-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #339 from bcgov/zap
Zap configuration to modify rules
- Loading branch information
Showing
1 changed file
with
58 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| # zap-baseline rule configuration file | ||
| # Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches | ||
| # Only the rule identifiers are used - the names are just for info | ||
| # You can add your own messages to each rule by appending them after a tab on each line. | ||
| * OUTOFSCOPE .*\.svg | ||
| * OUTOFSCOPE .*\.png | ||
| 10010 WARN (Cookie No HttpOnly Flag) | ||
| 10011 WARN (Cookie Without Secure Flag) | ||
| 10015 WARN (Incomplete or No Cache-control and Pragma HTTP Header Set) | ||
| 10016 IGNORE (Web Browser XSS Protection Not Enabled) | ||
| 10017 WARN (Cross-Domain JavaScript Source File Inclusion) | ||
| 10019 WARN (Content-Type Header Missing) | ||
| 10020 WARN (X-Frame-Options Header Scanner) | ||
| 10021 IGNORE (X-Content-Type-Options Header Missing) | ||
| 10023 WARN (Information Disclosure - Debug Error Messages) | ||
| 10024 WARN (Information Disclosure - Sensitive Information in URL) | ||
| 10025 WARN (Information Disclosure - Sensitive Information in HTTP Referrer Header) | ||
| 10026 WARN (HTTP Parameter Override) | ||
| 10027 WARN (Information Disclosure - Suspicious Comments) | ||
| 10028 WARN (Open Redirect) | ||
| 10029 WARN (Cookie Poisoning) | ||
| 10030 WARN (User Controllable Charset) | ||
| 10031 WARN (User Controllable HTML Element Attribute (Potential XSS)) | ||
| 10032 WARN (Viewstate Scanner) | ||
| 10033 WARN (Directory Browsing) | ||
| 10034 WARN (Heartbleed OpenSSL Vulnerability (Indicative)) | ||
| 10035 WARN (Strict-Transport-Security Header Scanner) | ||
| 10036 WARN (HTTP Server Response Header Scanner) | ||
| 10037 WARN (Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)) | ||
| 10038 WARN (Content Security Policy (CSP) Header Not Set) | ||
| 10039 WARN (X-Backend-Server Header Information Leak) | ||
| 10040 WARN (Secure Pages Include Mixed Content) | ||
| 10041 WARN (HTTP to HTTPS Insecure Transition in Form Post) | ||
| 10042 WARN (HTTPS to HTTP Insecure Transition in Form Post) | ||
| 10043 WARN (User Controllable JavaScript Event (XSS)) | ||
| 10044 WARN (Big Redirect Detected (Potential Sensitive Information Leak)) | ||
| 10050 WARN (Retrieved from Cache) | ||
| 10052 WARN (X-ChromeLogger-Data (XCOLD) Header Information Leak) | ||
| 10054 WARN (Cookie Without SameSite Attribute) | ||
| 10055 WARN (CSP Scanner) | ||
| 10056 WARN (X-Debug-Token Information Leak) | ||
| 10057 WARN (Username Hash Found) | ||
| 10061 WARN (X-AspNet-Version Response Header Scanner) | ||
| 10062 WARN (PII Scanner) | ||
| 10096 WARN (Timestamp Disclosure) | ||
| 10097 WARN (Hash Disclosure) | ||
| 10098 WARN (Cross-Domain Misconfiguration) | ||
| 10105 WARN (Weak Authentication Method) | ||
| 10108 WARN (Reverse Tabnabbing) | ||
| 10202 WARN (Absence of Anti-CSRF Tokens) | ||
| 2 WARN (Private IP Disclosure) | ||
| 3 WARN (Session ID in URL Rewrite) | ||
| 50001 WARN (Script Passive Scan Rules) | ||
| 90001 WARN (Insecure JSF ViewState) | ||
| 90011 WARN (Charset Mismatch) | ||
| 90022 WARN (Application Error Disclosure) | ||
| 90033 WARN (Loosely Scoped Cookie) | ||
|
|