree
Hide file tree
Showing 3 changed files with 86 additions and 20 deletions.
9 changes: 9 additions & 0 deletions other/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
# Changelog
All notable changes to the 'other' section of this repository will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

### 2024-01-16
- Introduced this changelog
- Added af-plans/FullScanExample.yaml
- Updated af-plans/BaselineExample.yaml to use envvar and only run AJAX Spider if modern.
30 changes: 10 additions & 20 deletions other/af-plans/BaselineExample.yaml
Original file line number Diff line number Diff line change
@@ -1,26 +1,15 @@
---
# A simple plan that performs a baseline scan against example.com
# It uses both of the spiders and just passive scanning.
# A simple plan that performs a baseline scan against a URL in the ZAP_TARGET env var.
# It uses the standard spider but only runs the AJAX spider if the app appears to be modern.
# The 2 spider tests will fail as they do not find at least 100 URLs,
# but they do not fail the whole plan as they just report at INFO level.
env:
contexts:
- name: "Example"
urls:
- "https://www.example.com/"
- "${ZAP_TARGET}"
includePaths: []
excludePaths: []
authentication:
parameters: {}
verification:
method: "response"
pollFrequency: 60
pollUnits: "requests"
sessionManagement:
method: "cookie"
parameters: {}
technology:
exclude: []
parameters:
failOnError: true
failOnWarning: false
Expand All @@ -44,10 +33,12 @@ jobs:
value: 100
type: "stats"
name: "At least 100 URLs found"
- parameters: {}
name: "passiveScan-wait-pre-ajax"
type: "passiveScan-wait"
- parameters:
maxDuration: 60
maxCrawlDepth: 10
numberOfBrowsers: 1
maxDuration: 3
runOnlyIfModern: true
name: "spiderAjax"
type: "spiderAjax"
tests:
Expand All @@ -59,12 +50,11 @@ jobs:
type: "stats"
name: "At least 100 URLs found"
- parameters: {}
name: "passiveScan-wait"
name: "passiveScan-wait-pre-report"
type: "passiveScan-wait"
- parameters:
template: "risk-confidence-html"
template: "modern"
reportTitle: "ZAP Scanning Report"
reportDescription: ""
name: "report"
type: "report"

67 changes: 67 additions & 0 deletions other/af-plans/FullScanExample.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
---
# A simple plan that performs a full scan against a URL in the ZAP_TARGET env var.
# It uses the standard spider but only runs the AJAX spider if the app appears to be modern.
# The 2 spider tests will fail as they do not find at least 100 URLs,
# but they do not fail the whole plan as they just report at INFO level.
env:
contexts:
- name: "Example"
urls:
- "${ZAP_TARGET}"
includePaths: []
excludePaths: []
parameters:
failOnError: true
failOnWarning: false
progressToStdout: true
vars: {}
jobs:
- parameters:
scanOnlyInScope: true
enableTags: false
rules: []
name: "passiveScan-config"
type: "passiveScan-config"
- parameters: {}
name: "spider"
type: "spider"
tests:
- onFail: "INFO"
statistic: "automation.spider.urls.added"
site: ""
operator: ">="
value: 100
type: "stats"
name: "At least 100 URLs found"
- parameters: {}
name: "passiveScan-wait-pre-ajax"
type: "passiveScan-wait"
- parameters:
maxDuration: 3
runOnlyIfModern: true
name: "spiderAjax"
type: "spiderAjax"
tests:
- onFail: "INFO"
statistic: "spiderAjax.urls.added"
site: ""
operator: ">="
value: 100
type: "stats"
name: "At least 100 URLs found"
- parameters:
policyDefinition:
defaultStrength: "medium"
defaultThreshold: "medium"
rules: []
name: "activeScan"
type: "activeScan"
- parameters: {}
name: "passiveScan-wait-pre-report"
type: "passiveScan-wait"
- parameters:
template: "modern"
reportTitle: "ZAP Scanning Report"
reportDescription: ""
name: "report"
type: "report"

0 comments on commit d1d9a70

Please sign in to comment.