Annio

Reputation: 67

OWASP ZAP - test result still shows informational output

I'm running OWASP ZAP in my pipeline to perform some security scans.

I'm using the official Docker image and running it as below:

      docker run --rm -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable:latest zap-full-scan.py \
        -t http://$(ip -f inet -o addr show docker0 | awk '{print $4}' | cut -d '/' -f 1): }} \
        -c zap.conf \
        -J report.json \
        -r report.html

My zap.conf looks like the following:

# zap-baseline rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
# Only the rule identifiers are used - the names are just for info
# You can add your own messages to each rule by appending them after a tab on each line.
10003   WARN    (Vulnerable JS Library (Powered by Retire.js))
10009   FAIL    (In Page Banner Information Leak)
10010   FAIL    (Cookie No HttpOnly Flag)
10011   FAIL    (Cookie Without Secure Flag)
10015   FAIL    (Re-examine Cache-control Directives)
10017   WARN    (Cross-Domain JavaScript Source File Inclusion)
10019   WARN    (Content-Type Header Missing)
10020   FAIL    (Anti-clickjacking Header)
10021   WARN    (X-Content-Type-Options Header Missing)
10023   WARN    (Information Disclosure - Debug Error Messages)
10024   FAIL    (Information Disclosure - Sensitive Information in URL)
10025   FAIL    (Information Disclosure - Sensitive Information in HTTP Referrer Header)
10026   WARN    (HTTP Parameter Override)
10027   WARN    (Information Disclosure - Suspicious Comments)
10028   FAIL    (Open Redirect)
10029   WARN    (Cookie Poisoning)
10030   WARN    (User Controllable Charset)
10031   FAIL    (User Controllable HTML Element Attribute (Potential XSS))
10032   WARN    (Viewstate)
10033   WARN    (Directory Browsing)
10034   WARN    (Heartbleed OpenSSL Vulnerability (Indicative))
10035   FAIL    (Strict-Transport-Security Header)
10036   WARN    (HTTP Server Response Header)
10037   WARN    (Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s))
10038   WARN    (Content Security Policy (CSP) Header Not Set)
10039   WARN    (X-Backend-Server Header Information Leak)
10040   FAIL    (Secure Pages Include Mixed Content)
10041   FAIL    (HTTP to HTTPS Insecure Transition in Form Post)
10042   FAIL    (HTTPS to HTTP Insecure Transition in Form Post)
10043   FAIL    (User Controllable JavaScript Event (XSS))
10044   FAIL    (Big Redirect Detected (Potential Sensitive Information Leak))
10049   IGNORE  (Content Cacheability)
10050   WARN    (Retrieved from Cache)
10052   WARN    (X-ChromeLogger-Data (XCOLD) Header Information Leak)
10054   WARN    (Cookie without SameSite Attribute)
10055   WARN    (CSP)
10056   WARN    (X-Debug-Token Information Leak)
10057   WARN    (Username Hash Found)
10061   WARN    (X-AspNet-Version Response Header)
10062   FAIL    (PII Disclosure)
10063   WARN    (Permissions Policy Header Not Set)
10096   WARN    (Timestamp Disclosure)
10097   WARN    (Hash Disclosure)
10098   WARN    (Cross-Domain Misconfiguration)
10099   WARN    (Source Code Disclosure)
10105   WARN    (Weak Authentication Method)
10108   FAIL    (Reverse Tabnabbing)
10109   WARN    (Modern Web Application)
10110   WARN    (Dangerous JS Functions)
10111   WARN    (Authentication Request Identified)
10112   WARN    (Session Management Response Identified)
10113   WARN    (Verification Request Identified)
10202   WARN    (Absence of Anti-CSRF Tokens)
2   WARN    (Private IP Disclosure)
3   WARN    (Session ID in URL Rewrite)
50001   WARN    (Script Passive Scan Rules)
90001   WARN    (Insecure JSF ViewState)
90002   WARN    (Java Serialization Object)
90003   WARN    (Sub Resource Integrity Attribute Missing)
90004   WARN    (Insufficient Site Isolation Against Spectre Vulnerability)
90011   WARN    (Charset Mismatch)
90022   WARN    (Application Error Disclosure)
90030   WARN    (WSDL File Detection)
90033   WARN    (Loosely Scoped Cookie)
10038   OUTOFSCOPE  .*\/(es|en|zh)\/kit_requests
10038   OUTOFSCOPE  .*/sitemap.xml

Even though rule 10049 is marked as IGNORE, I still get this informational alert in the scan result:

https://www.zaproxy.org/docs/alerts/10049-3/

What am I doing wrong?

Thanks

Upvotes: 0

Views: 530

Answers (1)

Simon Bennetts

Reputation: 6216

The rule(s) you have ignored should not be flagged as failures on the command line or cause a non-zero result code. However, alerts related to those rules will still appear in the reports.

This is a known restriction which we plan to resolve at some point as part of the migration to the Automation Framework: https://github.com/zaproxy/zaproxy/issues/6461

Upvotes: 2
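Since the answer above says IGNORE only affects the exit code and not the report contents, a pipeline that wants a clean report has to do the filtering itself. The following is an added example, not code from the question, the answer, or the ZAP project: it reads a zap-baseline/zap-full-scan style rule file and a ZAP JSON report, drops alerts for IGNOREd rules and instances whose URL matches an OUTOFSCOPE regex for that rule (or for `*`), and returns a non-zero code only if an alert for a FAIL rule survives. Assumptions to note: the parser is lenient on whitespace, whereas the ZAP scripts split on tabs as the config header says; unlisted rules are treated as WARN; OUTOFSCOPE regexes are applied anchored at the start of the URL (`re.match`); and the embedded config and report are constructed samples covering only the JSON fields the script reads (`site` -> `alerts` -> `pluginid`, `alert`, `riskcode`, `instances[].uri`), not a real scan of any site.

```python
"""Filter a ZAP JSON report against a zap-baseline/zap-full-scan rule file,
dropping IGNOREd rules and OUTOFSCOPE URLs, and derive pass/fail from the
FAIL rules that remain. Added example; not part of the ZAP project."""
import json
import re
import sys
from collections import defaultdict

# Constructed subset of the question's zap.conf (tab separated, as the ZAP
# scripts expect). Not the full file.
SAMPLE_CONF = """# id<TAB>action<TAB>(name or OUTOFSCOPE regex)
10020\tFAIL\t(Anti-clickjacking Header)
10038\tWARN\t(Content Security Policy (CSP) Header Not Set)
10049\tIGNORE\t(Content Cacheability)
10038\tOUTOFSCOPE\t.*/sitemap.xml
"""

# Constructed report shaped like ZAP's traditional JSON report. Only the
# fields this script reads are present; a real report carries many more.
SAMPLE_REPORT = {
    "site": [{
        "@name": "http://example.test",
        "alerts": [
            {"pluginid": "10049", "alert": "Content Cacheability", "riskcode": "0",
             "instances": [{"uri": "http://example.test/"}, {"uri": "http://example.test/login"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
             "instances": [{"uri": "http://example.test/sitemap.xml"}, {"uri": "http://example.test/login"}]},
            {"pluginid": "10020", "alert": "Missing Anti-clickjacking Header", "riskcode": "2",
             "instances": [{"uri": "http://example.test/"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "instances": [{"uri": "http://example.test/"}]},
        ],
    }]
}


def parse_conf(text):
    """Return ({rule_id: action}, {rule_id: [compiled regex, ...]}).
    Lenient on whitespace; the ZAP scripts themselves split on tabs."""
    actions = {}
    out_of_scope = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        rule_id, action = parts[0], parts[1].upper()
        if action == "OUTOFSCOPE":
            if len(parts) == 3:
                out_of_scope[rule_id].append(re.compile(parts[2].strip()))
        elif action in ("WARN", "FAIL", "IGNORE"):
            actions[rule_id] = action
    return actions, out_of_scope


def in_scope(rule_id, uri, out_of_scope):
    """A URL is out of scope for a rule when a '*' or rule-specific OUTOFSCOPE
    regex matches it from the start (assumption: anchored re.match)."""
    for key in ("*", rule_id):
        if any(prog.match(uri) for prog in out_of_scope.get(key, [])):
            return False
    return True


def filter_report(report, actions, out_of_scope, default_action="WARN"):
    """Drop IGNOREd rules and out-of-scope instances. Rules not listed in the
    config are treated as WARN (assumption mirroring the scripts' default)."""
    kept = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            rule_id = str(alert.get("pluginid"))
            action = actions.get(rule_id, default_action)
            if action == "IGNORE":
                continue
            uris = [inst.get("uri", "") for inst in alert.get("instances", [])
                    if in_scope(rule_id, inst.get("uri", ""), out_of_scope)]
            if not uris:
                continue  # every instance was out of scope for this rule
            kept.append({"pluginid": rule_id, "alert": alert.get("alert", ""),
                         "riskcode": alert.get("riskcode", ""),
                         "action": action, "uris": uris})
    return kept


def exit_code(kept):
    """Non-zero only when an alert for a FAIL rule survived filtering."""
    return 1 if any(a["action"] == "FAIL" for a in kept) else 0


if __name__ == "__main__":
    if len(sys.argv) == 3:  # hypothetical usage: zap_filter.py zap.conf report.json
        with open(sys.argv[1]) as f:
            conf_text = f.read()
        with open(sys.argv[2]) as f:
            report = json.load(f)
    else:
        conf_text, report = SAMPLE_CONF, SAMPLE_REPORT
    acts, oos = parse_conf(conf_text)
    remaining = filter_report(report, acts, oos)
    for a in remaining:
        print(f"{a['action']:<6} {a['pluginid']:<6} {a['alert']} ({len(a['uris'])} URL(s))")
    sys.exit(exit_code(remaining))
```

Run it after the docker step against the report.json that `-J` writes into the mounted directory; with the sample data it keeps 10038 (only the /login instance), 10020 and 10021, and exits 1 because 10020 is a FAIL rule. It does not replace the ZAP scripts' own exit code, which already honours IGNORE; its job is to give you a report view that matches that exit code.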
