Comments (12)
commented on August 17, 2024
I've checked the ZAP gui and these are included by default. The only difference between these and the normal policies is that they're "beta" quality. But they do exist in the zap installation, so I think it'll be useful to include them.
from bdd-security.
lfatty
commented on August 17, 2024
Yes indeed they are very useful but the question becomes how do you enable or add a beta policy to zap embedded in jenkins. I know that you can do that in zap GUI but I am not certain in zap embedded in bed-security. Also the beta policies are not enable by default.
from bdd-security.
commented on August 17, 2024
The policy should already be there in the embedded version. Since we'll bundle zap with bdd-security we can ensure that the required policies are always there.
from bdd-security.
lfatty
commented on August 17, 2024
But I ran bdd-sec several times and I am getting no-existing id which is the id of that policy recently added.
from bdd-security.
commented on August 17, 2024
You sure you're using the embedded version of ZAP? config.xml should have the whole <proxy> section commented out or removed.
Another test you can do is run zap from the command line within bdd-security/zap and then connect to the API through a browser and view the policies:
http://zap/XML/ascan/view/scanners/?zapapiformat=HTML&scanPolicyName=&policyId=
from bdd-security.
lfatty
commented on August 17, 2024
Ok, I will test again.
from bdd-security.
lfatty
commented on August 17, 2024
By the way I am using zapPath>zap/zap.sh</zapPath in config.xml. Do I have to use the api?
from bdd-security.
commented on August 17, 2024
The zapPath isn't used unless the proxy is commented out. You can use the GUI if you like, but I thought you were using this on a headless jenkins so no gui possible :)
Much simpler through the GUI!
from bdd-security.
lfatty
commented on August 17, 2024
@continuumsecurity, In my case the proxy was commented originally when I updated the code. :-)
Is this correct http://zap?
from bdd-security.
lfatty
commented on August 17, 2024
This is what I am getting from the api. I really believe that those new policies do not exit on the api.
Exception code="does_not_exist" detail="policyId" type="exception">Does Not Exist (does_not_exist) : policyId</Exception
from bdd-security.
commented on August 17, 2024
Yes you are right! I tracked this down to ZAP loading the plugins from the zap home directory on my dev machine.
I've now added the beta active scan rules to the bdd-security/zap/plugins directory so that they will load by default on any installation.
from bdd-security.
lfatty
commented on August 17, 2024
Thanks I am glad that you saw what I was talking about. Also is there a way to disable the passive scanning under navigate-app_story because it flags some stuffs such as (X-frame options) which can be considered not a high finding.
from bdd-security.
Related Issues (20)
- BDD Security requirements HOT 5
- Understanding bdd-security Reports Help HOT 1
- Web Driver Timeout with default configurations
- java.net.BindException: Address already in use: bind HOT 1
- multiple URL Scans
- Unable to load chrome driver failing with Timed out message HOT 5
- BDD unable to limit or exclude sites/link from scanning HOT 2
- java.lang.RuntimeException: No HTTP requests-responses recorded - in iriusrisk-cwe-693-clickjack
- could not reopen database HOT 1
- Crash Ropeytask with Java 9 HOT 1
- support for ZAP 2.7.0
- Browser is not getting launch
- Unable to perform app_Scan on http://testphp.vulnweb.com/
- Compatibility with Nessus 7 HOT 7
- OWASP ZAP Scanning out of scope hosts HOT 1
- Support for ZAP 2.7
- Wrong sslyze path in config.xml HOT 1
- Chromedriver and FirefoxDriver issues HOT 5
- All options in the config.xml file should also be settable using environment variables.
- InternetexplorerDrvier problem HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from bdd-security.