-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathowasp-zap.conf
38 lines (35 loc) · 1.63 KB
/
owasp-zap.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
# zap-baseline rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
# Only the rule identifiers are used - the names are just for info
# You can add your own messages to each rule by appending them after a tab on each line.
10010 WARN (Cookie No HttpOnly Flag)
10011 WARN (Cookie Without Secure Flag)
10015 WARN (Incomplete or No Cache-control and Pragma HTTP Header Set)
10016 WARN (Web Browser XSS Protection Not Enabled)
10017 WARN (Cross-Domain JavaScript Source File Inclusion)
10019 WARN (Content-Type Header Missing)
10020 WARN (X-Frame-Options Header Scanner)
10021 WARN (X-Content-Type-Options Header Missing)
10023 WARN (Information Disclosure - Debug Error Messages)
10024 WARN (Information Disclosure - Sensitive Information in URL)
10025 WARN (Information Disclosure - Sensitive Information in HTTP Referrer Header)
10026 WARN (HTTP Parameter Override)
10027 WARN (Information Disclosure - Suspicious Comments)
10032 WARN (Viewstate Scanner)
10040 WARN (Secure Pages Include Mixed Content)
10055 WARN (CSP Scanner)
10105 WARN (Weak Authentication Method)
10202 WARN (Absence of Anti-CSRF Tokens)
2 WARN (Private IP Disclosure)
3 WARN (Session ID in URL Rewrite)
50001 WARN (Script Passive Scan Rules)
90001 WARN (Insecure JSF ViewState)
90011 WARN (Charset Mismatch)
90022 WARN (Application Error Disclosure)
90030 WARN (WSDL File Passive Scanner)
90033 WARN (Loosely Scoped Cookie)
# Drupal specific ignores/outofscope settings
# Without JavaScfipt, it is not expected that the cookie can be exploited.
10010 IGNORE .*big_pipe/no-js.*
10011 IGNORE .*big_pipe/no-js.*
# Project specific ignores/outofscope settings