scanpolicies & sequence: Add/update next 3 standardized policies
- CHANGELOG > Added note.
- Policies > The new policy files.
- Help content > New help content covering the new policies.

Signed-off-by: kingthorin <[email protected]>
1 parent 3ea00b7, commit 4106208
Showing 9 changed files with 740 additions and 51 deletions.
addOns/scanpolicies/src/main/javahelp/help/contents/policy-api.html: 17 changes (17 additions & 0 deletions)
@@ -0,0 +1,17 @@ | ||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> | ||
<HTML> | ||
<HEAD> | ||
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"> | ||
<TITLE> | ||
API Policy | ||
</TITLE> | ||
</HEAD> | ||
<BODY> | ||
<H1>API Policy</H1> | ||
|
||
A lighter policy focusing on issues likely to impact APIs and not UI. | ||
<p> | ||
Return to <a href="scanpolicies.html">main scan policies page</a>. | ||
|
||
</BODY> | ||
</HTML> |
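Review bot: the API Policy help page says only that this is a lighter policy for API rather than UI issues, so a reader cannot tell from the help alone which rule families the scan will run or at what threshold. Unlike policy-qa-std.html and policy-qa-full.html in this same commit it carries no bullet list; consider adding one that names the enabled families (injection rules such as SQL Injection, XPath Injection, XSLT Injection and Server Side Code Injection, plus XML External Entity Attack and Exponential Entity Expansion) and states that the default threshold is OFF, so the page matches what API.policy actually configures.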
addOns/scanpolicies/src/main/javahelp/help/contents/policy-qa-full.html: 23 changes (23 additions & 0 deletions)
@@ -0,0 +1,23 @@ | ||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> | ||
<HTML> | ||
<HEAD> | ||
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"> | ||
<TITLE> | ||
Developer Full Policy | ||
</TITLE> | ||
</HEAD> | ||
<BODY> | ||
<H1>Developer Full Policy</H1> | ||
|
||
A quality assurance focused policy, including a superset of the <a href="policy-qa-std.html">QA standard</a> with a greater variety of | ||
potential findings with more environmental/server related rules, intended for use in a QA/Staging environment. | ||
|
||
<ul> | ||
<li>Intended to run in a QA / Staging environment which is close to production</li> | ||
<li>A superset of Developer Full (and QA Standard) but with more env / server rules enabled</li> | ||
</ul> | ||
<p> | ||
Return to <a href="scanpolicies.html">main scan policies page</a>. | ||
|
||
</BODY> | ||
</HTML> |
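Review bot: the TITLE and H1 read "Developer Full Policy", but this file is policy-qa-full.html and its own lead paragraph calls it a quality assurance focused policy that is a superset of the QA standard; this looks like a copy-paste leftover and should read "QA Full Policy". The second bullet, "A superset of Developer Full (and QA Standard) but with more env / server rules enabled", also contradicts the lead paragraph, which names only the QA standard as the base; pick one lineage and state it the same way in both places, and if a Developer Full help page exists link it as policy-qa-std.html is linked here.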
addOns/scanpolicies/src/main/javahelp/help/contents/policy-qa-std.html: 24 changes (24 additions & 0 deletions)
@@ -0,0 +1,24 @@ | ||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> | ||
<HTML> | ||
<HEAD> | ||
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"> | ||
<TITLE> | ||
QA Standard Policy | ||
</TITLE> | ||
</HEAD> | ||
<BODY> | ||
<H1>QA Standard Policy</H1> | ||
|
||
A quality assurance focused policy meant to perform fairly quickly while providing a greater set of results than developer policies, | ||
intended for use in a QA/staging environment. | ||
|
||
<ul> | ||
<li>Intended to run in a QA / Staging environment which is close to production</li> | ||
<li>A superset of Developer Standard but with important env / server rules enabled</li> | ||
<li>Not env issues that should have been fixed by everyone</li> | ||
</ul> | ||
<p> | ||
Return to <a href="scanpolicies.html">main scan policies page</a>. | ||
|
||
</BODY> | ||
</HTML> |
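Review bot: the third bullet, "Not env issues that should have been fixed by everyone", is ambiguous: it could mean that such issues are excluded from this policy, or that they are assumed to be already resolved in the target environment. Suggest something like "Environment / server issues that every deployment should already have fixed are not included". The second bullet names "Developer Standard" without a link, while policy-qa-full.html links back to this page; add the matching link so the three help pages navigate consistently.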
addOns/scanpolicies/src/main/zapHomeFiles/policies/API.policy: 130 changes (130 additions & 0 deletions)
@@ -0,0 +1,130 @@ | ||
<?xml version="1.0" encoding="UTF-8" standalone="no"?> | ||
<configuration> | ||
<policy>API</policy> | ||
<scanner> | ||
<level>OFF</level> | ||
<strength>MEDIUM</strength> | ||
</scanner> | ||
<plugins> | ||
<p0> | ||
<name>Directory Browsing</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p0> | ||
<p7> | ||
<name>Remote File Inclusion</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p7> | ||
<p20019> | ||
<name>External Redirect</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p20019> | ||
<p30001> | ||
<name>Buffer Overflow</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p30001> | ||
<p30002> | ||
<name>Format String Error</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p30002> | ||
<p30003> | ||
<name>Integer Overflow Error</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p30003> | ||
<p40003> | ||
<name>CRLF Injection</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p40003> | ||
<p40008> | ||
<name>Parameter Tampering</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p40008> | ||
<p40009> | ||
<name>Server Side Include</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p40009> | ||
<p40018> | ||
<name>SQL Injection</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p40018> | ||
<p40042> | ||
<name>Spring Actuator Information Leak</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p40042> | ||
<p40044> | ||
<name>Exponential Entity Expansion (Billion Laughs Attack)</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p40044> | ||
<p50000> | ||
<name>Script Active Scan Rules</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p50000> | ||
<p90017> | ||
<name>XSLT Injection</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p90017> | ||
<p90019> | ||
<name>Server Side Code Injection</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p90019> | ||
<p90020> | ||
<name>Remote OS Command Injection</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p90020> | ||
<p90021> | ||
<name>XPath Injection</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p90021> | ||
<p90023> | ||
<name>XML External Entity Attack</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p90023> | ||
<p90025> | ||
<name>Expression Language Injection</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p90025> | ||
<p90026> | ||
<name>SOAP Action Spoofing</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p90026> | ||
<p90029> | ||
<name>SOAP XML Injection</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p90029> | ||
<p90034> | ||
<name>Cloud Metadata Potentially Exposed</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p90034> | ||
<p90035> | ||
<name>Server Side Template Injection</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p90035> | ||
<p90036> | ||
<name>Server Side Template Injection (Blind)</name> | ||
<enabled>true</enabled> | ||
<level>MEDIUM</level> | ||
</p90036> | ||
</plugins> | ||
</configuration> |
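Review bot: the scanner-level `<level>OFF</level>` makes OFF the default threshold, so every rule not listed under `<plugins>` is disabled, including any API-relevant rule that ships in a later release; the policy will need maintenance as rules are added, and the help page and CHANGELOG note should say so. Every listed plugin sets `<level>MEDIUM</level>` but none sets a `<strength>`, so all inherit the scanner-level `<strength>MEDIUM</strength>`; if that is intentional a short comment in the file would save the next reader a check, and if any rule is meant to run at a different strength it needs a per-plugin `<strength>` element here. Note also that `<p50000>` enables "Script Active Scan Rules", which means any active scan scripts the user has loaded will run under this policy; that is worth a sentence in policy-api.html since it makes the scan's scope depend on local script configuration rather than on this file alone.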