-
-
Notifications
You must be signed in to change notification settings - Fork 708
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #5931 from kingthorin/policies_cd_dev
scanpolicies: Add initial 3 standardized policies
- Loading branch information
Showing
11 changed files
with
408 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
27 changes: 27 additions & 0 deletions
27
addOns/scanpolicies/src/main/javahelp/help/contents/policy-dev-cicd.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> | ||
| <HTML> | ||
| <HEAD> | ||
| <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"> | ||
| <TITLE> | ||
| Developer CI/CD Policy | ||
| </TITLE> | ||
| </HEAD> | ||
| <BODY> | ||
| <H1>Developer CI/CD Policy</H1> | ||
|
|
||
| This policy is designed to be used by developers in a CI/CD pipeline. | ||
|
|
||
| <ul> | ||
| <li>Recommended for running in CI/CD</li> | ||
| <li>No environmental / server related rules</li> | ||
| <li>No long running rules</li> | ||
| <li>No rules with high false positives</li> | ||
| <li>No timing attacks</li> | ||
| <li>No informational only rules</li> | ||
| <li>Minimal overlap</li> | ||
| </ul> | ||
| <p> | ||
| Return to <a href="scanpolicies.html">main scan policies page</a>. | ||
|
|
||
| </BODY> | ||
| </HTML> |
26 changes: 26 additions & 0 deletions
26
addOns/scanpolicies/src/main/javahelp/help/contents/policy-dev-full.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> | ||
| <HTML> | ||
| <HEAD> | ||
| <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"> | ||
| <TITLE> | ||
| Developer Full Policy | ||
| </TITLE> | ||
| </HEAD> | ||
| <BODY> | ||
| <H1>Developer Full Policy</H1> | ||
|
|
||
| A developer focused policy, including a superset of the <a href="policy-dev-std.html">dev standard</a> with a greater variety of | ||
| potential findings and only minimal environmental/server related rules, intended for use in a dev environment. | ||
|
|
||
| <ul> | ||
| <li>A superset of Developer Standard</li> | ||
| <li>Intended to run in a dev environment</li> | ||
| <li>No rules with high false positives</li> | ||
| <li>No timing attacks</li> | ||
| <li>Minimal environmental / server related rules</li> | ||
| </ul> | ||
| <p> | ||
| Return to <a href="scanpolicies.html">main scan policies page</a>. | ||
|
|
||
| </BODY> | ||
| </HTML> |
28 changes: 28 additions & 0 deletions
28
addOns/scanpolicies/src/main/javahelp/help/contents/policy-dev-std.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> | ||
| <HTML> | ||
| <HEAD> | ||
| <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"> | ||
| <TITLE> | ||
| Developer Standard Policy | ||
| </TITLE> | ||
| </HEAD> | ||
| <BODY> | ||
| <H1>Developer Standard Policy</H1> | ||
|
|
||
| A developer focused policy meant to perform fairly quickly while providing a greater set of results than the CICD policy, | ||
| intended for use in a dev environment. | ||
|
|
||
| <ul> | ||
| <li>A superset of Developer CICD</li> | ||
| <li>Intended to run in a dev environment</li> | ||
| <li>No environmental / server related rules</li> | ||
| <li>No rules with high false positives</li> | ||
| <li>No timing attacks</li> | ||
| <li>No informational only rules</li> | ||
| <li>Can include longer running rules</li> | ||
| </ul> | ||
| <p> | ||
| Return to <a href="scanpolicies.html">main scan policies page</a>. | ||
|
|
||
| </BODY> | ||
| </HTML> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
65 changes: 65 additions & 0 deletions
65
addOns/scanpolicies/src/main/zapHomeFiles/policies/Dev CICD.policy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| <?xml version="1.0" encoding="UTF-8" standalone="no"?> | ||
| <configuration> | ||
| <policy>Developer CI/CD</policy> | ||
| <scanner> | ||
| <level>OFF</level> | ||
| <strength>MEDIUM</strength> | ||
| </scanner> | ||
| <plugins> | ||
| <p20019> | ||
| <name>External Redirect</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p20019> | ||
| <p40012> | ||
| <name>Cross Site Scripting (Reflected)</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p40012> | ||
| <p40018> | ||
| <name>SQL Injection</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p40018> | ||
| <p50000> | ||
| <name>Script Active Scan Rules</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p50000> | ||
| <p90017> | ||
| <name>XSLT Injection</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p90017> | ||
| <p90020> | ||
| <name>Remote OS Command Injection</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p90020> | ||
| <p90021> | ||
| <name>XPath Injection</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p90021> | ||
| <p90023> | ||
| <name>XML External Entity Attack</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p90023> | ||
| <p90026> | ||
| <name>SOAP Action Spoofing</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p90026> | ||
| <p90029> | ||
| <name>SOAP XML Injection</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p90029> | ||
| <p90035> | ||
| <name>Server Side Template Injection</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p90035> | ||
| </plugins> | ||
| </configuration> |
165 changes: 165 additions & 0 deletions
165
addOns/scanpolicies/src/main/zapHomeFiles/policies/Dev Full.policy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,165 @@ | ||
| <?xml version="1.0" encoding="UTF-8" standalone="no"?> | ||
| <configuration> | ||
| <policy>Developer Full</policy> | ||
| <scanner> | ||
| <level>OFF</level> | ||
| <strength>MEDIUM</strength> | ||
| </scanner> | ||
| <plugins> | ||
| <p6> | ||
| <name>Path Traversal</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p6> | ||
| <p7> | ||
| <name>Remote File Inclusion</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p7> | ||
| <p20019> | ||
| <name>External Redirect</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p20019> | ||
| <p40003> | ||
| <name>CRLF Injection</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p40003> | ||
| <p40008> | ||
| <name>Parameter Tampering</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p40008> | ||
| <p40009> | ||
| <name>Server Side Include</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p40009> | ||
| <p40012> | ||
| <name>Cross Site Scripting (Reflected)</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p40012> | ||
| <p40014> | ||
| <name>Cross Site Scripting (Persistent)</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p40014> | ||
| <p40016> | ||
| <name>Cross Site Scripting (Persistent) - Prime</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p40016> | ||
| <p40017> | ||
| <name>Cross Site Scripting (Persistent) - Spider</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p40017> | ||
| <p40018> | ||
| <name>SQL Injection</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p40018> | ||
| <p40019> | ||
| <name>SQL Injection - MySQL</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p40019> | ||
| <p40020> | ||
| <name>SQL Injection - Hypersonic SQL</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p40020> | ||
| <p40021> | ||
| <name>SQL Injection - Oracle</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p40021> | ||
| <p40022> | ||
| <name>SQL Injection - PostgreSQL</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p40022> | ||
| <p40026> | ||
| <name>Cross Site Scripting (DOM Based)</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p40026> | ||
| <p40027> | ||
| <name>SQL Injection - MsSQL</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p40027> | ||
| <p40031> | ||
| <name>Out of Band XSS</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p40031> | ||
| <p40046> | ||
| <name>Server Side Request Forgery</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p40046> | ||
| <p40047> | ||
| <name>Text4shell (CVE-2022-42889)</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p40047> | ||
| <p50000> | ||
| <name>Script Active Scan Rules</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p50000> | ||
| <p90017> | ||
| <name>XSLT Injection</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p90017> | ||
| <p90019> | ||
| <name>Server Side Code Injection</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p90019> | ||
| <p90020> | ||
| <name>Remote OS Command Injection</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p90020> | ||
| <p90021> | ||
| <name>XPath Injection</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p90021> | ||
| <p90023> | ||
| <name>XML External Entity Attack</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p90023> | ||
| <p90026> | ||
| <name>SOAP Action Spoofing</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p90026> | ||
| <p90028> | ||
| <name>Insecure HTTP Method</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p90028> | ||
| <p90029> | ||
| <name>SOAP XML Injection</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p90029> | ||
| <p90035> | ||
| <name>Server Side Template Injection</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p90035> | ||
| <p90036> | ||
| <name>Server Side Template Injection (Blind)</name> | ||
| <level>MEDIUM</level> | ||
| <enabled>true</enabled> | ||
| </p90036> | ||
| </plugins> | ||
| </configuration> |
Oops, something went wrong.