This explains a current issue in the ZAP Automation Framework where ZAP performs scan-rule checks even when they are explicitly disabled in the policy: when you set defaultThreshold (which is supposed to apply as the default for all scan rules) or a rule's threshold (the rule-specific setting) to 'Off', the checks are still run and their findings still appear in the scan results.
- Create the working directory:

```bash
mkdir -p /tmp/zap/
```

- Save the template.yaml YAML file to /tmp/zap/template.yaml
- Run these commands to trigger the scan:

```bash
alias zap-docker="docker run -v $(pwd):/zap/wrk/:rw -v /tmp/zap:/tmp/zap/:rw -t owasp/zap2docker-weekly"
zap-docker zap.sh -cmd -autorun /tmp/zap/template.yaml -dir /tmp/zap -quickprogress
```
- This will generate a file at the path /tmp/zap/2021-07-25-ZAP-Report-zero.webappsecurity.com.json
- Open the file in your text editor of choice
- Observe that the findings Anti-CSRF Tokens Check, Hidden File Finder, Proxy Disclosure, and User Agent Fuzzer are all included in the results.
- Also observe that the above-mentioned rules are set to the 'Off' threshold in the YAML automation template above, so they should not be in the results
- The results should only show Expression Language Injection, not the other findings listed above
I've included the JSON results here as well so you can see what I mean (see zap-results.json).
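As an added example (not part of this bug report or of ZAP itself), here is a small check that compares the alerts in the JSON report against the template's policyDefinition thresholds and lists the rules that produced findings despite being 'Off', so the behaviour above can be caught in a pipeline. The report field names (site, alerts, pluginid, name) follow ZAP's traditional JSON report, the scan-rule ids are assumed, and both the policy and the report excerpt are constructed.

```python
"""Flag ZAP report alerts whose scan rule was set to 'Off' in the policy."""
import json

# Constructed policy mirroring the template's policyDefinition block.
# The numeric ids are assumed ZAP scan-rule ids for the named rules.
POLICY = {
    "defaultThreshold": "Off",
    "rules": [
        {"id": 90025, "name": "Expression Language Injection", "threshold": "Medium"},
        {"id": 40025, "name": "Proxy Disclosure", "threshold": "Off"},
    ],
}

# Constructed excerpt in the shape of ZAP's traditional JSON report.
REPORT_JSON = json.dumps({
    "site": [{
        "@name": "http://zero.webappsecurity.com",
        "alerts": [
            {"pluginid": "90025", "name": "Expression Language Injection", "riskcode": "3"},
            {"pluginid": "40025", "name": "Proxy Disclosure", "riskcode": "2"},
            {"pluginid": "40035", "name": "Hidden File Finder", "riskcode": "2"},
        ],
    }],
})


def effective_threshold(policy, plugin_id):
    """Threshold for a rule: its explicit setting, else defaultThreshold."""
    default = policy.get("defaultThreshold", "Medium")
    for rule in policy.get("rules", []):
        if str(rule["id"]) == str(plugin_id):
            return rule.get("threshold", default)
    return default


def unexpected_alerts(policy, report_text):
    """Return (pluginid, name) for alerts whose rule threshold is Off."""
    report = json.loads(report_text)
    offending = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            if effective_threshold(policy, alert["pluginid"]).lower() == "off":
                offending.append((alert["pluginid"], alert["name"]))
    return offending


if __name__ == "__main__":
    for pid, name in unexpected_alerts(POLICY, REPORT_JSON):
        print(f"rule {pid} ({name}) produced findings although its threshold is Off")
```

Run it against the real report by replacing REPORT_JSON with the contents of the generated JSON file and POLICY with the template's policyDefinition block.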