scanners/zap-advanced/integration-tests/scantype-configMap.yaml
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0
apiVersion: v1
kind: ConfigMap
metadata:
name: zap-advanced-scantype-config
data:
1-zap-advanced-scantype.yaml: |-
# Global ZAP Configurations
global:
# Sets the ZAP Session name
sessionName: scb-integration-test
# -- Updates all installed ZAP AddOns on startup if true, otherwise false.
addonUpdate: true
# -- Installs additional ZAP AddOns on startup, listed by their name:
addonInstall:
- pscanrulesBeta
- ascanrulesBeta
- pscanrulesAlpha
- ascanrulesAlpha
# ZAP Contexts Configuration
contexts:
- name: scb-bodgeit-context
# The top level url, mandatory, everything under this will be included. IMPORTANT: must be the hostname without any subpath!
url: http://bodgeit.demo-targets.svc:8080/
# An optional list of regexes to include
includePaths:
- "http://bodgeit.demo-targets.svc:8080/bodgeit.*"
# An optional list of regexes to exclude
excludePaths:
- ".*\\.js"
- ".*\\.css"
- ".*\\.png"
- ".*\\.jpeg"
# Auth Credentials for the scanner to access the application
# Can be either basicAuth or a oidc token.
# If both are set, the oidc token takes precedent
# More infos about "ZAP Authentication for BodgeIT": https://play.sonatype.com/watch/B1vhaLSUsme7eA5hU8WeGB?
authentication:
# Currently supports "basic-auth", "form-based", "json-based", "script-based"
type: "form-based"
# basic-auth requires no further configuration
form-based:
loginUrl: "http://bodgeit.demo-targets.svc:8080/bodgeit/login.jsp"
# must be escaped already to prevent yaml parser colidations 'username={%username%}&password={%password%}''
loginRequestData: "username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D"
# Indicates if the current Zap User Session is based on a valid authentication (loggedIn) or not (loggedOut)
verification:
isLoggedInIndicator: '\Q<a href="password.jsp">\E'
isLoggedOutIndicator: '\QGuest user\E'
users:
- name: bodgeit-user-1
username: test@thebodgeitstore.com
password: password
forced: true
session:
# Currently supports "scriptBasedSessionManagement", "cookieBasedSessionManagement", "httpAuthSessionManagement"
type: "cookieBasedSessionManagement"
- name: scb-juiceshop-context
# The top level url, mandatory, everything under this will be included
url: http://juiceshop.demo-targets.svc:3000/
# An optional list of regexes to include
includePaths:
- "http://juiceshop.demo-targets.svc:3000.*"
# An optional list of regexes to exclude
excludePaths:
- ".*socket\\.io.*"
- ".*\\.png"
- ".*\\.jpeg"
- ".*\\.jpg"
- ".*\\.woff"
- ".*\\.woff2"
- ".*\\.ttf"
- ".*\\.ico"
# Auth Credentials for the scanner to access the application
# Can be either basicAuth or a oidc token.
# If both are set, the oidc token takes precedent
authentication:
# Currently supports "basic-auth", "form-based", "json-based", "script-based"
type: "json-based"
# json-based requires no further configuration
# zapConfiguration.contexts[0].authentication.json-based -- Configure `type: json-based` authentication (more: https://www.zaproxy.org/docs/api/#json-based-authentication).
json-based:
loginUrl: "http://juiceshop.demo-targets.svc:3000/rest/user/login"
# must be escaped already to prevent yaml parser colidations '{"user":{"id":1,"email":"test@test.com"}}''
loginRequestData: '{"email":"admin@juice-sh.op","password":"admin123"}'
# Indicates if the current Zap User Session is based on a valid authentication (loggedIn) or not (loggedOut)
verification:
# isLoggedInIndicator: "\Q<a href="password.jsp">\E"
isLoggedOutIndicator: '\Q{"user":{}}\E'
users:
- name: juiceshop-user-1
username: admin@juice-sh.op
password: admin123
forced: true
# session:
# # Currently supports "scriptBasedSessionManagement", "cookieBasedSessionManagement", "httpAuthSessionManagement"
# type: "scriptBasedSessionManagement"
# # scriptBasedSessionManagement configuration details
# scriptBasedSessionManagement:
# name: "juiceshop-session-management.js"
# # Script engine values: 'Graal.js', 'Oracle Nashorn' for Javascript and 'Mozilla Zest' for Zest Scripts
# engine: "Oracle Nashorn"
# type: "session"
# # Must be a full path to the script file inside the ZAP container (corresponding to the configMap FileMount)
# filePath: "/home/zap/.ZAP_D/scripts/scripts/session/juiceshop-session-management.js"
# description: "This is a JuiceShop specific SessionManagement Script used to handle JWT."
- name: scb-petstore-context
# The top level url, mandatory, everything under this will be included. IMPORTANT: must be the hostname without any subpath!
url: http://petstore.demo-targets.svc/
# An optional list of regexes to include
includePaths:
- "http://petstore.demo-targets.svc/v2.*"
# An optional list of regexes to exclude
excludePaths:
- ".*\\.css"
- ".*\\.png"
- ".*\\.jpeg"
apis:
- name: scb-petstore-api
# -- The Name of the context (zapConfiguration.contexts[x].name) to spider, default: first context available.
context: scb-petstore-context
# -- format of the API ('openapi', 'grapql', 'soap')
format: openapi
# -- Url to start spidering from, default: first context URL
url: http://petstore.demo-targets.svc/v2/swagger.json
# -- Override host setting in swagger.json
hostOverride: http://petstore.demo-targets.svc
# Configures existings ZAP Scripts or add new ZAP Scripts.
scripts:
- name: "Alert_on_HTTP_Response_Code_Errors.js"
enabled: true
filePath: "/home/zap/.ZAP_D/scripts/scripts/httpsender/Alert_on_HTTP_Response_Code_Errors.js"
engine: "Oracle Nashorn"
type: "httpsender"
description: "A HTTP Sender Script which will raise alerts based on HTTP Response codes."
- name: "Alert_on_Unexpected_Content_Types.js"
enabled: true
filePath: "/home/zap/.ZAP_D/scripts/scripts/httpsender/Alert_on_Unexpected_Content_Types.js"
engine: "Oracle Nashorn"
type: "httpsender"
description: "A HTTP Sender Script which will raise alerts based on unexpected Content-Types."
# ZAP Spiders Configuration
spiders:
- name: scb-bodgeit-spider
# String: Name of the context to spider, default: first context
context: scb-bodgeit-context
# String: Name of the user to authenticate with and used to spider
user: bodgeit-user-1
# String: Url to start spidering from, default: first context URL
url: http://bodgeit.demo-targets.svc:8080/bodgeit/
# Int: Fail if spider finds less than the specified number of URLs, default: 0
failIfFoundUrlsLessThan: 0
# Int: Warn if spider finds less than the specified number of URLs, default: 0
warnIfFoundUrlsLessThan: 0
# Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited
maxDuration: 1
# Int: The maximum tree depth to explore, default 5
maxDepth: 5
# Int: The maximum number of children to add to each node in the tree
maxChildren: 10
# # Int: The max size of a response that will be parsed, default: 2621440 - 2.5 Mb
# maxParseSizeBytes: 2621440
# Bool: Whether the spider will accept cookies, default: true
acceptCookies: true
# Bool: Whether the spider will handle OData responses, default: false
handleODataParametersVisited: false
# Enum [ignore_completely, ignore_value, use_all]: How query string parameters are used when checking if a URI has already been visited, default: use_all
handleParameters: use_all
# Bool: Whether the spider will parse HTML comments in order to find URLs, default: true
parseComments: true
# Bool: Whether the spider will parse Git metadata in order to find URLs, default: false
parseGit: false
# Bool: Whether the spider will parse 'robots.txt' files in order to find URLs, default: true
parseRobotsTxt: true
# Bool: Whether the spider will parse 'sitemap.xml' files in order to find URLs, default: true
parseSitemapXml: false
# Bool: Whether the spider will parse SVN metadata in order to find URLs, default: false
parseSVNEntries: false
# Bool: Whether the spider will submit POST forms, default: true
postForm: true
# Bool: Whether the spider will process forms, default: true
processForm: true
# Int: The time between the requests sent to a server in milliseconds, default: 200
requestWaitTime: 200
# Bool: Whether the spider will send the referer header, default: true
sendRefererHeader: true
# Int: The number of spider threads, default: 2
threadCount: 2
# String: The user agent to use in requests, default: '' - use the default ZAP one
userAgent: "secureCodeBox / ZAP Spider"
- name: scb-juiceshop-spider
# String: Name of the context to spider, default: first context
context: scb-juiceshop-context
# String: Name of the user to authenticate with and used to spider
user: juiceshop-user-1
# String: Url to start spidering from, default: first context URL
url: http://juiceshop.demo-targets.svc:3000/
# zapConfiguration.spiders[0].ajax -- Bool: Whether to use the ZAP ajax spider, default: false
ajax: true
# Int: Fail if spider finds less than the specified number of URLs, default: 0
failIfFoundUrlsLessThan: 0
# Int: Warn if spider finds less than the specified number of URLs, default: 0
warnIfFoundUrlsLessThan: 0
# Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited
maxDuration: 2
# Int: The maximum tree depth to explore, default 5
maxDepth: 5
- name: scb-petstore-spider
# String: Name of the context to spider, default: first context
context: scb-petstore-context
# String: Url to start spidering from, default: first context URL
url: http://petstore.demo-targets.svc/v2/
# Int: Fail if spider finds less than the specified number of URLs, default: 0
failIfFoundUrlsLessThan: 0
# Int: Warn if spider finds less than the specified number of URLs, default: 0
warnIfFoundUrlsLessThan: 0
# Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited
maxDuration: 1
# Int: The maximum tree depth to explore, default 5
maxDepth: 5
# Int: The maximum number of children to add to each node in the tree
maxChildren: 10
# # Int: The max size of a response that will be parsed, default: 2621440 - 2.5 Mb
# maxParseSizeBytes: 2621440
# Bool: Whether the spider will accept cookies, default: true
acceptCookies: true
# Bool: Whether the spider will handle OData responses, default: false
handleODataParametersVisited: false
# Enum [ignore_completely, ignore_value, use_all]: How query string parameters are used when checking if a URI has already been visited, default: use_all
handleParameters: use_all
# Bool: Whether the spider will parse HTML comments in order to find URLs, default: true
parseComments: true
# Bool: Whether the spider will parse Git metadata in order to find URLs, default: false
parseGit: false
# Bool: Whether the spider will parse 'robots.txt' files in order to find URLs, default: true
parseRobotsTxt: false
# Bool: Whether the spider will parse 'sitemap.xml' files in order to find URLs, default: true
parseSitemapXml: false
# Bool: Whether the spider will parse SVN metadata in order to find URLs, default: false
parseSVNEntries: false
# Bool: Whether the spider will submit POST forms, default: true
postForm: true
# Bool: Whether the spider will process forms, default: true
processForm: true
# Int: The time between the requests sent to a server in milliseconds, default: 200
requestWaitTime: 200
# Bool: Whether the spider will send the referer header, default: true
sendRefererHeader: true
# Int: The number of spider threads, default: 2
threadCount: 5
# String: The user agent to use in requests, default: '' - use the default ZAP one
userAgent: "secureCodeBox / ZAP Spider"
# ZAP ActiveScans Configuration
scanners:
- name: scb-bodgeit-scan
# String: Name of the context to attack, default: first context
context: scb-bodgeit-context
# String: Name of the user to authenticate with and used to spider
user: bodgeit-user-1
# String: Url to start scaning from, default: first context URL
url: http://bodgeit.demo-targets.svc:8080/bodgeit/
# Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
maxRuleDurationInMins: 1
# Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
maxScanDurationInMins: 5
# Int: The max number of threads per host, default: 2
threadPerHost: 5
# Int: The delay in milliseconds between each request, use to reduce the strain on the target, default 0
delayInMs: 0
# Bool: If set will add an extra query parameter to requests that do not have one, default: false
addQueryParam: false
# Bool: If set then automatically handle anti CSRF tokens, default: false
handleAntiCSRFTokens: false
# Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false
injectPluginIdInHeader: false
# Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false
scanHeadersAllRequests: false
- name: scb-juiceshop-scanner
# String: Name of the context to attack, default: first context
context: scb-juiceshop-context
# String: Name of the user to authenticate with and used to spider
user: juiceshop-user-1
# String: Url to start scaning from, default: first context URL
url: http://juiceshop.demo-targets.svc:3000/
# Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
maxRuleDurationInMins: 1
# Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
maxScanDurationInMins: 5
# Int: The max number of threads per host, default: 2
threadPerHost: 5
# Int: The delay in milliseconds between each request, use to reduce the strain on the target, default 0
delayInMs: 0
# Bool: If set will add an extra query parameter to requests that do not have one, default: false
addQueryParam: false
# Bool: If set then automatically handle anti CSRF tokens, default: false
handleAntiCSRFTokens: false
# Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false
injectPluginIdInHeader: false
# Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false
scanHeadersAllRequests: false
- name: scb-petstore-scan
# String: Name of the context to attack, default: first context
context: scb-petstore-context
# String: Url to start scaning from, default: first context URL
url: http://petstore.demo-targets.svc/v2/
# String: Name of the scan policy to be used, default: Default Policy
policy: "API-Minimal"
# Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
maxRuleDurationInMins: 1
# Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
maxScanDurationInMins: 5
# Int: The max number of threads per host, default: 2
threadPerHost: 5
# Int: The delay in milliseconds between each request, use to reduce the strain on the target, default 0
delayInMs: 0
# Bool: If set will add an extra query parameter to requests that do not have one, default: false
addQueryParam: false
# Bool: If set then automatically handle anti CSRF tokens, default: false
handleAntiCSRFTokens: false
# Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false
injectPluginIdInHeader: false
# Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false
scanHeadersAllRequests: false