Kinnaird McQuade kmcquade

## requirements.txt
python_terraform==0.10.1

## explanation.md

      
              3 files
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                kmcquade
                / explanation.md
            
            
              Last active
              July 25, 2021 17:43
            
          
    This explains a current issue in the ZAP Automation Framework where ZAP will perform tests even when they are explicitly excluded from the scan results - that is, even when you set defaultThreshold (which is supposed to apply as the default for all scan rules) or threshold (rule-specific settings) to 'Off', the checks are still performed.
Instructions


mkdir -p /tmp/zap/
Save the template.yaml YAML file to /tmp/zap/template.yaml
Run these commands to trigger the scan:


## template.yaml
--- # OWASP ZAP automation configuration file, for more details see https://www.zaproxy.org/docs/automate/automation-framework/
env:                                   # The environment, mandatory
  contexts :                           # List of 1 or more contexts, mandatory
    - name: context 1                  # Name to be used to refer to this context in other jobs, mandatory
      urls:                            # A mandatory list of top level urls, everything under each url will be included
      - https://public-firing-range.appspot.com/
      includePaths:                    # An optional list of regexes to include
      excludePaths:                    # An optional list of regexes to exclude
      authentication:                  # TBA: In time to cover all auth configs
  vars:                                # List of 1 or more variables, can be used throughout the config

## template.yml
---
# OWASP ZAP automation configuration file, for more details see https://www.zaproxy.com/docs/(TBA)
env:                                      # The environment, mandatory
  contexts:                               # List of 1 or more contexts, mandatory
    - name: context 1                     # Name to be used to refer to this context in other jobs, mandatory
      url: http://demo.testfire.net             # The top level url, mandatory, everything under this will be included
      includePaths:  # TBA: An optional list of regexes to include
      excludePaths:  # TBA: An optional list of regexes to exclude
      authentication:                     # TBA: In time to cover all auth configs
  parameters:

## zap-template-question.yaml
--- # OWASP ZAP automation configuration file, for more details see https://www.zaproxy.com/docs/(TBA)
env:                                      # The environment, mandatory
  contexts:                               # List of 1 or more contexts, mandatory
    - name: context 1                     # Name to be used to refer to this context in other jobs, mandatory
      url: http://demo.testfire.net/             # The top level url, mandatory, everything under this will be included
      includePaths:  # TBA: An optional list of regexes to include
      excludePaths:  # TBA: An optional list of regexes to exclude
      authentication:                     # TBA: In time to cover all auth configs
  parameters:
    failOnError: true                  # If set exit on an error

## original.conf
# zap-full-scan rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
# Active scan rules set to IGNORE will not be run which will speed up the scan
# Only the rule identifiers are used - the names are just for info
# You can add your own messages to each rule by appending them after a tab on each line.
0	WARN	(Directory Browsing - Active/release)
10003	WARN	(Vulnerable JS Library - Passive/release)
10010	WARN	(Cookie No HttpOnly Flag - Passive/release)
10011	WARN	(Cookie Without Secure Flag - Passive/release)
10015	WARN	(Incomplete or No Cache-control Header Set - Passive/release)

## nuke-azure.tf
resource "null_resource" "nuke" {
  # Because we set this to timestamp, it *always* runs :D
  triggers = {
    party_like_its_jan_1_1970 = timestamp()
  }

  provisioner "local-exec" {
    command = <<EOF
for sub in `az account list | jq -r '.[].id'`; do \
    for rg in `az group list --subscription $sub | jq -r '.[].name'`; do \

## nuke-azure.sh
#!/usr/bin/env bash

for sub in `az account list | jq -r '.[].id'`; do \
    for rg in `az group list --subscription $sub | jq -r '.[].name'`; do \
        az group delete --name ${rg} --subscription $sub --no-wait --yes; \
    done; done;

## sensitive-aws-api-calls.json
{
  "Statement": [
    {
      "Action": [
        "appsync:ListApiKeys",
        "chatbot:*",
        "codecommit:GetFile",
        "codecommit:GetCommit",
        "codecommit:GetDifferences",
        "codepipeline:PollForJobs",

## chatbot-iam-policy.json
{
  "Statement": [
    {
      "Action": [
        "appsync:ListApiKeys",
        "chatbot:*",
        "codecommit:GetFile",
        "codecommit:GetCommit",
        "codecommit:GetDifferences",
        "cognito-idp:*",
	--- # OWASP ZAP automation configuration file, for more details see https://www.zaproxy.org/docs/automate/automation-framework/
	env: # The environment, mandatory
	contexts : # List of 1 or more contexts, mandatory
	- name: context 1 # Name to be used to refer to this context in other jobs, mandatory
	urls: # A mandatory list of top level urls, everything under each url will be included
	- https://public-firing-range.appspot.com/
	includePaths: # An optional list of regexes to include
	excludePaths: # An optional list of regexes to exclude
	authentication: # TBA: In time to cover all auth configs
	vars: # List of 1 or more variables, can be used throughout the config
	---
	# OWASP ZAP automation configuration file, for more details see https://www.zaproxy.com/docs/(TBA)
	env: # The environment, mandatory
	contexts: # List of 1 or more contexts, mandatory
	- name: context 1 # Name to be used to refer to this context in other jobs, mandatory
	url: http://demo.testfire.net # The top level url, mandatory, everything under this will be included
	includePaths: # TBA: An optional list of regexes to include
	excludePaths: # TBA: An optional list of regexes to exclude
	authentication: # TBA: In time to cover all auth configs
	parameters:
	# zap-full-scan rule configuration file
	# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
	# Active scan rules set to IGNORE will not be run which will speed up the scan
	# Only the rule identifiers are used - the names are just for info
	# You can add your own messages to each rule by appending them after a tab on each line.
	0 WARN (Directory Browsing - Active/release)
	10003 WARN (Vulnerable JS Library - Passive/release)
	10010 WARN (Cookie No HttpOnly Flag - Passive/release)
	10011 WARN (Cookie Without Secure Flag - Passive/release)
	10015 WARN (Incomplete or No Cache-control Header Set - Passive/release)
	resource "null_resource" "nuke" {
	# Because we set this to timestamp, it always runs :D
	triggers = {
	party_like_its_jan_1_1970 = timestamp()
	}

	provisioner "local-exec" {
	command = <<EOF
	for sub in `az account list \| jq -r '.[].id'`; do \
	for rg in `az group list --subscription $sub \| jq -r '.[].name'`; do \
	#!/usr/bin/env bash

	for sub in `az account list \| jq -r '.[].id'`; do \
	for rg in `az group list --subscription $sub \| jq -r '.[].name'`; do \
	az group delete --name ${rg} --subscription $sub --no-wait --yes; \
	done; done;
	{
	"Statement": [
	{
	"Action": [
	"appsync:ListApiKeys",
	"chatbot:*",
	"codecommit:GetFile",
	"codecommit:GetCommit",
	"codecommit:GetDifferences",
	"codepipeline:PollForJobs",