Skip to content

Instantly share code, notes, and snippets.

Avatar

Kinnaird McQuade kmcquade

View GitHub Profile
View explanation.md

This explains a current issue in the ZAP Automation Framework where ZAP will perform tests even when they are explicitly excluded from the scan results - that is, even when you set defaultThreshold (which is supposed to apply as the default for all scan rules) or threshold (rule-specific settings) to 'Off', the checks are still performed.

Instructions

  • mkdir -p /tmp/zap/
  • Save the template.yaml YAML file to /tmp/zap/template.yaml
  • Run these commands to trigger the scan:
@kmcquade
kmcquade / template.yaml
Created Jul 17, 2021
ZAP Automation Template example - works with v0.4, runs against Google firing range
View template.yaml
--- # OWASP ZAP automation configuration file, for more details see https://www.zaproxy.org/docs/automate/automation-framework/
env: # The environment, mandatory
contexts : # List of 1 or more contexts, mandatory
- name: context 1 # Name to be used to refer to this context in other jobs, mandatory
urls: # A mandatory list of top level urls, everything under each url will be included
- https://public-firing-range.appspot.com/
includePaths: # An optional list of regexes to include
excludePaths: # An optional list of regexes to exclude
authentication: # TBA: In time to cover all auth configs
vars: # List of 1 or more variables, can be used throughout the config
@kmcquade
kmcquade / template.yml
Created Jun 23, 2021
2021-06-23: ZAP Automation Framework troubleshooting
View template.yml
---
# OWASP ZAP automation configuration file, for more details see https://www.zaproxy.com/docs/(TBA)
env: # The environment, mandatory
contexts: # List of 1 or more contexts, mandatory
- name: context 1 # Name to be used to refer to this context in other jobs, mandatory
url: http://demo.testfire.net # The top level url, mandatory, everything under this will be included
includePaths: # TBA: An optional list of regexes to include
excludePaths: # TBA: An optional list of regexes to exclude
authentication: # TBA: In time to cover all auth configs
parameters:
View zap-template.yaml
--- # OWASP ZAP automation configuration file, for more details see https://www.zaproxy.com/docs/(TBA)
env: # The environment, mandatory
contexts: # List of 1 or more contexts, mandatory
- name: context 1 # Name to be used to refer to this context in other jobs, mandatory
url: http://demo.testfire.net # The top level url, mandatory, everything under this will be included
includePaths: # TBA: An optional list of regexes to include
excludePaths: # TBA: An optional list of regexes to exclude
authentication: # TBA: In time to cover all auth configs
parameters:
failOnError: true # If set exit on an error
View zap-template-question.yaml
--- # OWASP ZAP automation configuration file, for more details see https://www.zaproxy.com/docs/(TBA)
env: # The environment, mandatory
contexts: # List of 1 or more contexts, mandatory
- name: context 1 # Name to be used to refer to this context in other jobs, mandatory
url: http://demo.testfire.net/ # The top level url, mandatory, everything under this will be included
includePaths: # TBA: An optional list of regexes to include
excludePaths: # TBA: An optional list of regexes to exclude
authentication: # TBA: In time to cover all auth configs
parameters:
failOnError: true # If set exit on an error
@kmcquade
kmcquade / original.conf
Last active May 15, 2021
ZAP Full scan config
View original.conf
# zap-full-scan rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
# Active scan rules set to IGNORE will not be run which will speed up the scan
# Only the rule identifiers are used - the names are just for info
# You can add your own messages to each rule by appending them after a tab on each line.
0 WARN (Directory Browsing - Active/release)
10003 WARN (Vulnerable JS Library - Passive/release)
10010 WARN (Cookie No HttpOnly Flag - Passive/release)
10011 WARN (Cookie Without Secure Flag - Passive/release)
10015 WARN (Incomplete or No Cache-control Header Set - Passive/release)
View nuke-azure.tf
resource "null_resource" "nuke" {
# Because we set this to timestamp, it *always* runs :D
triggers = {
party_like_its_jan_1_1970 = timestamp()
}
provisioner "local-exec" {
command = <<EOF
for sub in `az account list | jq -r '.[].id'`; do \
for rg in `az group list --subscription $sub | jq -r '.[].name'`; do \
View nuke-azure.sh
#!/usr/bin/env bash
for sub in `az account list | jq -r '.[].id'`; do \
for rg in `az group list --subscription $sub | jq -r '.[].name'`; do \
az group delete --name ${rg} --subscription $sub --no-wait --yes; \
done; done;
View sensitive-aws-api-calls.json
{
"Statement": [
{
"Action": [
"appsync:ListApiKeys",
"chatbot:*",
"codecommit:GetFile",
"codecommit:GetCommit",
"codecommit:GetDifferences",
"codepipeline:PollForJobs",
View chatbot-iam-policy.json
{
"Statement": [
{
"Action": [
"appsync:ListApiKeys",
"chatbot:*",
"codecommit:GetFile",
"codecommit:GetCommit",
"codecommit:GetDifferences",
"cognito-idp:*",