@kmcquade
Last active May 15, 2021 02:17
Gist: kmcquade/505dc6db8d13d05be92a03062fe4f700
ZAP Full scan config
# zap-full-scan rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
# Active scan rules set to IGNORE will not be run which will speed up the scan
# Only the rule identifiers are used - the names are just for info
# You can add your own messages to each rule by appending them after a tab on each line.
0 WARN (Directory Browsing - Active/release)
10003 WARN (Vulnerable JS Library - Passive/release)
10010 WARN (Cookie No HttpOnly Flag - Passive/release)
10011 WARN (Cookie Without Secure Flag - Passive/release)
10015 WARN (Incomplete or No Cache-control Header Set - Passive/release)
10017 WARN (Cross-Domain JavaScript Source File Inclusion - Passive/release)
10019 WARN (Content-Type Header Missing - Passive/release)
10020 WARN (X-Frame-Options Header - Passive/release)
10021 WARN (X-Content-Type-Options Header Missing - Passive/release)
10023 WARN (Information Disclosure - Debug Error Messages - Passive/release)
10024 WARN (Information Disclosure - Sensitive Information in URL - Passive/release)
10025 WARN (Information Disclosure - Sensitive Information in HTTP Referrer Header - Passive/release)
10026 WARN (HTTP Parameter Override - Passive/beta)
10027 WARN (Information Disclosure - Suspicious Comments - Passive/release)
10028 WARN (Open Redirect - Passive/beta)
10029 WARN (Cookie Poisoning - Passive/beta)
10030 WARN (User Controllable Charset - Passive/beta)
10031 WARN (User Controllable HTML Element Attribute (Potential XSS) - Passive/beta)
10032 WARN (Viewstate - Passive/release)
10033 WARN (Directory Browsing - Passive/beta)
10034 WARN (Heartbleed OpenSSL Vulnerability (Indicative) - Passive/beta)
10035 WARN (Strict-Transport-Security Header - Passive/beta)
10036 WARN (HTTP Server Response Header - Passive/beta)
10037 WARN (Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) - Passive/release)
10038 WARN (Content Security Policy (CSP) Header Not Set - Passive/beta)
10039 WARN (X-Backend-Server Header Information Leak - Passive/beta)
10040 WARN (Secure Pages Include Mixed Content - Passive/release)
10041 WARN (HTTP to HTTPS Insecure Transition in Form Post - Passive/beta)
10042 WARN (HTTPS to HTTP Insecure Transition in Form Post - Passive/beta)
10043 WARN (User Controllable JavaScript Event (XSS) - Passive/beta)
10044 WARN (Big Redirect Detected (Potential Sensitive Information Leak) - Passive/beta)
10045 WARN (Source Code Disclosure - /WEB-INF folder - Active/release)
10047 WARN (HTTPS Content Available via HTTP - Active/beta)
10048 WARN (Remote Code Execution - Shell Shock - Active/beta)
10050 WARN (Retrieved from Cache - Passive/beta)
10051 WARN (Relative Path Confusion - Active/beta)
10052 WARN (X-ChromeLogger-Data (XCOLD) Header Information Leak - Passive/beta)
10053 WARN (Apache Range Header DoS (CVE-2011-3192) - Active/beta)
10054 WARN (Cookie Without SameSite Attribute - Passive/release)
10055 WARN (CSP - Passive/release)
10056 WARN (X-Debug-Token Information Leak - Passive/release)
10057 WARN (Username Hash Found - Passive/release)
10058 WARN (GET for POST - Active/beta)
10061 WARN (X-AspNet-Version Response Header - Passive/release)
10062 WARN (PII Disclosure - Passive/beta)
10095 WARN (Backup File Disclosure - Active/beta)
10096 WARN (Timestamp Disclosure - Passive/release)
10097 WARN (Hash Disclosure - Passive/beta)
10098 WARN (Cross-Domain Misconfiguration - Passive/release)
10104 WARN (User Agent Fuzzer - Active/beta)
10105 WARN (Weak Authentication Method - Passive/release)
10106 WARN (HTTP Only Site - Active/beta)
10107 WARN (Httpoxy - Proxy Header Misuse - Active/beta)
10108 WARN (Reverse Tabnabbing - Passive/beta)
10109 WARN (Modern Web Application - Passive/beta)
10202 WARN (Absence of Anti-CSRF Tokens - Passive/release)
2 WARN (Private IP Disclosure - Passive/release)
20012 WARN (Anti-CSRF Tokens Check - Active/beta)
20014 WARN (HTTP Parameter Pollution - Active/beta)
20015 WARN (Heartbleed OpenSSL Vulnerability - Active/beta)
20016 WARN (Cross-Domain Misconfiguration - Active/beta)
20017 WARN (Source Code Disclosure - CVE-2012-1823 - Active/beta)
20018 WARN (Remote Code Execution - CVE-2012-1823 - Active/beta)
20019 WARN (External Redirect - Active/release)
3 WARN (Session ID in URL Rewrite - Passive/release)
30001 WARN (Buffer Overflow - Active/release)
30002 WARN (Format String Error - Active/release)
30003 WARN (Integer Overflow Error - Active/beta)
40003 WARN (CRLF Injection - Active/release)
40008 WARN (Parameter Tampering - Active/release)
40009 WARN (Server Side Include - Active/release)
40012 WARN (Cross Site Scripting (Reflected) - Active/release)
40013 WARN (Session Fixation - Active/beta)
40014 WARN (Cross Site Scripting (Persistent) - Active/release)
40016 WARN (Cross Site Scripting (Persistent) - Prime - Active/release)
40017 WARN (Cross Site Scripting (Persistent) - Spider - Active/release)
40018 WARN (SQL Injection - Active/release)
40019 WARN (SQL Injection - MySQL - Active/beta)
40020 WARN (SQL Injection - Hypersonic SQL - Active/beta)
40021 WARN (SQL Injection - Oracle - Active/beta)
40022 WARN (SQL Injection - PostgreSQL - Active/beta)
40023 WARN (Possible Username Enumeration - Active/beta)
40024 WARN (SQL Injection - SQLite - Active/beta)
40025 WARN (Proxy Disclosure - Active/beta)
40026 WARN (Cross Site Scripting (DOM Based) - Active/beta)
40027 WARN (SQL Injection - MsSQL - Active/beta)
40028 WARN (ELMAH Information Leak - Active/release)
40029 WARN (Trace.axd Information Leak - Active/beta)
40032 WARN (.htaccess Information Leak - Active/release)
40034 WARN (.env Information Leak - Active/beta)
40035 WARN (Hidden File Finder - Active/beta)
41 WARN (Source Code Disclosure - Git - Active/beta)
42 WARN (Source Code Disclosure - SVN - Active/beta)
43 WARN (Source Code Disclosure - File Inclusion - Active/beta)
50000 WARN (Script Active Scan Rules - Active/release)
50001 WARN (Script Passive Scan Rules - Passive/release)
6 WARN (Path Traversal - Active/release)
7 WARN (Remote File Inclusion - Active/release)
90001 WARN (Insecure JSF ViewState - Passive/release)
90011 WARN (Charset Mismatch - Passive/release)
90017 WARN (XSLT Injection - Active/beta)
90019 WARN (Server Side Code Injection - Active/release)
90020 WARN (Remote OS Command Injection - Active/release)
90021 WARN (XPath Injection - Active/beta)
90022 WARN (Application Error Disclosure - Passive/release)
90023 WARN (XML External Entity Attack - Active/beta)
90024 WARN (Generic Padding Oracle - Active/beta)
90025 WARN (Expression Language Injection - Active/beta)
90026 WARN (SOAP Action Spoofing - Active/alpha)
90027 WARN (Cookie Slack Detector - Active/beta)
90028 WARN (Insecure HTTP Method - Active/beta)
90029 WARN (SOAP XML Injection - Active/alpha)
90030 WARN (WSDL File Detection - Passive/alpha)
90033 WARN (Loosely Scoped Cookie - Passive/release)
90034 WARN (Cloud Metadata Potentially Exposed - Active/beta)
# zap-full-scan rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
# Active scan rules set to IGNORE will not be run which will speed up the scan
# Only the rule identifiers are used - the names are just for info
# You can add your own messages to each rule by appending them after a tab on each line.
0 WARN (Directory Browsing - Active/release)
10003 IGNORE (Vulnerable JS Library - Passive/release)
10010 IGNORE (Cookie No HttpOnly Flag - Passive/release)
10011 IGNORE (Cookie Without Secure Flag - Passive/release)
10015 IGNORE (Incomplete or No Cache-control Header Set - Passive/release)
10017 IGNORE (Cross-Domain JavaScript Source File Inclusion - Passive/release)
10019 IGNORE (Content-Type Header Missing - Passive/release)
10020 IGNORE (X-Frame-Options Header - Passive/release)
10021 IGNORE (X-Content-Type-Options Header Missing - Passive/release)
10023 IGNORE (Information Disclosure - Debug Error Messages - Passive/release)
10024 IGNORE (Information Disclosure - Sensitive Information in URL - Passive/release)
10025 IGNORE (Information Disclosure - Sensitive Information in HTTP Referrer Header - Passive/release)
10026 IGNORE (HTTP Parameter Override - Passive/beta)
10027 IGNORE (Information Disclosure - Suspicious Comments - Passive/release)
10028 IGNORE (Open Redirect - Passive/beta)
10029 IGNORE (Cookie Poisoning - Passive/beta)
10030 IGNORE (User Controllable Charset - Passive/beta)
10031 IGNORE (User Controllable HTML Element Attribute (Potential XSS) - Passive/beta)
10032 IGNORE (Viewstate - Passive/release)
10033 IGNORE (Directory Browsing - Passive/beta)
10034 FAIL (Heartbleed OpenSSL Vulnerability (Indicative) - Passive/beta)
10035 IGNORE (Strict-Transport-Security Header - Passive/beta)
10036 IGNORE (HTTP Server Response Header - Passive/beta)
10037 IGNORE (Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) - Passive/release)
10038 IGNORE (Content Security Policy (CSP) Header Not Set - Passive/beta)
10039 IGNORE (X-Backend-Server Header Information Leak - Passive/beta)
10040 IGNORE (Secure Pages Include Mixed Content - Passive/release)
10041 IGNORE (HTTP to HTTPS Insecure Transition in Form Post - Passive/beta)
10042 IGNORE (HTTPS to HTTP Insecure Transition in Form Post - Passive/beta)
10043 IGNORE (User Controllable JavaScript Event (XSS) - Passive/beta)
10044 IGNORE (Big Redirect Detected (Potential Sensitive Information Leak) - Passive/beta)
10045 IGNORE (Source Code Disclosure - /WEB-INF folder - Active/release)
10047 IGNORE (HTTPS Content Available via HTTP - Active/beta)
10048 IGNORE (Remote Code Execution - Shell Shock - Active/beta)
10050 IGNORE (Retrieved from Cache - Passive/beta)
10051 IGNORE (Relative Path Confusion - Active/beta)
10052 IGNORE (X-ChromeLogger-Data (XCOLD) Header Information Leak - Passive/beta)
10053 IGNORE (Apache Range Header DoS (CVE-2011-3192) - Active/beta)
10054 IGNORE (Cookie Without SameSite Attribute - Passive/release)
10055 IGNORE (CSP - Passive/release)
10056 IGNORE (X-Debug-Token Information Leak - Passive/release)
10057 IGNORE (Username Hash Found - Passive/release)
10058 IGNORE (GET for POST - Active/beta)
10061 IGNORE (X-AspNet-Version Response Header - Passive/release)
10062 IGNORE (PII Disclosure - Passive/beta)
10095 IGNORE (Backup File Disclosure - Active/beta)
10096 IGNORE (Timestamp Disclosure - Passive/release)
10097 IGNORE (Hash Disclosure - Passive/beta)
10098 IGNORE (Cross-Domain Misconfiguration - Passive/release)
10104 IGNORE (User Agent Fuzzer - Active/beta)
10105 IGNORE (Weak Authentication Method - Passive/release)
10106 IGNORE (HTTP Only Site - Active/beta)
10107 IGNORE (Httpoxy - Proxy Header Misuse - Active/beta)
10108 IGNORE (Reverse Tabnabbing - Passive/beta)
10109 IGNORE (Modern Web Application - Passive/beta)
10202 IGNORE (Absence of Anti-CSRF Tokens - Passive/release)
2 IGNORE (Private IP Disclosure - Passive/release)
20012 IGNORE (Anti-CSRF Tokens Check - Active/beta)
20014 IGNORE (HTTP Parameter Pollution - Active/beta)
20015 FAIL (Heartbleed OpenSSL Vulnerability - Active/beta)
20016 IGNORE (Cross-Domain Misconfiguration - Active/beta)
20017 IGNORE (Source Code Disclosure - CVE-2012-1823 - Active/beta)
20018 FAIL (Remote Code Execution - CVE-2012-1823 - Active/beta)
20019 IGNORE (External Redirect - Active/release)
3 IGNORE (Session ID in URL Rewrite - Passive/release)
30001 FAIL (Buffer Overflow - Active/release)
30002 FAIL (Format String Error - Active/release)
30003 FAIL (Integer Overflow Error - Active/beta)
40003 IGNORE (CRLF Injection - Active/release)
40008 FAIL (Parameter Tampering - Active/release)
40009 IGNORE (Server Side Include - Active/release)
40012 FAIL (Cross Site Scripting (Reflected) - Active/release)
40013 IGNORE (Session Fixation - Active/beta)
40014 FAIL (Cross Site Scripting (Persistent) - Active/release)
40016 FAIL (Cross Site Scripting (Persistent) - Prime - Active/release)
40017 FAIL (Cross Site Scripting (Persistent) - Spider - Active/release)
40018 FAIL (SQL Injection - Active/release)
40019 FAIL (SQL Injection - MySQL - Active/beta)
40020 FAIL (SQL Injection - Hypersonic SQL - Active/beta)
40021 FAIL (SQL Injection - Oracle - Active/beta)
40022 FAIL (SQL Injection - PostgreSQL - Active/beta)
40023 IGNORE (Possible Username Enumeration - Active/beta)
40024 FAIL (SQL Injection - SQLite - Active/beta)
40025 FAIL (Proxy Disclosure - Active/beta)
40026 FAIL (Cross Site Scripting (DOM Based) - Active/beta)
40027 FAIL (SQL Injection - MsSQL - Active/beta)
40028 IGNORE (ELMAH Information Leak - Active/release)
40029 IGNORE (Trace.axd Information Leak - Active/beta)
40032 IGNORE (.htaccess Information Leak - Active/release)
40034 IGNORE (.env Information Leak - Active/beta)
40035 IGNORE (Hidden File Finder - Active/beta)
41 IGNORE (Source Code Disclosure - Git - Active/beta)
42 IGNORE (Source Code Disclosure - SVN - Active/beta)
43 IGNORE (Source Code Disclosure - File Inclusion - Active/beta)
50000 WARN (Script Active Scan Rules - Active/release)
50001 WARN (Script Passive Scan Rules - Passive/release)
6 IGNORE (Path Traversal - Active/release)
7 IGNORE (Remote File Inclusion - Active/release)
90001 IGNORE (Insecure JSF ViewState - Passive/release)
90011 IGNORE (Charset Mismatch - Passive/release)
90017 FAIL (XSLT Injection - Active/beta)
90019 FAIL (Server Side Code Injection - Active/release)
90020 FAIL (Remote OS Command Injection - Active/release)
90021 FAIL (XPath Injection - Active/beta)
90022 IGNORE (Application Error Disclosure - Passive/release)
90023 FAIL (XML External Entity Attack - Active/beta)
90024 FAIL (Generic Padding Oracle - Active/beta)
90025 FAIL (Expression Language Injection - Active/beta)
90026 FAIL (SOAP Action Spoofing - Active/alpha)
90027 FAIL (Cookie Slack Detector - Active/beta)
90028 WARN (Insecure HTTP Method - Active/beta)
90029 FAIL (SOAP XML Injection - Active/alpha)
90030 FAIL (WSDL File Detection - Passive/alpha)
90033 IGNORE (Loosely Scoped Cookie - Passive/release)
90034 FAIL (Cloud Metadata Potentially Exposed - Active/beta)
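The two files above differ only in the action column, and the header comments spell out the line format: rule id, action (WARN, IGNORE or FAIL), the rule name in parentheses (informational only), and an optional user message after a tab. The script below is an added example for working with that format; it is not part of the gist and not code from the ZAP project. It parses both files, rejects malformed lines and unknown actions, diffs the baseline against the tuned copy, and lists active rules set to IGNORE, which the header says are skipped entirely. Assumptions: field separators may be tabs or spaces (the gist renders them as spaces), the scan type is read from the " - Active/beta)" suffix of the name, and the embedded excerpts and the `TICKET-PLACEHOLDER` message are constructed sample input.

```python
"""Lint and diff zap-full-scan rule configuration files (added example).

Assumed layout, from the config header: id, action (WARN/IGNORE/FAIL),
"(name)" which is informational only, and an optional message after a tab.
"""
import re
from collections import Counter

ACTIONS = {"WARN", "IGNORE", "FAIL"}

# id, action, "(name)" separated by tabs/spaces; optional "<TAB>message" after the name.
LINE_RE = re.compile(r"^(\d+)[ \t]+(\w+)[ \t]+(\(.*?\))(?:\t(.*))?$")
# The name suffix encodes scan type and rule quality, e.g. "... - Active/beta)".
TYPE_RE = re.compile(r" - (Active|Passive)/(\w+)\)$")


def parse_config(text):
    """Return {rule_id: (action, name, message)}; raise ValueError on bad lines."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # comments and blank lines carry no configuration
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        rule_id, action, name, message = m.groups()
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        if rule_id in rules:
            raise ValueError(f"line {lineno}: duplicate rule id {rule_id}")
        rules[rule_id] = (action, name, message or "")
    return rules

def is_valid_config(text):
    """True when every non-comment line parses and uses a known action."""
    try:
        parse_config(text)
        return True
    except ValueError:
        return False

def scan_type(name):
    """'(... - Active/beta)' -> ('Active', 'beta'); ('Unknown', 'unknown') if absent."""
    m = TYPE_RE.search(name)
    return (m.group(1), m.group(2)) if m else ("Unknown", "unknown")

def action_counts(rules):
    """Number of rules per action."""
    return Counter(action for action, _, _ in rules.values())

def ignored_active_rules(rules):
    """Active rules set to IGNORE are not run at all (see the header), so the
    target is never exercised for them; list them so the choice is deliberate."""
    return sorted((rid for rid, (action, name, _) in rules.items()
                   if action == "IGNORE" and scan_type(name)[0] == "Active"), key=int)

def diff_configs(base, tuned):
    """Ids missing from / added to the tuned file, plus ids whose action changed."""
    missing = sorted(set(base) - set(tuned), key=int)
    extra = sorted(set(tuned) - set(base), key=int)
    changed = {rid: (base[rid][0], tuned[rid][0])
               for rid in base if rid in tuned and base[rid][0] != tuned[rid][0]}
    return missing, extra, changed

def report(base_text, tuned_text):
    """Parse both files and return the findings as a dict."""
    base, tuned = parse_config(base_text), parse_config(tuned_text)
    missing, extra, changed = diff_configs(base, tuned)
    return {
        "counts": dict(action_counts(tuned)),
        "missing_in_tuned": missing,
        "new_in_tuned": extra,
        "changed": changed,
        "ignored_active": ignored_active_rules(tuned),
        "messages": {rid: msg for rid, (_, _, msg) in tuned.items() if msg},
    }

# Constructed excerpts of the two files in the gist, with the tabs made explicit.
BASELINE = (
    "# zap-full-scan rule configuration file (constructed excerpt)\n"
    "0\tWARN\t(Directory Browsing - Active/release)\n"
    "10034\tWARN\t(Heartbleed OpenSSL Vulnerability (Indicative) - Passive/beta)\n"
    "40018\tWARN\t(SQL Injection - Active/release)\n"
    "90034\tWARN\t(Cloud Metadata Potentially Exposed - Active/beta)\n"
)
TUNED = (
    "# tuned copy (constructed excerpt); the last line carries a user message after a tab\n"
    "0\tIGNORE\t(Directory Browsing - Active/release)\n"
    "10034\tFAIL\t(Heartbleed OpenSSL Vulnerability (Indicative) - Passive/beta)\n"
    "40018\tFAIL\t(SQL Injection - Active/release)\tblocks release; tracked in TICKET-PLACEHOLDER\n"
)

if __name__ == "__main__":
    for key, value in report(BASELINE, TUNED).items():
        print(f"{key}: {value}")
```

Running it against the real files (read them with `open(...).read()` in place of the excerpts) gives a quick review checklist before the tuned config goes into CI: rule ids that silently dropped out, which active rules the scan will no longer run, and whether every FAIL carries a message explaining who decided it should block.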