github.com/kubeshop/testkube@v1.17.23/contrib/executor/zap/examples/zap-tk-api.conf

# zap-api-scan rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
# Active scan rules set to IGNORE will not be run which will speed up the scan
# Only the rule identifiers are used - the names are just for info
# You can add your own messages to each rule by appending them after a tab on each line.
0	WARN	(Directory Browsing - Active/release)
10010	WARN	(Cookie No HttpOnly Flag - Passive/release)
10011	WARN	(Cookie Without Secure Flag - Passive/release)
10012	WARN	(Password Autocomplete in Browser - Passive/release)
10015	WARN	(Incomplete or No Cache-control and Pragma HTTP Header Set - Passive/release)
10016	WARN	(Web Browser XSS Protection Not Enabled - Passive/release)
10017	WARN	(Cross-Domain JavaScript Source File Inclusion - Passive/release)
10019	WARN	(Content-Type Header Missing - Passive/release)
10020	WARN	(X-Frame-Options Header Scanner - Passive/release)
10021	WARN	(X-Content-Type-Options Header Missing - Passive/release)
10023	WARN	(Information Disclosure - Debug Error Messages - Passive/beta)
10024	WARN	(Information Disclosure - Sensitive Informations in URL - Passive/beta)
10025	WARN	(Information Disclosure - Sensitive Information in HTTP Referrer Header - Passive/beta)
10026	WARN	(HTTP Parameter Override - Passive/beta)
10027	WARN	(Information Disclosure - Suspicious Comments - Passive/beta)
10032	WARN	(Viewstate Scanner - Passive/beta)
10040	WARN	(Secure Pages Include Mixed Content - Passive/release)
10045	WARN	(Source Code Disclosure - /WEB-INF folder - Active/beta)
10048	WARN	(Remote Code Execution - Shell Shock - Active/beta)
10095	WARN	(Backup File Disclosure - Active/beta)
10105	WARN	(Weak Authentication Method - Passive/beta)
10202	WARN	(Absence of Anti-CSRF Tokens - Passive/beta)
2	WARN	(Private IP Disclosure - Passive/release)
20012	WARN	(Anti CSRF Tokens Scanner - Active/beta)
20014	WARN	(HTTP Parameter Pollution scanner - Active/beta)
20015	WARN	(Heartbleed OpenSSL Vulnerability - Active/beta)
20016	WARN	(Cross-Domain Misconfiguration - Active/beta)
20017	WARN	(Source Code Disclosure - CVE-2012-1823 - Active/beta)
20018	WARN	(Remote Code Execution - CVE-2012-1823 - Active/beta)
20019	WARN	(External Redirect - Active/release)
3	WARN	(Session ID in URL Rewrite - Passive/release)
30001	WARN	(Buffer Overflow - Active/release)
30002	WARN	(Format String Error - Active/release)
30003	WARN	(Integer Overflow Error - Active/beta)
40003	WARN	(CRLF Injection - Active/release)
40008	WARN	(Parameter Tampering - Active/release)
40009	WARN	(Server Side Include - Active/release)
40012	WARN	(Cross Site Scripting (Reflected) - Active/release)
40013	WARN	(Session Fixation - Active/beta)
40014	WARN	(Cross Site Scripting (Persistent) - Active/release)
40016	WARN	(Cross Site Scripting (Persistent) - Prime - Active/release)
40017	WARN	(Cross Site Scripting (Persistent) - Spider - Active/release)
40018	WARN	(SQL Injection - Active/release)
40019	WARN	(SQL Injection - MySQL - Active/beta)
40020	WARN	(SQL Injection - Hypersonic SQL - Active/beta)
40021	WARN	(SQL Injection - Oracle - Active/beta)
40022	WARN	(SQL Injection - PostgreSQL - Active/beta)
40023	WARN	(Possible Username Enumeration - Active/beta)
42	WARN	(Source Code Disclosure - SVN - Active/beta)
50000	WARN	(Script Active Scan Rules - Active/release)
50001	WARN	(Script Passive Scan Rules - Passive/release)
6	WARN	(Path Traversal - Active/release)
7	WARN	(Remote File Inclusion - Active/release)
90001	WARN	(Insecure JSF ViewState - Passive/beta)
90011	WARN	(Charset Mismatch - Passive/beta)
90019	WARN	(Server Side Code Injection - Active/release)
90020	WARN	(Remote OS Command Injection - Active/release)
90021	WARN	(XPath Injection - Active/beta)
90022	WARN	(Application Error Disclosure - Passive/release)
90023	WARN	(XML External Entity Attack - Active/beta)
90024	WARN	(Generic Padding Oracle - Active/beta)
90025	WARN	(Expression Language Injection - Active/beta)
90026	WARN	(SOAP Action Spoofing - Active/alpha)
90028	WARN	(Insecure HTTP Method - Active/beta)
90029	WARN	(SOAP XML Injection - Active/alpha)
90030	WARN	(WSDL File Passive Scanner - Passive/alpha)
90033	WARN	(Loosely Scoped Cookie - Passive/beta)
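The header comments above describe the whole contract of this file: one rule per line, the numeric rule id followed by WARN, IGNORE or FAIL, an informational name in parentheses, and an optional user message after a further tab; a FAIL rule that matches fails the scan, and an active rule set to IGNORE is not run at all. The following Python is an added example (it is neither testkube's executor code nor ZAP's own zap-api-scan.py) of a parser and evaluator for that format, so that a config tuned from this file can be validated before it is handed to the scanner. The sample config and the sample alerts are constructed here; the assumption that a rule id absent from the file behaves as WARN, and the tab-separated layout of the fields, are this example's, taken from the comments above rather than from any other source.

```python
"""Parse, validate and apply a zap-api-scan style rule config.

Added example, not code from testkube or from ZAP. Format as described by the
file's own header comments: `<id>\t<ACTION>\t(<name>)[\t<message>]`, `#`
comments, actions WARN / IGNORE / FAIL. Everything below is constructed for
the example.
"""
from collections import Counter
from dataclasses import dataclass, field

ACTIONS = {"WARN", "IGNORE", "FAIL"}

# Constructed config in the same layout as zap-tk-api.conf: a few of that
# file's rule ids, with SQL Injection escalated to FAIL (plus a user message)
# and the active Buffer Overflow rule switched off so it is not run.
SAMPLE_CONF = "\n".join([
    "# zap-api-scan rule configuration file",
    "# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches",
    "10010\tWARN\t(Cookie No HttpOnly Flag - Passive/release)",
    "30001\tIGNORE\t(Buffer Overflow - Active/release)",
    "40018\tFAIL\t(SQL Injection - Active/release)\tBlocks release until fixed",
    "90020\tFAIL\t(Remote OS Command Injection - Active/release)",
    "",
])

# Constructed alerts as (rule id, URL), the shape a scanner report boils down to.
SAMPLE_ALERTS = [
    ("10010", "https://api.example.test/login"),
    ("30001", "https://api.example.test/items?id=1"),
    ("40018", "https://api.example.test/items?id=1"),
    ("40018", "https://api.example.test/search?q=x"),
    ("10021", "https://api.example.test/"),  # id not present in the config
]


@dataclass
class RuleConfig:
    actions: dict = field(default_factory=dict)   # rule id -> WARN/IGNORE/FAIL
    messages: dict = field(default_factory=dict)  # rule id -> user message or ''
    errors: list = field(default_factory=list)    # (line number, problem)


def parse_conf(text: str) -> RuleConfig:
    """Read the config. Malformed lines are reported rather than skipped:
    a mistyped id or action would otherwise silently leave a rule at its
    default instead of the FAIL the author intended."""
    cfg = RuleConfig()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.startswith("#"):
            continue
        parts = raw.split("\t")
        if len(parts) < 2:
            cfg.errors.append((lineno, "expected <id><TAB><ACTION>"))
            continue
        rule_id, action = parts[0].strip(), parts[1].strip()
        if not rule_id.isdigit():
            cfg.errors.append((lineno, f"rule id {rule_id!r} is not numeric"))
        elif action not in ACTIONS:
            cfg.errors.append((lineno, f"unknown action {action!r}"))
        elif rule_id in cfg.actions:
            cfg.errors.append((lineno, f"duplicate rule id {rule_id}"))
        else:
            cfg.actions[rule_id] = action
            # parts[2] is the informational name; the user message, if any,
            # is whatever follows the next tab.
            cfg.messages[rule_id] = parts[3].strip() if len(parts) > 3 else ""
    return cfg


def evaluate(cfg: RuleConfig, alerts, default="WARN"):
    """Apply the config to scanner alerts. Returns (counts per action,
    scan_failed, report lines). A hit on a FAIL rule fails the scan; IGNORE
    hits are counted but not reported; ids missing from the config fall back
    to `default` (this example's assumption)."""
    counts = Counter()
    report = []
    for rule_id, url in alerts:
        action = cfg.actions.get(rule_id, default)
        counts[action] += 1
        if action == "IGNORE":
            continue
        msg = cfg.messages.get(rule_id, "")
        report.append(f"{action}: rule {rule_id} at {url}" + (f" ({msg})" if msg else ""))
    return counts, counts["FAIL"] > 0, report


def set_action(text: str, rule_id: str, action: str) -> str:
    """Rewrite one rule's action in place, e.g. flip an active rule to IGNORE
    to shorten a scan or escalate a rule to FAIL, leaving comments, names and
    user messages untouched."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    out = []
    for line in text.splitlines():
        parts = line.split("\t")
        if not line.startswith("#") and len(parts) >= 2 and parts[0].strip() == rule_id:
            parts[1] = action
            line = "\t".join(parts)
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    cfg = parse_conf(SAMPLE_CONF)
    counts, failed, report = evaluate(cfg, SAMPLE_ALERTS)
    print("\n".join(report))
    print(dict(counts), "scan failed:" , failed)
```

Run it against the real file by replacing `SAMPLE_CONF` with the contents of zap-tk-api.conf; any entry in `errors` is a line the scanner would not interpret the way the author meant, and `set_action` is the mechanical way to produce the tuned copy (for instance, IGNORE for every rule named "Active/..." when only a fast passive pass is wanted) without hand-editing dozens of lines.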