zydronium/manage.get.gov
1
0
Fork 0
mirror of https://github.com/cisagov/manage.get.gov.git synced 2025-08-06 01:35:22 +02:00
Code Issues Projects Releases Packages Wiki Activity
manage.get.gov/src/zap.conf
zandercymatics 372217f3ad
Update zap.conf
2024-12-10 09:08:25 -07:00

187 lines
10 KiB
Text
Raw Blame History

# zap-full-scan rule configuration file
# Only the rule identifiers are used - the names are just for info
# You can add your own messages to each rule by appending them after a tab on each line.
0 FAIL (Directory Browsing - Active/release)
10003 FAIL (Vulnerable JS Library - Passive/release)
10010 FAIL (Cookie No HttpOnly Flag - Passive/release)
10011 FAIL (Cookie Without Secure Flag - Passive/release)
10015 FAIL (Incomplete or No Cache-control Header Set - Passive/release)
10016 FAIL (Web Browser XSS Protection Not Enabled)
10017 FAIL (Cross-Domain JavaScript Source File Inclusion - Passive/release)
10019 FAIL (Content-Type Header Missing - Passive/release)
10020 FAIL (X-Frame-Options Header - Passive/release)
10021 FAIL (X-Content-Type-Options Header Missing - Passive/release)
# With DEBUG=True Django's internal server serves static files without this
# header, but it is not an issue in production
10021 OUTOFSCOPE http://app:8080/public/.*$
10023 FAIL (Information Disclosure - Debug Error Messages - Passive/release)
# OIDC isn't configured in the test environment and DEBUG=True so the error messages
# trigger this rule in a way that they don't in production
10023 OUTOFSCOPE http://app:8080/openid/login/
10024 FAIL (Information Disclosure - Sensitive Information in URL - Passive/release)
10025 FAIL (Information Disclosure - Sensitive Information in HTTP Referrer Header - Passive/release)
10026 FAIL (HTTP Parameter Override - Passive/beta)
10027 FAIL (Information Disclosure - Suspicious Comments - Passive/release)
# Debug toolbar contains the word "from" which is a false positive and also
# it isn't installed in production (see word list at https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/zapHomeFiles/xml/suspicious-comments.txt)
10027 OUTOFSCOPE http://app:8080/public/debug_toolbar/js/toolbar.js
# USWDS.min.js contains suspicious words "query", "select", "from" in ordinary usage
10027 OUTOFSCOPE http://app:8080/public/js/uswds.min.js
# UNCLEAR WHY THIS ONE IS FAILING. Giving 404 error.
10027 OUTOFSCOPE http://app:8080/public/js/uswds-init.min.js
# getgov.min.js contains suspicious word "from" as in `Array.from()`
10027 OUTOFSCOPE http://app:8080/public/js/getgov.min.js
# Ignores suspicious word "TODO"
10027 OUTOFSCOPE http://app:8080.*$
10028 FAIL (Open Redirect - Passive/beta)
10029 FAIL (Cookie Poisoning - Passive/beta)
10030 FAIL (User Controllable Charset - Passive/beta)
10031 FAIL (User Controllable HTML Element Attribute (Potential XSS) - Passive/beta)
10032 FAIL (Viewstate - Passive/release)
10033 FAIL (Directory Browsing - Passive/beta)
10034 FAIL (Heartbleed OpenSSL Vulnerability (Indicative) - Passive/beta)
10035 FAIL (Strict-Transport-Security Header - Passive/beta)
10036 FAIL (HTTP Server Response Header - Passive/beta)
# With DEBUG=True Django's internal server sends the Server header, but
# it is not an issue in production
10036 OUTOFSCOPE http://app:8080.*$
10037 FAIL (Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) - Passive/release)
10038 FAIL (Content Security Policy (CSP) Header Not Set - Passive/beta)
# With DEBUG=True, Django sends a 404 page without the CSP headers. This isn't true on production
# For URLs that Zap gets that aren't present in the test environment, skip this false positive
10038 OUTOFSCOPE http://app:8080/public/img/.*
10038 OUTOFSCOPE http://app:8080/public/css/.*
10038 OUTOFSCOPE http://app:8080/public/js/.*
10038 OUTOFSCOPE http://app:8080/(robots.txt|sitemap.xml|TODO|edit/)
10038 OUTOFSCOPE http://app:8080/users
10038 OUTOFSCOPE http://app:8080/users/add
10038 OUTOFSCOPE http://app:8080/nameservers
10038 OUTOFSCOPE http://app:8080/your-contact-information
10038 OUTOFSCOPE http://app:8080/senior-official
10038 OUTOFSCOPE http://app:8080/security-email
10038 OUTOFSCOPE http://app:8080/delete
10038 OUTOFSCOPE http://app:8080/withdraw
10038 OUTOFSCOPE http://app:8080/withdrawconfirmed
10038 OUTOFSCOPE http://app:8080/dns
10038 OUTOFSCOPE http://app:8080/dnssec
10038 OUTOFSCOPE http://app:8080/dns/nameservers
10038 OUTOFSCOPE http://app:8080/dns/dnssec
10038 OUTOFSCOPE http://app:8080/dns/dnssec/dsdata
10038 OUTOFSCOPE http://app:8080/org-name-address
10038 OUTOFSCOPE http://app:8080/domain_requests/
10038 OUTOFSCOPE http://app:8080/domains/
10038 OUTOFSCOPE http://app:8080/organization/
10038 OUTOFSCOPE http://app:8080/permissions
10038 OUTOFSCOPE http://app:8080/suborganization/
10038 OUTOFSCOPE http://app:8080/transfer/
10038 OUTOFSCOPE http://app:8080/prototype-dns
# This URL always returns 404, so include it as well.
10038 OUTOFSCOPE http://app:8080/todo
# OIDC isn't configured in the test environment and DEBUG=True so this gives a 500 without CSP headers
10038 OUTOFSCOPE http://app:8080/openid/login/
10038 OUTOFSCOPE http://app:8080/openid/logout/
10039 FAIL (X-Backend-Server Header Information Leak - Passive/beta)
10040 FAIL (Secure Pages Include Mixed Content - Passive/release)
10041 FAIL (HTTP to HTTPS Insecure Transition in Form Post - Passive/beta)
10042 FAIL (HTTPS to HTTP Insecure Transition in Form Post - Passive/beta)
10043 FAIL (User Controllable JavaScript Event (XSS) - Passive/beta)
10044 FAIL (Big Redirect Detected (Potential Sensitive Information Leak) - Passive/beta)
10045 FAIL (Source Code Disclosure - /WEB-INF folder - Active/release)
10047 FAIL (HTTPS Content Available via HTTP - Active/beta)
10048 FAIL (Remote Code Execution - Shell Shock - Active/beta)
10050 FAIL (Retrieved from Cache - Passive/beta)
10051 FAIL (Relative Path Confusion - Active/beta)
10052 FAIL (X-ChromeLogger-Data (XCOLD) Header Information Leak - Passive/beta)
10053 FAIL (Apache Range Header DoS (CVE-2011-3192) - Active/beta)
10054 FAIL (Cookie without SameSite Attribute - Passive/release)
10055 FAIL (CSP - Passive/release)
10056 FAIL (X-Debug-Token Information Leak - Passive/release)
10057 FAIL (Username Hash Found - Passive/release)
10058 FAIL (GET for POST - Active/beta)
10061 FAIL (X-AspNet-Version Response Header - Passive/release)
10062 FAIL (PII Disclosure - Passive/beta)
10095 FAIL (Backup File Disclosure - Active/beta)
10096 FAIL (Timestamp Disclosure - Passive/release)
# Our sortable table of domains uses timestamps as sort keys so this appears as
# a false-positive to the OWASP scanner
10096 OUTOFSCOPE http://app:8080
10096 OUTOFSCOPE http://app:8080/
10097 FAIL (Hash Disclosure - Passive/beta)
10098 FAIL (Cross-Domain Misconfiguration - Passive/release)
10104 FAIL (User Agent Fuzzer - Active/beta)
10105 FAIL (Weak Authentication Method - Passive/release)
10106 FAIL (HTTP Only Site - Active/beta)
10107 FAIL (Httpoxy - Proxy Header Misuse - Active/beta)
10108 FAIL (Reverse Tabnabbing - Passive/beta)
10109 FAIL (Modern Web Application - Passive/beta)
# With DEBUG=True Django's debug toolbar uses <a href="#"> links which triggers this rule
# The debug toolbar doesn't run in production
10109 OUTOFSCOPE http://app:8080.*
10202 FAIL (Absence of Anti-CSRF Tokens - Passive/release)
2 FAIL (Private IP Disclosure - Passive/release)
20012 FAIL (Anti-CSRF Tokens Check - Active/beta)
20014 FAIL (HTTP Parameter Pollution - Active/beta)
20015 FAIL (Heartbleed OpenSSL Vulnerability - Active/beta)
20016 FAIL (Cross-Domain Misconfiguration - Active/beta)
20017 FAIL (Source Code Disclosure - CVE-2012-1823 - Active/beta)
20018 FAIL (Remote Code Execution - CVE-2012-1823 - Active/beta)
20019 FAIL (External Redirect - Active/release)
3 FAIL (Session ID in URL Rewrite - Passive/release)
30001 FAIL (Buffer Overflow - Active/release)
30002 FAIL (Format String Error - Active/release)
30003 FAIL (Integer Overflow Error - Active/beta)
40003 FAIL (CRLF Injection - Active/release)
40008 FAIL (Parameter Tampering - Active/release)
40009 FAIL (Server Side Include - Active/release)
40012 FAIL (Cross Site Scripting (Reflected) - Active/release)
40013 FAIL (Session Fixation - Active/beta)
40014 FAIL (Cross Site Scripting (Persistent) - Active/release)
40016 FAIL (Cross Site Scripting (Persistent) - Prime - Active/release)
40017 FAIL (Cross Site Scripting (Persistent) - Spider - Active/release)
40018 FAIL (SQL Injection - Active/release)
40019 FAIL (SQL Injection - MySQL - Active/beta)
40020 FAIL (SQL Injection - Hypersonic SQL - Active/beta)
40021 FAIL (SQL Injection - Oracle - Active/beta)
40022 FAIL (SQL Injection - PostgreSQL - Active/beta)
40023 FAIL (Possible Username Enumeration - Active/beta)
40024 FAIL (SQL Injection - SQLite - Active/beta)
40025 FAIL (Proxy Disclosure - Active/beta)
40026 FAIL (Cross Site Scripting (DOM Based) - Active/beta)
40027 FAIL (SQL Injection - MsSQL - Active/beta)
40028 FAIL (ELMAH Information Leak - Active/release)
40029 FAIL (Trace.axd Information Leak - Active/beta)
40032 FAIL (.htaccess Information Leak - Active/release)
40034 FAIL (.env Information Leak - Active/beta)
40035 FAIL (Hidden File Finder - Active/beta)
41 FAIL (Source Code Disclosure - Git - Active/beta)
42 FAIL (Source Code Disclosure - SVN - Active/beta)
43 FAIL (Source Code Disclosure - File Inclusion - Active/beta)
50000 FAIL (Script Active Scan Rules - Active/release)
50001 FAIL (Script Passive Scan Rules - Passive/release)
6 FAIL (Path Traversal - Active/release)
7 FAIL (Remote File Inclusion - Active/release)
90001 FAIL (Insecure JSF ViewState - Passive/release)
90011 FAIL (Charset Mismatch - Passive/release)
90017 FAIL (XSLT Injection - Active/beta)
90019 FAIL (Server Side Code Injection - Active/release)
90020 FAIL (Remote OS Command Injection - Active/release)
90021 FAIL (XPath Injection - Active/beta)
90022 FAIL (Application Error Disclosure - Passive/release)
# OIDC isn't configured in the test environment and DEBUG=True so these error pages
# trigger this rule in a way that they won't in production
90022 OUTOFSCOPE http://app:8080/openid/login/
90022 OUTOFSCOPE http://app:8080/openid/logout/
90023 FAIL (XML External Entity Attack - Active/beta)
90024 FAIL (Generic Padding Oracle - Active/beta)
90025 FAIL (Expression Language Injection - Active/beta)
90026 FAIL (SOAP Action Spoofing - Active/alpha)
90027 FAIL (Cookie Slack Detector - Active/beta)
90028 FAIL (Insecure HTTP Method - Active/beta)
90029 FAIL (SOAP XML Injection - Active/alpha)
90030 FAIL (WSDL File Detection - Passive/alpha)
90033 FAIL (Loosely Scoped Cookie - Passive/release)
# With DEBUG=True Django's internal server returns a Set-Cookie header that appears
# to trigger this rule even though it has no domain scope. And the cookie header
# isn't sent this way on production
90033 OUTOFSCOPE http://app:8080.*$
90034 FAIL (Cloud Metadata Potentially Exposed - Active/beta)
Reference in a new issue View git blame Copy permalink