Last active
May 15, 2021 02:17
-
-
Save kmcquade/505dc6db8d13d05be92a03062fe4f700 to your computer and use it in GitHub Desktop.
ZAP Full scan config
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # zap-full-scan rule configuration file | |
| # Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches | |
| # Active scan rules set to IGNORE will not be run which will speed up the scan | |
| # Only the rule identifiers are used - the names are just for info | |
| # You can add your own messages to each rule by appending them after a tab on each line. | |
| 0 WARN (Directory Browsing - Active/release) | |
| 10003 WARN (Vulnerable JS Library - Passive/release) | |
| 10010 WARN (Cookie No HttpOnly Flag - Passive/release) | |
| 10011 WARN (Cookie Without Secure Flag - Passive/release) | |
| 10015 WARN (Incomplete or No Cache-control Header Set - Passive/release) | |
| 10017 WARN (Cross-Domain JavaScript Source File Inclusion - Passive/release) | |
| 10019 WARN (Content-Type Header Missing - Passive/release) | |
| 10020 WARN (X-Frame-Options Header - Passive/release) | |
| 10021 WARN (X-Content-Type-Options Header Missing - Passive/release) | |
| 10023 WARN (Information Disclosure - Debug Error Messages - Passive/release) | |
| 10024 WARN (Information Disclosure - Sensitive Information in URL - Passive/release) | |
| 10025 WARN (Information Disclosure - Sensitive Information in HTTP Referrer Header - Passive/release) | |
| 10026 WARN (HTTP Parameter Override - Passive/beta) | |
| 10027 WARN (Information Disclosure - Suspicious Comments - Passive/release) | |
| 10028 WARN (Open Redirect - Passive/beta) | |
| 10029 WARN (Cookie Poisoning - Passive/beta) | |
| 10030 WARN (User Controllable Charset - Passive/beta) | |
| 10031 WARN (User Controllable HTML Element Attribute (Potential XSS) - Passive/beta) | |
| 10032 WARN (Viewstate - Passive/release) | |
| 10033 WARN (Directory Browsing - Passive/beta) | |
| 10034 WARN (Heartbleed OpenSSL Vulnerability (Indicative) - Passive/beta) | |
| 10035 WARN (Strict-Transport-Security Header - Passive/beta) | |
| 10036 WARN (HTTP Server Response Header - Passive/beta) | |
| 10037 WARN (Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) - Passive/release) | |
| 10038 WARN (Content Security Policy (CSP) Header Not Set - Passive/beta) | |
| 10039 WARN (X-Backend-Server Header Information Leak - Passive/beta) | |
| 10040 WARN (Secure Pages Include Mixed Content - Passive/release) | |
| 10041 WARN (HTTP to HTTPS Insecure Transition in Form Post - Passive/beta) | |
| 10042 WARN (HTTPS to HTTP Insecure Transition in Form Post - Passive/beta) | |
| 10043 WARN (User Controllable JavaScript Event (XSS) - Passive/beta) | |
| 10044 WARN (Big Redirect Detected (Potential Sensitive Information Leak) - Passive/beta) | |
| 10045 WARN (Source Code Disclosure - /WEB-INF folder - Active/release) | |
| 10047 WARN (HTTPS Content Available via HTTP - Active/beta) | |
| 10048 WARN (Remote Code Execution - Shell Shock - Active/beta) | |
| 10050 WARN (Retrieved from Cache - Passive/beta) | |
| 10051 WARN (Relative Path Confusion - Active/beta) | |
| 10052 WARN (X-ChromeLogger-Data (XCOLD) Header Information Leak - Passive/beta) | |
| 10053 WARN (Apache Range Header DoS (CVE-2011-3192) - Active/beta) | |
| 10054 WARN (Cookie Without SameSite Attribute - Passive/release) | |
| 10055 WARN (CSP - Passive/release) | |
| 10056 WARN (X-Debug-Token Information Leak - Passive/release) | |
| 10057 WARN (Username Hash Found - Passive/release) | |
| 10058 WARN (GET for POST - Active/beta) | |
| 10061 WARN (X-AspNet-Version Response Header - Passive/release) | |
| 10062 WARN (PII Disclosure - Passive/beta) | |
| 10095 WARN (Backup File Disclosure - Active/beta) | |
| 10096 WARN (Timestamp Disclosure - Passive/release) | |
| 10097 WARN (Hash Disclosure - Passive/beta) | |
| 10098 WARN (Cross-Domain Misconfiguration - Passive/release) | |
| 10104 WARN (User Agent Fuzzer - Active/beta) | |
| 10105 WARN (Weak Authentication Method - Passive/release) | |
| 10106 WARN (HTTP Only Site - Active/beta) | |
| 10107 WARN (Httpoxy - Proxy Header Misuse - Active/beta) | |
| 10108 WARN (Reverse Tabnabbing - Passive/beta) | |
| 10109 WARN (Modern Web Application - Passive/beta) | |
| 10202 WARN (Absence of Anti-CSRF Tokens - Passive/release) | |
| 2 WARN (Private IP Disclosure - Passive/release) | |
| 20012 WARN (Anti-CSRF Tokens Check - Active/beta) | |
| 20014 WARN (HTTP Parameter Pollution - Active/beta) | |
| 20015 WARN (Heartbleed OpenSSL Vulnerability - Active/beta) | |
| 20016 WARN (Cross-Domain Misconfiguration - Active/beta) | |
| 20017 WARN (Source Code Disclosure - CVE-2012-1823 - Active/beta) | |
| 20018 WARN (Remote Code Execution - CVE-2012-1823 - Active/beta) | |
| 20019 WARN (External Redirect - Active/release) | |
| 3 WARN (Session ID in URL Rewrite - Passive/release) | |
| 30001 WARN (Buffer Overflow - Active/release) | |
| 30002 WARN (Format String Error - Active/release) | |
| 30003 WARN (Integer Overflow Error - Active/beta) | |
| 40003 WARN (CRLF Injection - Active/release) | |
| 40008 WARN (Parameter Tampering - Active/release) | |
| 40009 WARN (Server Side Include - Active/release) | |
| 40012 WARN (Cross Site Scripting (Reflected) - Active/release) | |
| 40013 WARN (Session Fixation - Active/beta) | |
| 40014 WARN (Cross Site Scripting (Persistent) - Active/release) | |
| 40016 WARN (Cross Site Scripting (Persistent) - Prime - Active/release) | |
| 40017 WARN (Cross Site Scripting (Persistent) - Spider - Active/release) | |
| 40018 WARN (SQL Injection - Active/release) | |
| 40019 WARN (SQL Injection - MySQL - Active/beta) | |
| 40020 WARN (SQL Injection - Hypersonic SQL - Active/beta) | |
| 40021 WARN (SQL Injection - Oracle - Active/beta) | |
| 40022 WARN (SQL Injection - PostgreSQL - Active/beta) | |
| 40023 WARN (Possible Username Enumeration - Active/beta) | |
| 40024 WARN (SQL Injection - SQLite - Active/beta) | |
| 40025 WARN (Proxy Disclosure - Active/beta) | |
| 40026 WARN (Cross Site Scripting (DOM Based) - Active/beta) | |
| 40027 WARN (SQL Injection - MsSQL - Active/beta) | |
| 40028 WARN (ELMAH Information Leak - Active/release) | |
| 40029 WARN (Trace.axd Information Leak - Active/beta) | |
| 40032 WARN (.htaccess Information Leak - Active/release) | |
| 40034 WARN (.env Information Leak - Active/beta) | |
| 40035 WARN (Hidden File Finder - Active/beta) | |
| 41 WARN (Source Code Disclosure - Git - Active/beta) | |
| 42 WARN (Source Code Disclosure - SVN - Active/beta) | |
| 43 WARN (Source Code Disclosure - File Inclusion - Active/beta) | |
| 50000 WARN (Script Active Scan Rules - Active/release) | |
| 50001 WARN (Script Passive Scan Rules - Passive/release) | |
| 6 WARN (Path Traversal - Active/release) | |
| 7 WARN (Remote File Inclusion - Active/release) | |
| 90001 WARN (Insecure JSF ViewState - Passive/release) | |
| 90011 WARN (Charset Mismatch - Passive/release) | |
| 90017 WARN (XSLT Injection - Active/beta) | |
| 90019 WARN (Server Side Code Injection - Active/release) | |
| 90020 WARN (Remote OS Command Injection - Active/release) | |
| 90021 WARN (XPath Injection - Active/beta) | |
| 90022 WARN (Application Error Disclosure - Passive/release) | |
| 90023 WARN (XML External Entity Attack - Active/beta) | |
| 90024 WARN (Generic Padding Oracle - Active/beta) | |
| 90025 WARN (Expression Language Injection - Active/beta) | |
| 90026 WARN (SOAP Action Spoofing - Active/alpha) | |
| 90027 WARN (Cookie Slack Detector - Active/beta) | |
| 90028 WARN (Insecure HTTP Method - Active/beta) | |
| 90029 WARN (SOAP XML Injection - Active/alpha) | |
| 90030 WARN (WSDL File Detection - Passive/alpha) | |
| 90033 WARN (Loosely Scoped Cookie - Passive/release) | |
| 90034 WARN (Cloud Metadata Potentially Exposed - Active/beta) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # zap-full-scan rule configuration file | |
| # Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches | |
| # Active scan rules set to IGNORE will not be run which will speed up the scan | |
| # Only the rule identifiers are used - the names are just for info | |
| # You can add your own messages to each rule by appending them after a tab on each line. | |
| 0 WARN (Directory Browsing - Active/release) | |
| 10003 IGNORE (Vulnerable JS Library - Passive/release) | |
| 10010 IGNORE (Cookie No HttpOnly Flag - Passive/release) | |
| 10011 IGNORE (Cookie Without Secure Flag - Passive/release) | |
| 10015 IGNORE (Incomplete or No Cache-control Header Set - Passive/release) | |
| 10017 IGNORE (Cross-Domain JavaScript Source File Inclusion - Passive/release) | |
| 10019 IGNORE (Content-Type Header Missing - Passive/release) | |
| 10020 IGNORE (X-Frame-Options Header - Passive/release) | |
| 10021 IGNORE (X-Content-Type-Options Header Missing - Passive/release) | |
| 10023 IGNORE (Information Disclosure - Debug Error Messages - Passive/release) | |
| 10024 IGNORE (Information Disclosure - Sensitive Information in URL - Passive/release) | |
| 10025 IGNORE (Information Disclosure - Sensitive Information in HTTP Referrer Header - Passive/release) | |
| 10026 IGNORE (HTTP Parameter Override - Passive/beta) | |
| 10027 IGNORE (Information Disclosure - Suspicious Comments - Passive/release) | |
| 10028 IGNORE (Open Redirect - Passive/beta) | |
| 10029 IGNORE (Cookie Poisoning - Passive/beta) | |
| 10030 IGNORE (User Controllable Charset - Passive/beta) | |
| 10031 IGNORE (User Controllable HTML Element Attribute (Potential XSS) - Passive/beta) | |
| 10032 IGNORE (Viewstate - Passive/release) | |
| 10033 IGNORE (Directory Browsing - Passive/beta) | |
| 10034 FAIL (Heartbleed OpenSSL Vulnerability (Indicative) - Passive/beta) | |
| 10035 IGNORE (Strict-Transport-Security Header - Passive/beta) | |
| 10036 IGNORE (HTTP Server Response Header - Passive/beta) | |
| 10037 IGNORE (Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) - Passive/release) | |
| 10038 IGNORE (Content Security Policy (CSP) Header Not Set - Passive/beta) | |
| 10039 IGNORE (X-Backend-Server Header Information Leak - Passive/beta) | |
| 10040 IGNORE (Secure Pages Include Mixed Content - Passive/release) | |
| 10041 IGNORE (HTTP to HTTPS Insecure Transition in Form Post - Passive/beta) | |
| 10042 IGNORE (HTTPS to HTTP Insecure Transition in Form Post - Passive/beta) | |
| 10043 IGNORE (User Controllable JavaScript Event (XSS) - Passive/beta) | |
| 10044 IGNORE (Big Redirect Detected (Potential Sensitive Information Leak) - Passive/beta) | |
| 10045 IGNORE (Source Code Disclosure - /WEB-INF folder - Active/release) | |
| 10047 IGNORE (HTTPS Content Available via HTTP - Active/beta) | |
| 10048 IGNORE (Remote Code Execution - Shell Shock - Active/beta) | |
| 10050 IGNORE (Retrieved from Cache - Passive/beta) | |
| 10051 IGNORE (Relative Path Confusion - Active/beta) | |
| 10052 IGNORE (X-ChromeLogger-Data (XCOLD) Header Information Leak - Passive/beta) | |
| 10053 IGNORE (Apache Range Header DoS (CVE-2011-3192) - Active/beta) | |
| 10054 IGNORE (Cookie Without SameSite Attribute - Passive/release) | |
| 10055 IGNORE (CSP - Passive/release) | |
| 10056 IGNORE (X-Debug-Token Information Leak - Passive/release) | |
| 10057 IGNORE (Username Hash Found - Passive/release) | |
| 10058 IGNORE (GET for POST - Active/beta) | |
| 10061 IGNORE (X-AspNet-Version Response Header - Passive/release) | |
| 10062 IGNORE (PII Disclosure - Passive/beta) | |
| 10095 IGNORE (Backup File Disclosure - Active/beta) | |
| 10096 IGNORE (Timestamp Disclosure - Passive/release) | |
| 10097 IGNORE (Hash Disclosure - Passive/beta) | |
| 10098 IGNORE (Cross-Domain Misconfiguration - Passive/release) | |
| 10104 IGNORE (User Agent Fuzzer - Active/beta) | |
| 10105 IGNORE (Weak Authentication Method - Passive/release) | |
| 10106 IGNORE (HTTP Only Site - Active/beta) | |
| 10107 IGNORE (Httpoxy - Proxy Header Misuse - Active/beta) | |
| 10108 IGNORE (Reverse Tabnabbing - Passive/beta) | |
| 10109 IGNORE (Modern Web Application - Passive/beta) | |
| 10202 IGNORE (Absence of Anti-CSRF Tokens - Passive/release) | |
| 2 IGNORE (Private IP Disclosure - Passive/release) | |
| 20012 IGNORE (Anti-CSRF Tokens Check - Active/beta) | |
| 20014 IGNORE (HTTP Parameter Pollution - Active/beta) | |
| 20015 FAIL (Heartbleed OpenSSL Vulnerability - Active/beta) | |
| 20016 IGNORE (Cross-Domain Misconfiguration - Active/beta) | |
| 20017 IGNORE (Source Code Disclosure - CVE-2012-1823 - Active/beta) | |
| 20018 FAIL (Remote Code Execution - CVE-2012-1823 - Active/beta) | |
| 20019 IGNORE (External Redirect - Active/release) | |
| 3 IGNORE (Session ID in URL Rewrite - Passive/release) | |
| 30001 FAIL (Buffer Overflow - Active/release) | |
| 30002 FAIL (Format String Error - Active/release) | |
| 30003 FAIL (Integer Overflow Error - Active/beta) | |
| 40003 IGNORE (CRLF Injection - Active/release) | |
| 40008 FAIL (Parameter Tampering - Active/release) | |
| 40009 IGNORE (Server Side Include - Active/release) | |
| 40012 FAIL (Cross Site Scripting (Reflected) - Active/release) | |
| 40013 IGNORE (Session Fixation - Active/beta) | |
| 40014 FAIL (Cross Site Scripting (Persistent) - Active/release) | |
| 40016 FAIL (Cross Site Scripting (Persistent) - Prime - Active/release) | |
| 40017 FAIL (Cross Site Scripting (Persistent) - Spider - Active/release) | |
| 40018 FAIL (SQL Injection - Active/release) | |
| 40019 FAIL (SQL Injection - MySQL - Active/beta) | |
| 40020 FAIL (SQL Injection - Hypersonic SQL - Active/beta) | |
| 40021 FAIL (SQL Injection - Oracle - Active/beta) | |
| 40022 FAIL (SQL Injection - PostgreSQL - Active/beta) | |
| 40023 IGNORE (Possible Username Enumeration - Active/beta) | |
| 40024 FAIL (SQL Injection - SQLite - Active/beta) | |
| 40025 FAIL (Proxy Disclosure - Active/beta) | |
| 40026 FAIL (Cross Site Scripting (DOM Based) - Active/beta) | |
| 40027 FAIL (SQL Injection - MsSQL - Active/beta) | |
| 40028 IGNORE (ELMAH Information Leak - Active/release) | |
| 40029 IGNORE (Trace.axd Information Leak - Active/beta) | |
| 40032 IGNORE (.htaccess Information Leak - Active/release) | |
| 40034 IGNORE (.env Information Leak - Active/beta) | |
| 40035 IGNORE (Hidden File Finder - Active/beta) | |
| 41 IGNORE (Source Code Disclosure - Git - Active/beta) | |
| 42 IGNORE (Source Code Disclosure - SVN - Active/beta) | |
| 43 IGNORE (Source Code Disclosure - File Inclusion - Active/beta) | |
| 50000 WARN (Script Active Scan Rules - Active/release) | |
| 50001 WARN (Script Passive Scan Rules - Passive/release) | |
| 6 IGNORE (Path Traversal - Active/release) | |
| 7 IGNORE (Remote File Inclusion - Active/release) | |
| 90001 IGNORE (Insecure JSF ViewState - Passive/release) | |
| 90011 IGNORE (Charset Mismatch - Passive/release) | |
| 90017 FAIL (XSLT Injection - Active/beta) | |
| 90019 FAIL (Server Side Code Injection - Active/release) | |
| 90020 FAIL (Remote OS Command Injection - Active/release) | |
| 90021 FAIL (XPath Injection - Active/beta) | |
| 90022 IGNORE (Application Error Disclosure - Passive/release) | |
| 90023 FAIL (XML External Entity Attack - Active/beta) | |
| 90024 FAIL (Generic Padding Oracle - Active/beta) | |
| 90025 FAIL (Expression Language Injection - Active/beta) | |
| 90026 FAIL (SOAP Action Spoofing - Active/alpha) | |
| 90027 FAIL (Cookie Slack Detector - Active/beta) | |
| 90028 WARN (Insecure HTTP Method - Active/beta) | |
| 90029 FAIL (SOAP XML Injection - Active/alpha) | |
| 90030 FAIL (WSDL File Detection - Passive/alpha) | |
| 90033 IGNORE (Loosely Scoped Cookie - Passive/release) | |
| 90034 FAIL (Cloud Metadata Potentially Exposed - Active/beta) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment