diff --git a/docker-compose.owaspzap.yml b/docker-compose.owaspzap.yml index 220d7802c6b..cffdac55dba 100644 --- a/docker-compose.owaspzap.yml +++ b/docker-compose.owaspzap.yml @@ -7,6 +7,7 @@ services: command: bash -c "zap.sh -cmd -addonupdate -addoninstall help_ja_JP -addoninstall wappalyzer -addoninstall sequence -addonuninstall hud -configfile /zap/wrk/options.properties -certpubdump /zap/wrk/owasp_zap_root_ca.cer && zap-webswing.sh" # 詳細スキャンしたい場合はこちらを使用する command: bash -c "zap.sh -cmd -addonupdate -addoninstall help_ja_JP -addoninstall wappalyzer -addoninstall ascanrulesAlpha -addoninstall ascanrulesBeta -addoninstall sqliplugin -addoninstall sequence -addonuninstall hud -configfile /zap/wrk/options.properties -certpubdump /zap/wrk/owasp_zap_root_ca.cer && zap-webswing.sh" volumes: + - ./zap/policies:/home/zap/.ZAP/policies/ - ./zap:/zap/wrk/ ports: - "8081:8080" diff --git a/zap/options.properties b/zap/options.properties index 2001e1b0c4c..388803dd54f 100644 --- a/zap/options.properties +++ b/zap/options.properties @@ -111,6 +111,10 @@ anticsrf.tokens.token\(53\).name=admin_change_password[_token] anticsrf.tokens.token\(53\).enabled=true anticsrf.tokens.token\(54\).name=calendar[_token] anticsrf.tokens.token\(54\).enabled=true +anticsrf.tokens.token\(55\).name=nonmember[_token] +anticsrf.tokens.token\(55\).enabled=true +anticsrf.tokens.token\(56\).name=admin_customer[_token] +anticsrf.tokens.token\(56\).enabled=true scanner.antiCSFR=true httpsessions.tokens.token\(0\).name=eccube httpsessions.tokens.token\(0\).enabled=true @@ -118,7 +122,7 @@ httpsessions.tokens.token\(1\).name=ecsessid httpsessions.tokens.token\(1\).enabled=true httpsessions.tokens.token\(2\).name=phpsessid httpsessions.tokens.token\(2\).enabled=true -## Filtering out false positives in PATH Traversal +## Filtering out false positives in PATH Traversal to add_cart globalalertfilter.filters.filter\(0\).ruleid=6 globalalertfilter.filters.filter\(0\).newrisk=-1 globalalertfilter.filters.filter\(0\).url=https://ec-cube/products/add_cart/[0-9]+ @@ -142,3 +146,291 @@ globalalertfilter.filters.filter\(1\).attackregex=false globalalertfilter.filters.filter\(1\).evidence= globalalertfilter.filters.filter\(1\).evidenceregex=false globalalertfilter.filters.filter\(1\).enabled=true +## Filtering out false positives in anti CSRF token to searchForm +globalalertfilter.filters.filter\(2\).ruleid=10202 +globalalertfilter.filters.filter\(2\).newrisk=-1 +globalalertfilter.filters.filter\(2\).url=https://ec-cube/.* +globalalertfilter.filters.filter\(2\).urlregex=true +globalalertfilter.filters.filter\(2\).param= +globalalertfilter.filters.filter\(2\).paramregex=false +globalalertfilter.filters.filter\(2\).attack=
+globalalertfilter.filters.filter\(2\).attackregex=false +globalalertfilter.filters.filter\(2\).evidence= +globalalertfilter.filters.filter\(2\).evidenceregex=false +globalalertfilter.filters.filter\(2\).enabled=true +## Filtering out false positives in PATH Traversal to method +globalalertfilter.filters.filter\(3\).ruleid=6 +globalalertfilter.filters.filter\(3\).newrisk=-1 +globalalertfilter.filters.filter\(3\).url=https://ec-cube/.*/delete +globalalertfilter.filters.filter\(3\).urlregex=true +globalalertfilter.filters.filter\(3\).param=_method +globalalertfilter.filters.filter\(3\).paramregex=false +globalalertfilter.filters.filter\(3\).attack=delete +globalalertfilter.filters.filter\(3\).attackregex=false +globalalertfilter.filters.filter\(3\).evidence= +globalalertfilter.filters.filter\(3\).evidenceregex=false +globalalertfilter.filters.filter\(3\).enabled=true +## Filtering out false positives in anti CSRF token to ec-cube.net +globalalertfilter.filters.filter\(4\).ruleid=10202 +globalalertfilter.filters.filter\(4\).newrisk=-1 +globalalertfilter.filters.filter\(4\).url=https://ec-cube/.* +globalalertfilter.filters.filter\(4\).urlregex=true +globalalertfilter.filters.filter\(4\).param= +globalalertfilter.filters.filter\(4\).paramregex=false +globalalertfilter.filters.filter\(4\).attack= +globalalertfilter.filters.filter\(4\).attackregex=true +globalalertfilter.filters.filter\(4\).evidence= +globalalertfilter.filters.filter\(4\).evidenceregex=false +globalalertfilter.filters.filter\(4\).enabled=true +## Filtering out false positives in anti CSRF token to form_bulk +globalalertfilter.filters.filter\(5\).ruleid=10202 +globalalertfilter.filters.filter\(5\).newrisk=-1 +globalalertfilter.filters.filter\(5\).url=https://ec-cube/admin/product +globalalertfilter.filters.filter\(5\).urlregex=false +globalalertfilter.filters.filter\(5\).param= +globalalertfilter.filters.filter\(5\).paramregex=false +globalalertfilter.filters.filter\(5\).attack= +globalalertfilter.filters.filter\(5\).attackregex=false +globalalertfilter.filters.filter\(5\).evidence= +globalalertfilter.filters.filter\(5\).evidenceregex=false +globalalertfilter.filters.filter\(5\).enabled=true +## Filtering out false positives in anti CSRF token to category +globalalertfilter.filters.filter\(6\).ruleid=10202 +globalalertfilter.filters.filter\(6\).newrisk=-1 +globalalertfilter.filters.filter\(6\).url=https://ec-cube/admin/category +globalalertfilter.filters.filter\(6\).urlregex=false +globalalertfilter.filters.filter\(6\).param= +globalalertfilter.filters.filter\(6\).paramregex=false +globalalertfilter.filters.filter\(6\).attack= +globalalertfilter.filters.filter\(6\).attackregex=false +globalalertfilter.filters.filter\(6\).evidence= +globalalertfilter.filters.filter\(6\).evidenceregex=false +globalalertfilter.filters.filter\(6\).enabled=true +## Filtering out false positives in anti CSRF token to class_category +globalalertfilter.filters.filter\(7\).ruleid=10202 +globalalertfilter.filters.filter\(7\).newrisk=-1 +globalalertfilter.filters.filter\(7\).url=https://ec-cube/admin/product/class_category/.* +globalalertfilter.filters.filter\(7\).urlregex=true +globalalertfilter.filters.filter\(7\).param= +globalalertfilter.filters.filter\(7\).paramregex=false +globalalertfilter.filters.filter\(7\).attack= +globalalertfilter.filters.filter\(7\).attackregex=false +globalalertfilter.filters.filter\(7\).evidence= +globalalertfilter.filters.filter\(7\).evidenceregex=true +globalalertfilter.filters.filter\(7\).enabled=true +## Filtering out false positives in anti CSRF token to class_name +globalalertfilter.filters.filter\(8\).ruleid=10202 +globalalertfilter.filters.filter\(8\).newrisk=-1 +globalalertfilter.filters.filter\(8\).url=https://ec-cube/admin/product/class_name +globalalertfilter.filters.filter\(8\).urlregex=false +globalalertfilter.filters.filter\(8\).param= +globalalertfilter.filters.filter\(8\).paramregex=false +globalalertfilter.filters.filter\(8\).attack= +globalalertfilter.filters.filter\(8\).attackregex=false +globalalertfilter.filters.filter\(8\).evidence= +globalalertfilter.filters.filter\(8\).evidenceregex=false +globalalertfilter.filters.filter\(8\).enabled=true +## Filtering out false positives in anti CSRF token to tag +globalalertfilter.filters.filter\(9\).ruleid=10202 +globalalertfilter.filters.filter\(9\).newrisk=-1 +globalalertfilter.filters.filter\(9\).url=https://ec-cube/admin/product/tag +globalalertfilter.filters.filter\(9\).urlregex=false +globalalertfilter.filters.filter\(9\).param= +globalalertfilter.filters.filter\(9\).paramregex=false +globalalertfilter.filters.filter\(9\).attack= +globalalertfilter.filters.filter\(9\).attackregex=false +globalalertfilter.filters.filter\(9\).evidence= +globalalertfilter.filters.filter\(9\).evidenceregex=false +globalalertfilter.filters.filter\(9\).enabled=true +## Filtering out false positives in PATH Traversal to edit +globalalertfilter.filters.filter\(10\).ruleid=6 +globalalertfilter.filters.filter\(10\).newrisk=-1 +globalalertfilter.filters.filter\(10\).url=https://ec-cube/admin/.*/edit +globalalertfilter.filters.filter\(10\).urlregex=true +globalalertfilter.filters.filter\(10\).param= +globalalertfilter.filters.filter\(10\).paramregex=false +globalalertfilter.filters.filter\(10\).attack=edit +globalalertfilter.filters.filter\(10\).attackregex=false +globalalertfilter.filters.filter\(10\).evidence= +globalalertfilter.filters.filter\(10\).evidenceregex=false +globalalertfilter.filters.filter\(10\).enabled=true +## Filtering out false positives in PATH Traversal to new +globalalertfilter.filters.filter\(11\).ruleid=6 +globalalertfilter.filters.filter\(11\).newrisk=-1 +globalalertfilter.filters.filter\(11\).url=https://ec-cube/admin/.*/new +globalalertfilter.filters.filter\(11\).urlregex=true +globalalertfilter.filters.filter\(11\).param= +globalalertfilter.filters.filter\(11\).paramregex=false +globalalertfilter.filters.filter\(11\).attack=new +globalalertfilter.filters.filter\(11\).attackregex=false +globalalertfilter.filters.filter\(11\).evidence= +globalalertfilter.filters.filter\(11\).evidenceregex=false +globalalertfilter.filters.filter\(11\).enabled=true +## Filtering out false positives in anti CSRF token to order_item_type +globalalertfilter.filters.filter\(12\).ruleid=10202 +globalalertfilter.filters.filter\(12\).newrisk=-1 +globalalertfilter.filters.filter\(12\).url=https://ec-cube/admin/order/search/order_item_type +globalalertfilter.filters.filter\(12\).urlregex=false +globalalertfilter.filters.filter\(12\).param= +globalalertfilter.filters.filter\(12\).paramregex=false +globalalertfilter.filters.filter\(12\).attack= +globalalertfilter.filters.filter\(12\).attackregex=false +globalalertfilter.filters.filter\(12\).evidence= +globalalertfilter.filters.filter\(12\).evidenceregex=true +globalalertfilter.filters.filter\(12\).enabled=true +## Filtering out false positives in anti CSRF token to search product +globalalertfilter.filters.filter\(13\).ruleid=10202 +globalalertfilter.filters.filter\(13\).newrisk=-1 +globalalertfilter.filters.filter\(13\).url=https://ec-cube/admin/.*/search/product +globalalertfilter.filters.filter\(13\).urlregex=true +globalalertfilter.filters.filter\(13\).param= +globalalertfilter.filters.filter\(13\).paramregex=false +globalalertfilter.filters.filter\(13\).attack= +globalalertfilter.filters.filter\(13\).attackregex=false +globalalertfilter.filters.filter\(13\).evidence= +globalalertfilter.filters.filter\(13\).evidenceregex=true +globalalertfilter.filters.filter\(13\).enabled=true +## Filtering out false positives in XSS(Persistent) to file_manager +globalalertfilter.filters.filter\(14\).ruleid=40014 +globalalertfilter.filters.filter\(14\).newrisk=-1 +globalalertfilter.filters.filter\(14\).url=https://ec-cube/admin/content/file_manager +globalalertfilter.filters.filter\(14\).urlregex=false +globalalertfilter.filters.filter\(14\).param=form[file][] +globalalertfilter.filters.filter\(14\).paramregex=false +globalalertfilter.filters.filter\(14\).attack=;alert(1) +globalalertfilter.filters.filter\(14\).attackregex=false +globalalertfilter.filters.filter\(14\).evidence= +globalalertfilter.filters.filter\(14\).evidenceregex=false +globalalertfilter.filters.filter\(14\).enabled=true +## Filtering out false positives in XSS(Reflected) to file_manager +globalalertfilter.filters.filter\(15\).ruleid=40012 +globalalertfilter.filters.filter\(15\).newrisk=-1 +globalalertfilter.filters.filter\(15\).url=https://ec-cube/admin/content/file_manager +globalalertfilter.filters.filter\(15\).urlregex=false +globalalertfilter.filters.filter\(15\).param= +globalalertfilter.filters.filter\(15\).paramregex=false +globalalertfilter.filters.filter\(15\).attack=;alert(1) +globalalertfilter.filters.filter\(15\).attackregex=false +globalalertfilter.filters.filter\(15\).evidence=;alert(1) +globalalertfilter.filters.filter\(15\).evidenceregex=false +globalalertfilter.filters.filter\(15\).enabled=true +## Filtering out false positives in XSS(Reflected) to recommend +globalalertfilter.filters.filter\(16\).ruleid=40012 +globalalertfilter.filters.filter\(16\).newrisk=-1 +globalalertfilter.filters.filter\(16\).url=https://ec-cube/admin/plugin/recommend/.* +globalalertfilter.filters.filter\(16\).urlregex=true +globalalertfilter.filters.filter\(16\).param=recommend_product[comment] +globalalertfilter.filters.filter\(16\).paramregex=false +globalalertfilter.filters.filter\(16\).attack= +globalalertfilter.filters.filter\(16\).attackregex=false +globalalertfilter.filters.filter\(16\).evidence= +globalalertfilter.filters.filter\(16\).evidenceregex=false +globalalertfilter.filters.filter\(16\).enabled=true +## Filtering out false positives in SQL Injection to file_manager +globalalertfilter.filters.filter\(17\).ruleid=40018 +globalalertfilter.filters.filter\(17\).newrisk=-1 +globalalertfilter.filters.filter\(17\).url=https://ec-cube/admin/content/file_manager +globalalertfilter.filters.filter\(17\).urlregex=false +globalalertfilter.filters.filter\(17\).param= +globalalertfilter.filters.filter\(17\).paramregex=false +globalalertfilter.filters.filter\(17\).attack= +globalalertfilter.filters.filter\(17\).attackregex=false +globalalertfilter.filters.filter\(17\).evidence= +globalalertfilter.filters.filter\(17\).evidenceregex=false +globalalertfilter.filters.filter\(17\).enabled=true +## Filtering out false positives in XSS(Reflected) to mail_magazine +globalalertfilter.filters.filter\(18\).ruleid=40012 +globalalertfilter.filters.filter\(18\).newrisk=-1 +globalalertfilter.filters.filter\(18\).url=https://ec-cube/admin/plugin/mail_magazine/select/.* +globalalertfilter.filters.filter\(18\).urlregex=true +globalalertfilter.filters.filter\(18\).param=mail_magazine[htmlBody] +globalalertfilter.filters.filter\(18\).paramregex=false +globalalertfilter.filters.filter\(18\).attack= +globalalertfilter.filters.filter\(18\).attackregex=false +globalalertfilter.filters.filter\(18\).evidence= +globalalertfilter.filters.filter\(18\).evidenceregex=false +globalalertfilter.filters.filter\(18\).enabled=true +## Filtering out false positives in XSS(Reflected) to mail preview +globalalertfilter.filters.filter\(19\).ruleid=40012 +globalalertfilter.filters.filter\(19\).newrisk=-1 +globalalertfilter.filters.filter\(19\).url=https://ec-cube/admin/setting/shop/mail/preview +globalalertfilter.filters.filter\(19\).urlregex=false +globalalertfilter.filters.filter\(19\).param=html_body +globalalertfilter.filters.filter\(19\).paramregex=false +globalalertfilter.filters.filter\(19\).attack= +globalalertfilter.filters.filter\(19\).attackregex=false +globalalertfilter.filters.filter\(19\).evidence= +globalalertfilter.filters.filter\(19\).evidenceregex=false +globalalertfilter.filters.filter\(19\).enabled=true +## Filtering out false positives in PATH Traversal to csv +globalalertfilter.filters.filter\(20\).ruleid=6 +globalalertfilter.filters.filter\(20\).newrisk=-1 +globalalertfilter.filters.filter\(20\).url=https://ec-cube/admin/setting/shop/csv/.* +globalalertfilter.filters.filter\(20\).urlregex=true +globalalertfilter.filters.filter\(20\).param= +globalalertfilter.filters.filter\(20\).paramregex=false +globalalertfilter.filters.filter\(20\).attack=[0-9]+ +globalalertfilter.filters.filter\(20\).attackregex=true +globalalertfilter.filters.filter\(20\).evidence= +globalalertfilter.filters.filter\(20\).evidenceregex=false +globalalertfilter.filters.filter\(20\).enabled=true +## Filtering out false positives in PATH Traversal to security +globalalertfilter.filters.filter\(21\).ruleid=6 +globalalertfilter.filters.filter\(21\).newrisk=-1 +globalalertfilter.filters.filter\(21\).url=https://ec-cube/admin/setting/system/security +globalalertfilter.filters.filter\(21\).urlregex=false +globalalertfilter.filters.filter\(21\).param=admin_security[admin_route_dir] +globalalertfilter.filters.filter\(21\).paramregex=false +globalalertfilter.filters.filter\(21\).attack=security +globalalertfilter.filters.filter\(21\).attackregex=false +globalalertfilter.filters.filter\(21\).evidence= +globalalertfilter.filters.filter\(21\).evidenceregex=false +globalalertfilter.filters.filter\(21\).enabled=true +## Filtering out false positives in anti CSRF token to authentication_setting +globalalertfilter.filters.filter\(22\).ruleid=10202 +globalalertfilter.filters.filter\(22\).newrisk=-1 +globalalertfilter.filters.filter\(22\).url=https://ec-cube/admin/store/plugin/authentication_setting +globalalertfilter.filters.filter\(22\).urlregex=false +globalalertfilter.filters.filter\(22\).param= +globalalertfilter.filters.filter\(22\).paramregex=false +globalalertfilter.filters.filter\(22\).attack= +globalalertfilter.filters.filter\(22\).attackregex=false +globalalertfilter.filters.filter\(22\).evidence= +globalalertfilter.filters.filter\(22\).evidenceregex=false +globalalertfilter.filters.filter\(22\).enabled=true +## Filtering out false positives in anti CSRF token to memeber +globalalertfilter.filters.filter\(22\).ruleid=10202 +globalalertfilter.filters.filter\(22\).newrisk=-1 +globalalertfilter.filters.filter\(22\).url=https://ec-cube/admin/setting/system/member +globalalertfilter.filters.filter\(22\).urlregex=false +globalalertfilter.filters.filter\(22\).param= +globalalertfilter.filters.filter\(22\).paramregex=false +globalalertfilter.filters.filter\(22\).attack= +globalalertfilter.filters.filter\(22\).attackregex=false +globalalertfilter.filters.filter\(22\).evidence= +globalalertfilter.filters.filter\(22\).evidenceregex=false +globalalertfilter.filters.filter\(22\).enabled=true +## Filtering out false positives in PATH Traversal to customer +globalalertfilter.filters.filter\(23\).ruleid=6 +globalalertfilter.filters.filter\(23\).newrisk=-1 +globalalertfilter.filters.filter\(23\).url=https://ec-cube/shopping/customer +globalalertfilter.filters.filter\(23\).urlregex=false +globalalertfilter.filters.filter\(23\).param= +globalalertfilter.filters.filter\(23\).paramregex=false +globalalertfilter.filters.filter\(23\).attack=customer +globalalertfilter.filters.filter\(23\).attackregex=false +globalalertfilter.filters.filter\(23\).evidence= +globalalertfilter.filters.filter\(23\).evidenceregex=false +globalalertfilter.filters.filter\(23\).enabled=true +## Filtering out false positives in anti CSRF token to favorite +globalalertfilter.filters.filter\(24\).ruleid=10202 +globalalertfilter.filters.filter\(24\).newrisk=-1 +globalalertfilter.filters.filter\(24\).url=https://ec-cube/products/detail/.* +globalalertfilter.filters.filter\(24\).urlregex=true +globalalertfilter.filters.filter\(24\).param= +globalalertfilter.filters.filter\(24\).paramregex=false +globalalertfilter.filters.filter\(24\).attack= +globalalertfilter.filters.filter\(24\).attackregex=false +globalalertfilter.filters.filter\(24\).evidence= +globalalertfilter.filters.filter\(24\).evidenceregex=true +globalalertfilter.filters.filter\(24\).enabled=true \ No newline at end of file diff --git a/zap/policies/Default Policy.policy b/zap/policies/Default Policy.policy new file mode 100644 index 00000000000..5324125faea --- /dev/null +++ b/zap/policies/Default Policy.policy @@ -0,0 +1,81 @@ + + + Default Policy + + MEDIUM + MEDIUM + + + + true + + + true + + + true + + + true + + + true + + + true + + + true + + + true + + + true + + + true + + + true + + + true + + + true + + + true + + + true + + + true + + + true + + + true + + + true + + + true + + + true + + + false + OFF + + + false + OFF + + +