From 7b7fd6967d76916f7e28ea68680359f3f15de671 Mon Sep 17 00:00:00 2001
From: Sam Lerner
Date: Mon, 30 Dec 2019 16:22:34 -0500
Subject: [PATCH 1/2] Added default warning config and setup.

---
 Dockerfile | 11 ++++++++---
 README.md | 8 +++++++-
 gen.conf | 43 +++++++++++++++++++++++++++++++++++++++++++
 pages.txt | 1 +
 4 files changed, 59 insertions(+), 4 deletions(-)
 create mode 100644 gen.conf
 create mode 100644 pages.txt

diff --git a/Dockerfile b/Dockerfile
index 7e9b33c..e6176a4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,11 @@
 FROM owasp/zap2docker-stable:latest
 
-# Copy in default tests
-COPY tests /zap/wrk
+# Copy in default test configuration
+COPY gen.conf /zap/wrk
 
-CMD ["zap-baseline.py", "-d", "-r", "zap.html", "-t", "http://web"]
\ No newline at end of file
+# Install default/autotest configuration and mount
+VOLUME ["/src"]
+WORKDIR /src
+COPY pages.txt /src/
+
+CMD ["zap-baseline.py", "-d", "-r", "zap.html", "-t", "http://web", "-c", "gen.conf"]
diff --git a/README.md b/README.md
index 34538b7..05d2ce8 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,7 @@
-# ci-zap
\ No newline at end of file
+# Docker Image for OWASP ZAP
+
+Learn more about OWASP ZAP:
+ * [OWASP ZAP core documentation](https://github.com/zaproxy/zaproxy)
+ * [Zap Baseline scan options](https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan)
+ * [Zap Docker documentation](https://github.com/zaproxy/zaproxy/wiki/Docker)
+
diff --git a/gen.conf b/gen.conf
new file mode 100644
index 0000000..70351b1
--- /dev/null
+++ b/gen.conf
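Review bot: `COPY pages.txt /src/` runs after `VOLUME ["/src"]`, and per the Dockerfile reference any build step that writes into an already-declared volume path has its changes discarded (legacy builder), so pages.txt may be missing from the image; declare the volume last: `COPY pages.txt /src/` followed by `VOLUME ["/src"]`. The new CMD passes `-c gen.conf` as a bare name, which presumably works because zap-baseline.py resolves it under /zap/wrk where gen.conf is copied; by the same rule `-r zap.html` lands in /zap/wrk rather than the /src volume, so the report is lost with the container unless /zap/wrk is mounted, and the "Install default/autotest configuration and mount" comment should say which path operators must mount. Nothing in this hunk reads pages.txt, so the same comment should state what consumes it. The target `http://web` is fixed in the exec-form CMD; if it has to vary per pipeline, document that callers override CMD, since exec form does no `$VAR` expansion. The unchanged `FROM owasp/zap2docker-stable:latest` means every rebuild can pull a different scanner whose rule set the new `-c gen.conf` references by id; pinning a tag or digest makes the policy reproducible.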
@@ -0,0 +1,43 @@
+# zap-baseline rule configuration file
+# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
+# Only the rule identifiers are used - the names are just for info
+# You can add your own messages to each rule by appending them after a tab on each line.
+10010 WARN (Cookie No HttpOnly Flag)
+10011 WARN (Cookie Without Secure Flag)
+10015 WARN (Incomplete or No Cache-control and Pragma HTTP Header Set)
+10016 WARN (Web Browser XSS Protection Not Enabled)
+10017 IGNORE (Cross-Domain JavaScript Source File Inclusion)
+10019 WARN (Content-Type Header Missing)
+10020 WARN (X-Frame-Options Header Scanner)
+10021 WARN (X-Content-Type-Options Header Missing)
+10023 WARN (Information Disclosure - Debug Error Messages)
+10024 WARN (Information Disclosure - Sensitive Informations in URL)
+10025 WARN (Information Disclosure - Sensitive Information in HTTP Referrer Header)
+10026 WARN (HTTP Parameter Override)
+10027 WARN (Information Disclosure - Suspicious Comments)
+10032 WARN (Viewstate Scanner)
+10040 WARN (Secure Pages Include Mixed Content)
+10055 IGNORE (CSP Scanner)
+10038 IGNORE (Content Security Policy (CSP) Header Not Set)
+10105 WARN (Weak Authentication Method)
+10202 WARN (Absence of Anti-CSRF Tokens)
+2 WARN (Private IP Disclosure)
+3 WARN (Session ID in URL Rewrite)
+50001 WARN (Script Passive Scan Rules)
+90001 WARN (Insecure JSF ViewState)
+90011 WARN (Charset Mismatch)
+90022 WARN (Application Error Disclosure)
+90030 WARN (WSDL File Passive Scanner)
+90033 WARN (Loosely Scoped Cookie)
+
+# Ignore no-cache header warnings on TLS
+10015 IGNORE (Incomplete or No Cache-control and Pragma HTTP Header Set)
+
+# Ignore cached pages that don't initiate a session and don't need CSRF tokens.
+# Commenting them out as they are Drupal-specific, and we want a flag to enable them.
+#10202 OUTOFSCOPE http://web/
+#10202 OUTOFSCOPE http://web
+#10202 OUTOFSCOPE http://web/user/login
+#10202 OUTOFSCOPE http://web/user/password
+#90022 OUTOFSCOPE http://web/user/login
+#10016 OUTOFSCOPE http://web/sitemap.xml
diff --git a/pages.txt b/pages.txt
new file mode 100644
index 0000000..b498fd4
--- /dev/null
+++ b/pages.txt
@@ -0,0 +1 @@
+/

From c332483bf63885eefe97b3f186dd838f7bd20f3b Mon Sep 17 00:00:00 2001
From: Sam Lerner
Date: Thu, 16 Jan 2020 11:23:35 -0500
Subject: [PATCH 2/2] Set gen.conf to baseline config.

---
 gen.conf | 17 ++---------------
 1 file changed, 2 insertions(+), 15 deletions(-)

diff --git a/gen.conf b/gen.conf
index 70351b1..658f7e5 100644
--- a/gen.conf
+++ b/gen.conf
@@ -4,9 +4,10 @@
 # You can add your own messages to each rule by appending them after a tab on each line.
 10010 WARN (Cookie No HttpOnly Flag)
 10011 WARN (Cookie Without Secure Flag)
+10012 WARN (Password Autocomplete in Browser)
 10015 WARN (Incomplete or No Cache-control and Pragma HTTP Header Set)
 10016 WARN (Web Browser XSS Protection Not Enabled)
-10017 IGNORE (Cross-Domain JavaScript Source File Inclusion)
+10017 WARN (Cross-Domain JavaScript Source File Inclusion)
 10019 WARN (Content-Type Header Missing)
 10020 WARN (X-Frame-Options Header Scanner)
 10021 WARN (X-Content-Type-Options Header Missing)
@@ -17,8 +18,6 @@
 10027 WARN (Information Disclosure - Suspicious Comments)
 10032 WARN (Viewstate Scanner)
 10040 WARN (Secure Pages Include Mixed Content)
-10055 IGNORE (CSP Scanner)
-10038 IGNORE (Content Security Policy (CSP) Header Not Set)
 10105 WARN (Weak Authentication Method)
 10202 WARN (Absence of Anti-CSRF Tokens)
 2 WARN (Private IP Disclosure)
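Review bot: The added `10012 WARN` and the flipped `10017 WARN` in the `@@ -4,9 +4,10 @@` hunk of 2/2, like every entry in this file, are matched by numeric id only, and the header comment gives no hint which scanner version that id list was taken from; since the Dockerfile builds from an unpinned `:latest` base, a rebuild can silently change which rules these ids govern or leave entries dangling. Add a header line such as `# Rule ids taken from ZAP <version: fill in>` and pin the base image tag in the Dockerfile. The list is also not in id order (`2`, `3`, `50001` follow `10202`, and `10038` follows `10055` before 2/2 removes it), which is how the duplicate `10015` entry in 1/2 went unnoticed until 2/2 deleted it; sorting by id would make such overrides visible at a glance.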
@@ -29,15 +28,3 @@
 90022 WARN (Application Error Disclosure)
 90030 WARN (WSDL File Passive Scanner)
 90033 WARN (Loosely Scoped Cookie)
-
-# Ignore no-cache header warnings on TLS
-10015 IGNORE (Incomplete or No Cache-control and Pragma HTTP Header Set)
-
-# Ignore cached pages that don't initiate a session and don't need CSRF tokens.
-# Commenting them out as they are Drupal-specific, and we want a flag to enable them.
-#10202 OUTOFSCOPE http://web/
-#10202 OUTOFSCOPE http://web
-#10202 OUTOFSCOPE http://web/user/login
-#10202 OUTOFSCOPE http://web/user/password
-#90022 OUTOFSCOPE http://web/user/login
-#10016 OUTOFSCOPE http://web/sitemap.xml