Created
July 17, 2021 22:14
-
-
Save kmcquade/0b1a328921d11e062f00232a34628dca to your computer and use it in GitHub Desktop.
ZAP Automation Template example - works with v0.4, runs against Google firing range
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- # OWASP ZAP automation configuration file, for more details see https://www.zaproxy.org/docs/automate/automation-framework/ | |
| env: # The environment, mandatory | |
| contexts : # List of 1 or more contexts, mandatory | |
| - name: context 1 # Name to be used to refer to this context in other jobs, mandatory | |
| urls: # A mandatory list of top level urls, everything under each url will be included | |
| - https://public-firing-range.appspot.com/ | |
| includePaths: # An optional list of regexes to include | |
| excludePaths: # An optional list of regexes to exclude | |
| authentication: # TBA: In time to cover all auth configs | |
| vars: # List of 1 or more variables, can be used throughout the config | |
| parameters: | |
| failOnError: true # If set exit on an error | |
| failOnWarning: false # If set exit on a warning | |
| progressToStdout: true # If set will write job progress to stdout | |
| jobs: | |
| - type: addOns # Add-on management | |
| parameters: | |
| updateAddOns: false # Update any add-ons that have new versions | |
| install: # A list of non standard add-ons to install from the ZAP Marketplace | |
| uninstall: # A list of standard add-ons to uninstall | |
| # Passive scan templates | |
| # Spider templates | |
| - type: spider # The traditional spider - fast but doesnt handle modern apps so well | |
| parameters: | |
| context: # String: Name of the context to spider, default: first context | |
| url: # String: Url to start spidering from, default: first context URL | |
| userAgent: # String: The user agent to use in requests, default: '' - use the default ZAP one | |
| maxDuration: # Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited | |
| maxDepth: # Int: The maximum tree depth to explore | |
| maxChildren: # Int: The maximum number of children to add to each node in the tree | |
| tests: | |
| - name: 'At least X URLs found' # String: Name of the test, default: statistic + operator + value | |
| type: 'stats' # String: Type of test, only 'stats' is supported for now | |
| statistic: 'automation.spider.urls.added' # String: Name of an integer / long statistic, currently supported: 'automation.spider.urls.added' | |
| operator: '>=' # String ['==', '!=', '>=', '>', '<', '<=']: Operator used for testing | |
| value: 100 # Int: Change this to the number of URLs you expect to find | |
| onFail: 'info' # String [warn, error, info]: Change this to 'warn' or 'error' for the test to take effect | |
| # API scan templates | |
| # Active scan templates | |
| - type: activeScan # The active scanner - this actively attacks the target so should only be used with permission | |
| parameters: | |
| context: # String: Name of the context to attack, default: first context | |
| policy: # String: Name of the scan policy to be used, default: Default Policy | |
| maxRuleDurationInMins: 10 # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited | |
| maxScanDurationInMins: 10 # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimiteds | |
| delayInMs: # Int: The delay in milliseconds between each request, use to reduce the strain on the target, default 0 | |
| policyDefinition: # The policy definition - only used if the 'policy' is not set | |
| defaultStrength: Low # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium | |
| defaultThreshold: Low # String: The default Alert Threshold for all rules, one of Off, Low, Medium, High, default: Medium | |
| rules: # A list of one or more active scan rules and associated settings which override the defaults | |
| - id: 40018 | |
| threshold: Low | |
| strength: Medium | |
| # Output templates | |
| - type: outputSummary # Print summary to stdout, primarily to mimic the behaviour of the packaged scans | |
| parameters: | |
| format: None # String: The format of the output, one of None, Short, Long, default: None | |
| summaryFile: # String: The full path of a file into which will be written a JSON summary of the scan, default empty | |
| - type: report # Report generation | |
| parameters: | |
| template: traditional-json # String: The template id, default : traditional-html | |
| reportDir: /tmp/zap/ # String: The directory into which the report will be written | |
| reportFile: # String: The report file name pattern, default: {yyyy-MM-dd}-ZAP-Report-[[site]] | |
| reportTitle: # String: The report title | |
| reportDescription: # String: The report description | |
| displayReport: # Boolean: Display the report when generated, default: false | |
| risks: # List: The risks to include in this report, default all | |
| - high | |
| - medium | |
| - low | |
| - info | |
| confidences: # List: The confidences to include in this report, default all | |
| - high | |
| - medium | |
| - low | |
| - falsepositive | |
| sections: # List: The template sections to include in this report - see the relevant template, default all |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment