scanpolicies & sequence: Add/update next 3 standardized policies
- CHANGELOG > Added note.
- Policies > The new policy files.
- Help content > New help content covering the new policies.

Signed-off-by: kingthorin <[email protected]>
kingthorin committed Nov 25, 2024
1 parent 3ea00b7 commit 3daab02
Showing 12 changed files with 760 additions and 51 deletions.
3 changes: 3 additions & 0 deletions addOns/scanpolicies/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -10,3 +10,6 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- Developer CI/CD
- Developer Standard
- Developer Full
- QA Standard
- QA Full
- API
@@ -0,0 +1,17 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
<TITLE>
API Policy
</TITLE>
</HEAD>
<BODY>
<H1>API Policy</H1>

A policy focusing on issues likely to impact APIs and not UI.
<p>
Return to <a href="scanpolicies.html">main scan policies page</a>.

</BODY>
</HTML>
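Review bot: the help page for the API policy is a single sentence and, unlike the QA pages below, gives the reader nothing about scope: what "issues likely to impact APIs and not UI" means in rule terms, or where the policy is meant to run. The corresponding API.policy file enables a fixed set of 24 active-scan rules with the scanner default set to OFF, and a noticeable share of them are XML/SOAP specific (XML External Entity Attack, XSLT Injection, SOAP Action Spoofing, SOAP XML Injection, Exponential Entity Expansion). Suggest adding a short bulleted list in the same style as the QA pages, e.g. "Enables only rules relevant to API back ends (injection, XML/SOAP, SSRF-style metadata exposure)" and "Rules that only make sense against HTML UIs are disabled", so users can tell what they are not getting when they pick this policy.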
@@ -0,0 +1,23 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
<TITLE>
QA Full Policy
</TITLE>
</HEAD>
<BODY>
<H1>QA Full Policy</H1>

A quality assurance focused policy, including a superset of the <a href="policy-qa-std.html">QA standard</a> with a greater variety of
potential findings with more environmental/server related rules, intended for use in a QA/Staging environment.

<ul>
<li>Intended to run in a QA / Staging environment which is close to production</li>
<li>A superset of Developer Full (and QA Standard) but with more env / server rules enabled</li>
</ul>
<p>
Return to <a href="scanpolicies.html">main scan policies page</a>.

</BODY>
</HTML>
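Review bot: the opening sentence stacks two "with" clauses ("with a greater variety of potential findings with more environmental/server related rules") and reads as a run-on; suggest "including a superset of the QA standard, with a greater variety of potential findings and more environmental/server related rules". The bullet "A superset of Developer Full (and QA Standard) but with more env / server rules enabled" is also the only place the relationship to Developer Full is stated; since the main scanpolicies.html entry for this policy mentions only the QA standard, consider saying the same thing in both places. Minor: "QA/Staging" in the paragraph versus "QA / Staging" in the bullet.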
@@ -0,0 +1,24 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
<TITLE>
QA Standard Policy
</TITLE>
</HEAD>
<BODY>
<H1>QA Standard Policy</H1>

A quality assurance focused policy meant to perform fairly quickly while providing a greater set of results than developer policies,
intended for use in a QA/staging environment.

<ul>
<li>Intended to run in a QA / Staging environment which is close to production</li>
<li>A superset of Developer Standard but with important env / server rules enabled</li>
<li>Not env issues that should have been fixed by everyone</li>
</ul>
<p>
Return to <a href="scanpolicies.html">main scan policies page</a>.

</BODY>
</HTML>
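Review bot: the third bullet, "Not env issues that should have been fixed by everyone", is not a sentence and a user will not be able to tell whether it describes what the policy includes or excludes. The surrounding bullets suggest it is an exclusion; suggest rewording to something like "Does not include environment / server issues that everyone should already have fixed" so it parallels the "important env / server rules enabled" bullet above it. Minor: "QA/staging" in the paragraph versus "QA / Staging" in the bullet.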
@@ -17,6 +17,9 @@ <H1>Scan Policies</H1>
<li><a href="policy-dev-cicd.html">Developer CICD Policy</a> : a policy intended for CI/CD use, focused on quick but higher risk issues
<li><a href="policy-dev-std.html">Developer Standard Policy</a> : a policy directed at developers, meant to perform fairly quickly while providing a greater set of results than the CICD policy (intended for use in a dev environment)
<li><a href="policy-dev-full.html">Developer Full Policy</a> : a developer focused policy, including a superset of the dev standard with a greater variety of potential findings and only minimal environmental/server related rules (intended for use in a dev environment)
<li><a href="policy-qa-std.html">QA Standard Policy</a> : a quality assurance focused policy meant to perform fairly quickly while providing a greater set of results than developer policies, intended for use in a QA/staging environment
<li><a href="policy-qa-full.html">QA Full Policy</a> : a more comprehensive quality assurance focused policy, including a superset of the QA standard with a greater variety of potential findings with more environmental/server related rules, intended for use in a QA/Staging environment
<li><a hrf="policy-api.html">API Policy</a> : a lighter policy focusing on issues likely to impact APIs and not UI.
</ul>

</BODY>
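Review bot: the new API entry has a typo in the anchor attribute, `<a hrf="policy-api.html">`, so the link will render as plain text and the new help page will be unreachable from the index; it needs to be `href`. While here, the API line is the only one whose description ends with a full stop and the only one that does not state an intended environment in parentheses, unlike the three developer entries and the two QA entries above it; suggest matching the existing pattern.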
130 changes: 130 additions & 0 deletions addOns/scanpolicies/src/main/zapHomeFiles/policies/API.policy
@@ -0,0 +1,130 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
<policy>API</policy>
<scanner>
<level>OFF</level>
<strength>MEDIUM</strength>
</scanner>
<plugins>
<p0>
<name>Directory Browsing</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p0>
<p7>
<name>Remote File Inclusion</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p7>
<p20019>
<name>External Redirect</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p20019>
<p30001>
<name>Buffer Overflow</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p30001>
<p30002>
<name>Format String Error</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p30002>
<p30003>
<name>Integer Overflow Error</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p30003>
<p40003>
<name>CRLF Injection</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p40003>
<p40008>
<name>Parameter Tampering</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p40008>
<p40009>
<name>Server Side Include</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p40009>
<p40018>
<name>SQL Injection</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p40018>
<p40042>
<name>Spring Actuator Information Leak</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p40042>
<p40044>
<name>Exponential Entity Expansion (Billion Laughs Attack)</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p40044>
<p50000>
<name>Script Active Scan Rules</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p50000>
<p90017>
<name>XSLT Injection</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p90017>
<p90019>
<name>Server Side Code Injection</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p90019>
<p90020>
<name>Remote OS Command Injection</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p90020>
<p90021>
<name>XPath Injection</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p90021>
<p90023>
<name>XML External Entity Attack</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p90023>
<p90025>
<name>Expression Language Injection</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p90025>
<p90026>
<name>SOAP Action Spoofing</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p90026>
<p90029>
<name>SOAP XML Injection</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p90029>
<p90034>
<name>Cloud Metadata Potentially Exposed</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p90034>
<p90035>
<name>Server Side Template Injection</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p90035>
<p90036>
<name>Server Side Template Injection (Blind)</name>
<enabled>true</enabled>
<level>MEDIUM</level>
</p90036>
</plugins>
</configuration>
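Review bot: with `<level>OFF</level>` as the scanner default, any rule not listed here is excluded, so this list is the complete statement of the policy's scope and the rationale for it should be recorded somewhere (the help page only says "issues likely to impact APIs and not UI"). Two things a user will ask about: Buffer Overflow, Format String Error and Integer Overflow Error (p30001 to p30003) are generic memory-corruption probes rather than API-specific checks, while Path Traversal does not appear in the list at all even though Remote File Inclusion (p7) and Directory Browsing (p0) do; if those choices are deliberate, a sentence in policy-api.html or the CHANGELOG saying so would stop them being reported as omissions. Also, Script Active Scan Rules (p50000) only does anything when active-scan scripts are loaded, which is fine to keep enabled but worth a mention so users do not expect extra coverage from it out of the box.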
0 comments on commit 3daab02