I have started working with OWASP ZAP (manual scans) and so far the learning and simultaneous execution have been exciting.
I did a passive scan on our application, found 3 alerts, and have interpreted the Description / OtherInfo / Solution / Reference, which are as follows:
- X-Frame-Options Header Not Set (Risk: Medium, Confidence: Medium, Parameter: X-Frame-Options)
- Web Browser XSS Protection Not Enabled (Risk: Low, Confidence: Medium, Parameter: X-XSS-Protection)
- X-Content-Type-Options Header Missing (Risk: Low, Confidence: Medium, Parameter: X-Content-Type-Options)
My questions are:
- Is there a way to know about the type of scans OWASPZAP would perform before the Scan starts?
- Are the Scans (Manual) configurable?
- Is there any documentation on the types of scans OWASPZAP (manual) performs?
Note: Of course the questions directly involve a tool (OWASP ZAP) used primarily for programming.
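To make the three alerts concrete, here is a simplified re-implementation of what those passive checks test on a response. This is an added example, not part of the question and not ZAP's own code (ZAP's real rules live in the zap-extensions pscanrules package and handle more cases). The three alert names match the question; the other alert names and the sample responses are constructed for this example. Note that X-XSS-Protection is an obsolete header that current browsers ignore, so that alert is of historical interest only.

```python
"""Simplified passive checks for the three alerts in the question.
Added example; not ZAP's code. Only the three quoted alert names are ZAP's."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Alert:
    name: str
    risk: str
    param: str
    evidence: str


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status, headers, body).
    Header names are lower-cased; repeated headers are kept as a list."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def check_frame_options(headers: Dict[str, List[str]]) -> Optional[Alert]:
    # A CSP frame-ancestors directive supersedes X-Frame-Options: no alert then.
    csp = headers.get("content-security-policy", [])
    if any("frame-ancestors" in v.lower() for v in csp):
        return None
    values = headers.get("x-frame-options", [])
    if not values:
        return Alert("X-Frame-Options Header Not Set", "Medium", "X-Frame-Options", "")
    if len(values) > 1:  # browsers may ignore conflicting duplicates
        return Alert("X-Frame-Options header set more than once", "Medium",
                     "X-Frame-Options", ", ".join(values))
    if values[0].upper() not in ("DENY", "SAMEORIGIN"):
        return Alert("X-Frame-Options value not DENY/SAMEORIGIN", "Medium",
                     "X-Frame-Options", values[0])
    return None


def check_xss_protection(headers: Dict[str, List[str]]) -> Optional[Alert]:
    # Legacy check: missing header, or explicitly disabled with "0".
    values = headers.get("x-xss-protection", [])
    if not values or values[0].strip().startswith("0"):
        return Alert("Web Browser XSS Protection Not Enabled", "Low",
                     "X-XSS-Protection", values[0] if values else "")
    return None


def check_content_type_options(status: int, headers: Dict[str, List[str]],
                               body: str) -> Optional[Alert]:
    if not body or status == 304:  # nothing for the browser to sniff
        return None
    values = headers.get("x-content-type-options", [])
    if not values:
        return Alert("X-Content-Type-Options Header Missing", "Low",
                     "X-Content-Type-Options", "")
    if values[0].strip().lower() != "nosniff":
        return Alert("X-Content-Type-Options value is not nosniff", "Low",
                     "X-Content-Type-Options", values[0])
    return None


def passive_scan(raw: str) -> List[Alert]:
    """Run the three checks over one raw response and collect the alerts."""
    status, headers, body = parse_response(raw)
    results = [check_frame_options(headers),
               check_xss_protection(headers),
               check_content_type_options(status, headers, body)]
    return [a for a in results if a is not None]


# Constructed sample responses (not captured from any real application).
UNPROTECTED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hi</html>"
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "X-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\n"
            "X-Content-Type-Options: nosniff\r\n\r\n<html>hi</html>")

if __name__ == "__main__":
    for a in passive_scan(UNPROTECTED):
        print(f"[{a.risk}] {a.name} (param {a.param})")
```

Running it on UNPROTECTED reproduces exactly the three alerts from the question; HARDENED produces none. A response that uses Content-Security-Policy: frame-ancestors instead of X-Frame-Options is also clean, which is the modern way to address the first alert.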
There's a wiki page that covers "ZAPping the top 10"
There are a number of help pages available with descriptions of the various scan rules or plugins: Active Scan:
Passive Scan:
You can create a Standalone script to run within ZAP to get the details of Active Scanners: https://github.com/zaproxy/community-scripts/blob/master/standalone/Active%20scan%20rule%20list.js. Using a weekly release (newer than early March 2018) or the next stable release (2.8.0 or whatever) you'll be able to do something similar for passive scan rules leveraging ExtensionPassiveScan.getPluginPassiveScanners().
Creating Active Scan Policy(ies) can be done via the Scan Policy Manager dialog. Active Scan policies can be saved, exported, and imported.
Enabling/disabling Passive Scan rules can be done via the Options Passive Scan Rules screen. (A Passive Scan "policy" can be established programmatically as discussed here -> https://stackoverflow.com/a/51288461/7718222)
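The same two things (listing the passive rules before a scan, and establishing a passive "policy" programmatically) can be done over the ZAP API rather than from an in-ZAP standalone script. The following is an added example using the python-owasp-zap-v2.4 client (`pip install python-owasp-zap-v2.4`); it is not the answer's linked script and not ZAP's code. The sample rule list mimics the shape of what zap.pscan.scanners returns; its ids and names are constructed for illustration and should be checked against your own ZAP instance, and the API key and proxy address are placeholders.

```python
"""Added example: list ZAP passive scan rules and apply a rule selection via
the ZAP API. Sample data and the API key / proxy address are placeholders."""
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the shape of zap.pscan.scanners (string-valued fields).
SAMPLE_SCANNERS = [
    {"id": "10016", "name": "Web Browser XSS Protection Not Enabled",
     "enabled": "true", "alertThreshold": "MEDIUM", "quality": "release"},
    {"id": "10020", "name": "X-Frame-Options Header Scanner",
     "enabled": "true", "alertThreshold": "MEDIUM", "quality": "release"},
    {"id": "10021", "name": "X-Content-Type-Options Header Missing",
     "enabled": "true", "alertThreshold": "MEDIUM", "quality": "release"},
    {"id": "10015", "name": "Incomplete or No Cache-control and Pragma HTTP Header Set",
     "enabled": "true", "alertThreshold": "LOW", "quality": "release"},
]


def describe_rules(scanners: Iterable[Dict[str, str]]) -> List[str]:
    """One line per rule, so you can see what will run before the scan starts."""
    return [f"{s['id']:>6}  {s['enabled']:<5}  {s['alertThreshold']:<7}  {s['name']}"
            for s in scanners]


def plan_policy(scanners: Iterable[Dict[str, str]], disable_names: Iterable[str],
                thresholds: Dict[str, str]) -> Dict[str, object]:
    """Turn a human-readable selection into the id lists the API wants.
    Unknown rule names raise instead of being skipped, so a typo cannot
    silently leave a rule enabled or at the wrong threshold."""
    scanners = list(scanners)
    by_name = {s["name"]: s["id"] for s in scanners}
    unknown = [n for n in list(disable_names) + list(thresholds) if n not in by_name]
    if unknown:
        raise ValueError(f"unknown passive scan rule(s): {unknown}")
    disable = [by_name[n] for n in disable_names]
    return {
        "disable": disable,
        "enable": [s["id"] for s in scanners if s["id"] not in disable],
        "thresholds": {by_name[n]: level for n, level in thresholds.items()},
    }


def apply_policy(pscan, plan: Dict[str, object]) -> List[Tuple[str, ...]]:
    """Push the plan through a zapv2 pscan object (zap.pscan). Returns the API
    calls made, in order, so the change can be logged or checked."""
    calls: List[Tuple[str, ...]] = []
    if plan["enable"]:
        ids = ",".join(plan["enable"])            # API takes comma-separated ids
        pscan.enable_scanners(ids)
        calls.append(("enable_scanners", ids))
    if plan["disable"]:
        ids = ",".join(plan["disable"])
        pscan.disable_scanners(ids)
        calls.append(("disable_scanners", ids))
    for rule_id, level in plan["thresholds"].items():
        pscan.set_scanner_alert_threshold(rule_id, level)  # OFF/LOW/MEDIUM/HIGH
        calls.append(("set_scanner_alert_threshold", rule_id, level))
    return calls


class RecordingPscan:
    """Stand-in accepting the same calls as zap.pscan, for running without ZAP."""
    def enable_scanners(self, ids: str) -> None: pass
    def disable_scanners(self, ids: str) -> None: pass
    def set_scanner_alert_threshold(self, rule_id: str, level: str) -> None: pass


DISABLE = ["Web Browser XSS Protection Not Enabled"]     # obsolete header
THRESHOLDS = {"X-Frame-Options Header Scanner": "HIGH"}  # alert only when sure

if __name__ == "__main__":
    try:
        from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4
        zap = ZAPv2(apikey="changeme",  # placeholder key and proxy address
                    proxies={"http": "http://127.0.0.1:8080",
                             "https": "http://127.0.0.1:8080"})
        scanners, pscan = zap.pscan.scanners, zap.pscan
    except Exception:  # client not installed or ZAP not running: use the sample
        scanners, pscan = SAMPLE_SCANNERS, RecordingPscan()
    print("\n".join(describe_rules(scanners)))
    for call in apply_policy(pscan, plan_policy(scanners, DISABLE, THRESHOLDS)):
        print(call)
```

The active scan side works the same way through zap.ascan: zap.ascan.scanners() lists the rules (optionally for a named policy), zap.ascan.add_scan_policy() creates a policy, and zap.ascan.disable_scanners() takes the same comma-separated ids with an optional policy name. Run it against a live instance once, then keep the printed rule list alongside the scan results so reviewers can see exactly which checks produced the alerts.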