|
| 1 | +--- |
| 2 | +# A simple plan for performing an authenticated scan against OWASP crAPI. |
| 3 | +# The plan includes the request needed to register the user used for authentication. |
| 4 | +# The plan is intended to be run with ZAP in a Docker container connected to the correct network, |
| 5 | +# as per https://www.zaproxy.org/docs/testapps/crapi/ |
| 6 | +# If you are running this plan in the ZAP Desktop then change all instances of "crapi-web" to "localhost:8888" |
| 7 | +# (or whatever host:port that crAPI is accessible on) |
| 8 | +env: |
| 9 | + contexts: |
| 10 | + - name: crAPI |
| 11 | + urls: |
| 12 | + - http://crapi-web |
| 13 | + includePaths: |
| 14 | + - http://crapi-web.* |
| 15 | + authentication: |
| 16 | + method: browser |
| 17 | + parameters: |
| 18 | + loginPageUrl: http://crapi-web/login |
| 19 | + loginPageWait: 5 |
| 20 | + browserId: firefox |
| 21 | + stepDelay: 1 |
| 22 | + diagnostics: true |
| 23 | + steps: [] |
| 24 | + verification: |
| 25 | + method: poll |
| 26 | + loggedInRegex: \Q 200\E |
| 27 | + loggedOutRegex: \Q 404\E |
| 28 | + pollFrequency: 60 |
| 29 | + pollUnits: seconds |
| 30 | + pollUrl: http://crapi-web/identity/api/v2/user/dashboard |
| 31 | + pollPostData: "" |
| 32 | + pollAdditionalHeaders: |
| 33 | + - header: content-type |
| 34 | + value: application/json |
| 35 | + - header: referer |
| 36 | + value: http://crapi-web/login |
| 37 | + sessionManagement: |
| 38 | + method: headers |
| 39 | + parameters: |
| 40 | + Authorization: "Bearer {%json:token%}" |
| 41 | + technology: {} |
| 42 | + structure: {} |
| 43 | + users: |
| 44 | + |
| 45 | + credentials: |
| 46 | + password: Password123! |
| 47 | + |
| 48 | + parameters: {} |
| 49 | +jobs: |
| 50 | +- type: passiveScan-config |
| 51 | + parameters: {} |
| 52 | +- type: requestor |
| 53 | + parameters: |
| 54 | + user: "" |
| 55 | + requests: |
| 56 | + - url: http://crapi-web/identity/api/auth/signup |
| 57 | + method: POST |
| 58 | + headers: |
| 59 | + - Content-Type:application/json |
| 60 | + data: "{\"name\":\"test\",\"email\":\"[email protected]\",\"number\":\"1234567890\"\ |
| 61 | + ,\"password\":\"Password123!\"}" |
| 62 | + responseCode: 200 |
| 63 | +- type: spider |
| 64 | + parameters: |
| 65 | + context: crAPI |
| 66 | + |
| 67 | + logoutAvoidance: true |
| 68 | + tests: |
| 69 | + - name: At least 100 URLs found |
| 70 | + type: stats |
| 71 | + onFail: INFO |
| 72 | + statistic: automation.spider.urls.added |
| 73 | + operator: '>=' |
| 74 | + value: 100 |
| 75 | +- type: spiderAjax |
| 76 | + parameters: |
| 77 | + context: crAPI |
| 78 | + |
| 79 | + browserId: firefox-headless |
| 80 | + scopeCheck: Flexible |
| 81 | + logoutAvoidance: true |
| 82 | + tests: |
| 83 | + - name: At least 100 URLs found |
| 84 | + type: stats |
| 85 | + onFail: INFO |
| 86 | + statistic: spiderAjax.urls.added |
| 87 | + operator: '>=' |
| 88 | + value: 100 |
| 89 | +- type: passiveScan-wait |
| 90 | + parameters: {} |
| 91 | +- type: activeScan |
| 92 | + parameters: |
| 93 | + context: crAPI |
| 94 | + |
| 95 | + policyDefinition: |
| 96 | + defaultStrength: medium |
| 97 | + defaultThreshold: medium |
| 98 | +- parameters: |
| 99 | + template: "modern" |
| 100 | + reportTitle: "ZAP Scanning Report" |
| 101 | + reportDescription: "" |
| 102 | + name: "report" |
| 103 | + type: "report" |
0 commit comments