Merge pull request #495 from psiinon/main

Added crAPI plan and changed to use pollUnits: seconds

Author: thc202

other/CHANGELOG.md

@@ -3,6 +3,10 @@ All notable changes to the 'other' section of this repository will be documented
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
+### 2025-10-03
+- Added af-plans/FullScanCrApiAuth.yaml
+- Changed auth AF plans to use seconds instead of requests for pollUnits.
+
 ### 2025-09-30
 - Added af-plans/FullScanGinNJuiceAuth.yaml
 

other/af-plans/AuthCheckBodgeit.yaml

@@ -22,7 +22,7 @@ env:
         loggedInRegex: "\\QUser: <a href=\"password.jsp\">\\E"
         loggedOutRegex: "\\QGuest user\\E"
         pollFrequency: 60
-        pollUnits: "requests"
+        pollUnits: "seconds"
         pollUrl: ""
         pollPostData: ""
     sessionManagement:

other/af-plans/FullScanCrApiAuth.yaml

@@ -0,0 +1,102 @@
+---
+# A simple plan for performing an authenticated scan against OWASP crAPI.
+# The plan includes the request needed to register the user used for authentication.
+# The plan is intended to be run with ZAP in a Docker container connected to the correct network,
+# as per https://www.zaproxy.org/docs/testapps/crapi/
+# If you are running this plan in the ZAP Desktop then change all instances of "crapi-web" to "localhost:8888"
+# (or whatever host:port that crAPI is accessible on)
+env:
+  contexts:
+  - name: crAPI
+    urls:
+    - http://crapi-web
+    includePaths:
+    - http://crapi-web.*
+    authentication:
+      method: browser
+      parameters:
+        loginPageUrl: http://crapi-web/login
+        loginPageWait: 5
+        browserId: firefox-headless
+        stepDelay: 1
+        steps: []
+      verification:
+        method: poll
+        loggedInRegex: \Q 200\E
+        loggedOutRegex: \Q 404\E
+        pollFrequency: 60
+        pollUnits: seconds
+        pollUrl: http://crapi-web/identity/api/v2/user/dashboard
+        pollPostData: ""
+        pollAdditionalHeaders:
+        - header: content-type
+          value: application/json
+        - header: referer
+          value: http://crapi-web/login
+    sessionManagement:
+      method: headers
+      parameters:
+        Authorization: "Bearer {%json:token%}"
+    technology: {}
+    structure: {}
+    users:
+    - name: [email protected]
+      credentials:
+        password: Password123!
+        username: [email protected]
+  parameters: {}
+jobs:
+- type: passiveScan-config
+  parameters: {}
+- type: requestor
+  parameters:
+    user: ""
+  requests:
+  - url: http://crapi-web/identity/api/auth/signup
+    method: POST
+    headers:
+    - Content-Type:application/json
+    data: "{\"name\":\"test\",\"email\":\"[email protected]\",\"number\":\"1234567890\"\
+      ,\"password\":\"Password123!\"}"
+    responseCode: 200
+- type: spider
+  parameters:
+    context: crAPI
+    user: [email protected]
+    logoutAvoidance: true
+  tests:
+  - name: At least 100 URLs found
+    type: stats
+    onFail: INFO
+    statistic: automation.spider.urls.added
+    operator: '>='
+    value: 100
+- type: spiderAjax
+  parameters:
+    context: crAPI
+    user: [email protected]
+    browserId: firefox-headless
+    scopeCheck: Flexible
+    logoutAvoidance: true
+  tests:
+  - name: At least 100 URLs found
+    type: stats
+    onFail: INFO
+    statistic: spiderAjax.urls.added
+    operator: '>='
+    value: 100
+- type: passiveScan-wait
+  parameters: {}
+- type: activeScan
+  parameters:
+    context: crAPI
+    user: [email protected]
+  policyDefinition:
+    defaultStrength: medium
+    defaultThreshold: medium
+- parameters:
+    template: "modern"
+    reportTitle: "ZAP Scanning Report"
+    reportDescription: ""
+  name: "report"
+  type: "report"

other/af-plans/FullScanDvwaAuth.yaml

@@ -27,7 +27,7 @@ env:
         method: "poll"
         loggedInRegex: "\\Qadmin\\E"
         pollFrequency: 60
-        pollUnits: "requests"
+        pollUnits: "seconds"
         pollUrl: "http://localhost:4280/instructions.php"
         pollPostData: ""
     sessionManagement:

other/af-plans/FullScanGinNJuiceAuth.yaml

@@ -22,7 +22,7 @@ env:
         loggedInRegex: \Q 200 OK\E
         loggedOutRegex: \Q 302 Found\E
         pollFrequency: 60
-        pollUnits: requests
+        pollUnits: seconds
         pollUrl: https://ginandjuice.shop/my-account
         pollPostData: ""
     sessionManagement: