base repository: zaproxy/zap-extensions
base: 58f25e1c9b12789aa3e19ea2a5fa0fffbd2af716
head repository: zaproxy/zap-extensions
compare: 81a36b43a81d352f1e5d3665c3d37aefef79a36f
Showing 1,774 changed files with 38,856 additions and 3,071 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
Original file line number Diff line number Diff line change
@@ -23,7 +23,7 @@ jobs:
with:
distribution: 'temurin'
java-version: ${{ matrix.java }}
- uses: gradle/actions/setup-gradle@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4.2.1
- uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
with:
gradle-home-cache-includes: |
caches
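Review bot: the new pin `0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2` should be checked against the tag it claims to represent before merging; a SHA pin is only as trustworthy as the comment beside it, and the diff itself cannot show that this commit is what gradle/actions tagged as v4.2.2. Confirm it in the upstream repository (or rely on the dependency-update tooling that generated the bump to attest to it) and keep the comment and the SHA updated together so the pin stays auditable.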
2 changes: 1 addition & 1 deletion .github/workflows/codeql.yml
@@ -35,7 +35,7 @@ jobs:
uses: github/codeql-action/autobuild@v3

- if: matrix.language == 'java'
uses: gradle/actions/setup-gradle@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4.2.1
uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
with:
cache-read-only: true
gradle-home-cache-includes: |
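Review bot: same pin bump as in ci.yml; keep both workflows on the identical SHA so that a future review of one file does not miss drift in the other. Since this job runs with `cache-read-only: true` and only consumes the Gradle cache that the ci.yml job populates, it makes sense to bump both in the same commit, as is done here.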
7 changes: 6 additions & 1 deletion addOns/addOns.gradle.kts
@@ -150,6 +150,11 @@ subprojects {
exclude(group = "org.apache.logging.log4j", module = "log4j-1.2-api")
}

"runtimeClasspath" {
exclude(group = "org.apache.logging.log4j", module = "log4j-core")
exclude(group = "org.apache.logging.log4j", module = "log4j-api")
}

val zapAddOn by creating

"compileOnly" {
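Review bot: the new `runtimeClasspath` excludes for `log4j-core` and `log4j-api` carry no comment explaining why they are safe. Add-ons log through `org.apache.logging.log4j.LogManager` (see the imports in CloudMetadataScanRule.java further down), so this relies on ZAP core providing both artifacts at runtime; a one-line comment saying so, next to the existing `log4j-1.2-api` exclusion above, will save the next reader from re-deriving it. The exclusion is scoped to `runtimeClasspath` only, so compilation still sees the API, which is the right scope.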
@@ -161,7 +166,7 @@ subprojects {
}
}

val zapGav = "org.zaproxy:zap:2.16.0-SNAPSHOT"
val zapGav = "org.zaproxy:zap:2.16.0"
dependencies {
"zap"(zapGav)
}
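Review bot: moving `zapGav` from `2.16.0-SNAPSHOT` to the `2.16.0` release is the right step for a release cut and matches the `Update minimum ZAP version to 2.16.0.` CHANGELOG entries below. Verify that no add-on pins a snapshot dependency elsewhere, otherwise the build still resolves against the snapshot repository and the reproducibility gain is lost.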
4 changes: 4 additions & 0 deletions addOns/alertFilters/CHANGELOG.md
@@ -4,6 +4,9 @@ All notable changes to this add-on will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased


## [23] - 2025-01-09
### Changed
- Update minimum ZAP version to 2.16.0.
- Fields with default or missing values are omitted for the `alertFilter` job in saved Automation Framework plans.
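Review bot: the new `## Unreleased` heading is followed by two blank lines before `## [23] - 2025-01-09`, while the rest of the file separates sections with a single blank line; drop one for consistency. The release header and date are otherwise in the expected Keep a Changelog form and match the `[23]` link added in the next hunk.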
@@ -146,6 +149,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

- First version

[23]: https://github.com/zaproxy/zap-extensions/releases/alertFilters-v23
[22]: https://github.com/zaproxy/zap-extensions/releases/alertFilters-v22
[21]: https://github.com/zaproxy/zap-extensions/releases/alertFilters-v21
[20]: https://github.com/zaproxy/zap-extensions/releases/alertFilters-v20
2 changes: 1 addition & 1 deletion addOns/alertFilters/gradle.properties
@@ -1,2 +1,2 @@
version=23
version=24
release=false
9 changes: 8 additions & 1 deletion addOns/ascanrules/CHANGELOG.md
@@ -5,6 +5,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased
### Changed
- Scan rules which execute time based attacks now include the "TEST_TIMING" alert tag.

## [70] - 2025-01-09
### Changed
- Update minimum ZAP version to 2.16.0.
- Updated help with specific Category identifiers for use with the Custom Payloads add-on for rules:
- Hidden File Finder
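Review bot: the `TEST_TIMING` entry added under `## Unreleased` is the same line removed from the `[70]` section in the next hunk, so the move implies the tag did not ship in 70; if it actually did, the entry should stay in the release section instead. Minor wording: `time based` reads better hyphenated as `time-based`, and the tag name could be in backticks like `OUT_OF_BAND` below.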
@@ -13,10 +17,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- Add the `OUT_OF_BAND` alert tag to the following scan rules:
- Server Side Template Injection (Blind)
- XML External Entity Attack
- Scan rules which execute time based attacks now include the "TEST_TIMING" alert tag.
- Cloud Metadata Attack scan rule is improved to support GCP, Azure, and OCI.
- Remove double dot in skipped message of a scan rule that uses the Active Scan OAST service.

### Fixed
- A situation where the Server-Side Template Injection (SSTI) scan rule might result in false positives related to the Go payloads (Issue 8622).
- False Positives in Cloud Metadata Attack scan rule (Issue 8514).

### Added
- Standardized Scan Policy related alert tags on the rule.
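Review bot: the CHANGELOG does not mention the confidence change in CloudMetadataScanRule.java (alerts are now raised at MEDIUM instead of LOW); that is user-visible and affects report triage, so add a line under `### Changed` next to the `Cloud Metadata Attack scan rule is improved to support GCP, Azure, and OCI.` entry. The `False Positives in Cloud Metadata Attack scan rule (Issue 8514).` fix entry is consistent with the per-provider indicator check introduced in the rule.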
@@ -570,6 +576,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).



[70]: https://github.com/zaproxy/zap-extensions/releases/ascanrules-v70
[69]: https://github.com/zaproxy/zap-extensions/releases/ascanrules-v69
[68]: https://github.com/zaproxy/zap-extensions/releases/ascanrules-v68
[67]: https://github.com/zaproxy/zap-extensions/releases/ascanrules-v67
2 changes: 1 addition & 1 deletion addOns/ascanrules/gradle.properties
@@ -1,2 +1,2 @@
version=70
version=71
release=false
Original file line number Diff line number Diff line change
@@ -19,11 +19,11 @@
*/
package org.zaproxy.zap.extension.ascanrules;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.parosproxy.paros.Constant;
@@ -44,11 +44,6 @@ public class CloudMetadataScanRule extends AbstractHostPlugin implements CommonA
private static final String MESSAGE_PREFIX = "ascanrules.cloudmetadata.";

private static final int PLUGIN_ID = 90034;
private static final String METADATA_PATH = "/latest/meta-data/";
private static final List<String> METADATA_HOSTS =
Arrays.asList(
"169.254.169.254", "aws.zaproxy.org", "100.100.100.200", "alibaba.zaproxy.org");

private static final Logger LOGGER = LogManager.getLogger(CloudMetadataScanRule.class);
private static final Map<String, String> ALERT_TAGS;

@@ -63,6 +58,75 @@ public class CloudMetadataScanRule extends AbstractHostPlugin implements CommonA
ALERT_TAGS = Collections.unmodifiableMap(alertTags);
}

private enum CloudProvider {
AWS(
List.of(
new Endpoint("169.254.169.254", "/latest/meta-data/", Map.of()),
new Endpoint("aws.zaproxy.org", "/latest/meta-data/", Map.of())),
Set.of("ami-id", "instance-id", "local-hostname", "public-hostname")),
GCP(
List.of(
new Endpoint(
"169.254.169.254",
"/computeMetadata/v1/",
Map.of("Metadata-Flavor", "Google")),
new Endpoint(
"metadata.google.internal",
"/computeMetadata/v1/",
Map.of("Metadata-Flavor", "Google"))),
Set.of("project-id", "zone", "machineType", "hostname")),
OCI(
List.of(
new Endpoint("169.254.169.254", "/opc/v1/instance/", Map.of()),
new Endpoint("metadata.oraclecloud.com", "/opc/v1/instance/", Map.of())),
Set.of("oci", "instance", "availabilityDomain", "region")),
ALIBABA_CLOUD(
List.of(
new Endpoint("100.100.100.200", "/latest/meta-data/", Map.of()),
new Endpoint("alibaba.zaproxy.org", "/latest/meta-data/", Map.of())),
Set.of("image-id", "instance-id", "hostname", "region-id")),
AZURE(
List.of(
new Endpoint(
"169.254.169.254",
"/metadata/instance",
Map.of("Metadata", "true"))),
Set.of("compute", "network", "osType", "vmSize"));

private final List<Endpoint> endpoints;
private final Set<String> indicators;

CloudProvider(List<Endpoint> endpoints, Set<String> indicators) {
this.endpoints = endpoints;
this.indicators = indicators;
}

public List<Endpoint> getEndpoints() {
return endpoints;
}

public boolean containsMetadataIndicators(String responseBody) {
for (String indicator : indicators) {
if (responseBody.contains(indicator)) {
return true;
}
}
return false;
}

private static class Endpoint {
String host;
String path;
Map<String, String> headers;

Endpoint(String host, String path, Map<String, String> headers) {
this.host = host;
this.path = path;
this.headers = headers;
}
}
}

@Override
public int getId() {
return PLUGIN_ID;
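Review bot: `containsMetadataIndicators` returns true on the first substring hit, and several indicators are ordinary words (`zone`, `instance`, `hostname`, `region`, `compute`, `network`, and `oci`, which is a substring of words such as `sociology` or `velocity`), so any non-empty 200 response from an application that happens to echo one of them will still raise a MEDIUM alert; that undercuts the false-positive fix this change is meant to deliver (Issue 8514). Consider requiring two or more indicators, anchoring on provider-specific tokens such as `ami-id` or `availabilityDomain`, or matching on key boundaries rather than bare `contains`. Two smaller points: the `Endpoint` fields are mutable and package-visible, and `private final` would match the rest of the enum; and the real Azure IMDS requires an `api-version` query parameter, so the `/metadata/instance` path without one is answered with a 400, meaning a target that faithfully proxies the request yields `isSuccess` false and the Azure probe never fires. Appending `?api-version=<version>` (with a version the Azure documentation lists) would make that probe meaningful.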
@@ -105,26 +169,35 @@ public Map<String, String> getAlertTags() {

public AlertBuilder createAlert(HttpMessage newRequest, String host) {
return newAlert()
.setConfidence(Alert.CONFIDENCE_LOW)
.setConfidence(Alert.CONFIDENCE_MEDIUM)
.setAttack(host)
.setOtherInfo(Constant.messages.getString(MESSAGE_PREFIX + "otherinfo"))
.setMessage(newRequest);
}

@Override
public void scan() {
HttpMessage newRequest = getNewMsg();
for (String host : METADATA_HOSTS) {
try {
newRequest.getRequestHeader().getURI().setPath(METADATA_PATH);
newRequest.setUserObject(Collections.singletonMap("host", host));
sendAndReceive(newRequest, false);
if (isSuccess(newRequest) && newRequest.getResponseBody().length() > 0) {
this.createAlert(newRequest, host).raise();
return;
for (CloudProvider provider : CloudProvider.values()) {
for (CloudProvider.Endpoint endpoint : provider.getEndpoints()) {
HttpMessage newRequest = getNewMsg();
try {
newRequest.getRequestHeader().getURI().setPath(endpoint.path);
newRequest.setUserObject(Collections.singletonMap("host", endpoint.host));
for (Map.Entry<String, String> header : endpoint.headers.entrySet()) {
newRequest.getRequestHeader().setHeader(header.getKey(), header.getValue());
}
sendAndReceive(newRequest, false);
if (isSuccess(newRequest) && newRequest.getResponseBody().length() > 0) {
String responseBody = newRequest.getResponseBody().toString();
if (provider.containsMetadataIndicators(responseBody)) {
this.createAlert(newRequest, endpoint.host).raise();
return;
}
}
} catch (Exception e) {
LOGGER.warn(
"Error sending request to {}: {}", endpoint.host, e.getMessage(), e);
}
} catch (Exception e) {
LOGGER.warn("Error sending URL {}", newRequest.getRequestHeader().getURI(), e);
}
}
}
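Review bot: creating `newRequest` with `getNewMsg()` inside the inner loop is the right fix, since the per-provider headers (`Metadata-Flavor`, `Metadata`) would otherwise leak from one provider's probe into the next; a short comment would stop someone hoisting it back out. Two behaviours to confirm: `setHeader` overwrites, so a same-named header on the original message is silently replaced, which is fine here but should be intentional; and the `return` after the first raised alert means only one provider is ever reported, so a host reachable through several providers' endpoints yields a single alert naming whichever enum constant comes first (AWS). If that is intended, state it in the help text; otherwise collect all matches before returning. The new `LOGGER.warn` also drops the full URI the old message reported; logging `endpoint.path` alongside `endpoint.host` keeps the diagnostic equivalent.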
Original file line number Diff line number Diff line change
@@ -178,7 +178,9 @@ <h2 id="id-40035">Hidden File Finder</h2>
The original included set of payloads were based on <a href="https://github.com/hannob/snallygaster">Snallygaster</a> by Hanno Böck.
Such payloads are verified by checking response code, and content. If the response code is 200 (Ok) then additional content checks are performed to increase alert confidence.
If the response code is 401 (Unauthorized) or 403 (Forbidden) or the content checks are un-successful then an alert is raised with lower confidence (at LOW Threshold).
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
<br>
The Custom Payloads category for this rule is: <code>Hidden-File</code>.<br>
For custom payloads only the response status code is checked. If there is a requirement to include a content check then it is also possible to add payloads to
the <code>json/hidden_files.json</code> file in ZAP's user directory (in which case they will be treated as included payloads).
<p>
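Review bot: the new `The Custom Payloads category for this rule is: <code>Hidden-File</code>.` line documents a value that must match the category string the rule registers with the Custom Payloads add-on; that registration is not in this diff, so verify the two agree, since a mismatch silently means user payloads are never picked up. The `addon` to `add-on` change is correct and consistent with the User Agent Fuzzer section. The unchanged context still has `un-successful` and `(Ok)`, which could be cleaned up to `unsuccessful` and `(OK)` while this file is open.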
@@ -443,7 +445,9 @@ <h2 id="id-40029">Trace.axd Information Leak</h2>

<h2 id="id-10104">User Agent Fuzzer</h2>
This active scan rule checks for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). The rule compares the response statuscode and the hashcode of the response body with the original response.<br>
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<br>
The Custom Payloads category for this rule is: <code>User-Agent</code>.
<p>
Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/UserAgentScanRule.java">UserAgentScanRule.java</a>
<br>
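Review bot: the same cross-check applies to `<code>User-Agent</code>`: make sure it matches the category the User Agent scan rule registers with the Custom Payloads add-on. The nearby context lines still read `eg.` and `statuscode`; `e.g.` and `status code` would be worth fixing in the same pass.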
Original file line number Diff line number Diff line change
@@ -178,7 +178,9 @@ <h2 id="id-40035">Hidden File Finder</h2>
The original included set of payloads were based on <a href="https://github.com/hannob/snallygaster">Snallygaster</a> by Hanno Böck.
Such payloads are verified by checking response code, and content. If the response code is 200 (Ok) then additional content checks are performed to increase alert confidence.
If the response code is 401 (Unauthorized) or 403 (Forbidden) or the content checks are un-successful then an alert is raised with lower confidence (at LOW Threshold).
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
<br>
The Custom Payloads category for this rule is: <code>Hidden-File</code>.<br>
For custom payloads only the response status code is checked. If there is a requirement to include a content check then it is also possible to add payloads to
the <code>json/hidden_files.json</code> file in ZAP's user directory (in which case they will be treated as included payloads).
<p>
@@ -443,7 +445,9 @@ <h2 id="id-40029">Trace.axd Information Leak</h2>

<h2 id="id-10104">User Agent Fuzzer</h2>
This active scan rule checks for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). The rule compares the response statuscode and the hashcode of the response body with the original response.<br>
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<br>
The Custom Payloads category for this rule is: <code>User-Agent</code>.
<p>
Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/UserAgentScanRule.java">UserAgentScanRule.java</a>
<br>
Original file line number Diff line number Diff line change
@@ -178,7 +178,9 @@ <h2 id="id-40035">Hidden File Finder</h2>
The original included set of payloads were based on <a href="https://github.com/hannob/snallygaster">Snallygaster</a> by Hanno Böck.
Such payloads are verified by checking response code, and content. If the response code is 200 (Ok) then additional content checks are performed to increase alert confidence.
If the response code is 401 (Unauthorized) or 403 (Forbidden) or the content checks are un-successful then an alert is raised with lower confidence (at LOW Threshold).
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
<br>
The Custom Payloads category for this rule is: <code>Hidden-File</code>.<br>
For custom payloads only the response status code is checked. If there is a requirement to include a content check then it is also possible to add payloads to
the <code>json/hidden_files.json</code> file in ZAP's user directory (in which case they will be treated as included payloads).
<p>
@@ -443,7 +445,9 @@ <h2 id="id-40029">Trace.axd Information Leak</h2>

<h2 id="id-10104">User Agent Fuzzer</h2>
This active scan rule checks for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). The rule compares the response statuscode and the hashcode of the response body with the original response.<br>
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<br>
The Custom Payloads category for this rule is: <code>User-Agent</code>.
<p>
Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/UserAgentScanRule.java">UserAgentScanRule.java</a>
<br>
Original file line number Diff line number Diff line change
@@ -178,7 +178,9 @@ <h2 id="id-40035">Hidden File Finder</h2>
The original included set of payloads were based on <a href="https://github.com/hannob/snallygaster">Snallygaster</a> by Hanno Böck.
Such payloads are verified by checking response code, and content. If the response code is 200 (Ok) then additional content checks are performed to increase alert confidence.
If the response code is 401 (Unauthorized) or 403 (Forbidden) or the content checks are un-successful then an alert is raised with lower confidence (at LOW Threshold).
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
<br>
The Custom Payloads category for this rule is: <code>Hidden-File</code>.<br>
For custom payloads only the response status code is checked. If there is a requirement to include a content check then it is also possible to add payloads to
the <code>json/hidden_files.json</code> file in ZAP's user directory (in which case they will be treated as included payloads).
<p>
@@ -443,7 +445,9 @@ <h2 id="id-40029">Trace.axd Information Leak</h2>

<h2 id="id-10104">User Agent Fuzzer</h2>
This active scan rule checks for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). The rule compares the response statuscode and the hashcode of the response body with the original response.<br>
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<br>
The Custom Payloads category for this rule is: <code>User-Agent</code>.
<p>
Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/UserAgentScanRule.java">UserAgentScanRule.java</a>
<br>
Original file line number Diff line number Diff line change
@@ -178,7 +178,9 @@ <h2 id="id-40035">Hidden File Finder</h2>
The original included set of payloads were based on <a href="https://github.com/hannob/snallygaster">Snallygaster</a> by Hanno Böck.
Such payloads are verified by checking response code, and content. If the response code is 200 (Ok) then additional content checks are performed to increase alert confidence.
If the response code is 401 (Unauthorized) or 403 (Forbidden) or the content checks are un-successful then an alert is raised with lower confidence (at LOW Threshold).
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
<br>
The Custom Payloads category for this rule is: <code>Hidden-File</code>.<br>
For custom payloads only the response status code is checked. If there is a requirement to include a content check then it is also possible to add payloads to
the <code>json/hidden_files.json</code> file in ZAP's user directory (in which case they will be treated as included payloads).
<p>
@@ -443,7 +445,9 @@ <h2 id="id-40029">Trace.axd Information Leak</h2>

<h2 id="id-10104">User Agent Fuzzer</h2>
This active scan rule checks for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). The rule compares the response statuscode and the hashcode of the response body with the original response.<br>
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<br>
The Custom Payloads category for this rule is: <code>User-Agent</code>.
<p>
Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/UserAgentScanRule.java">UserAgentScanRule.java</a>
<br>
Original file line number Diff line number Diff line change
@@ -178,7 +178,9 @@ <h2 id="id-40035">Hidden File Finder</h2>
The original included set of payloads were based on <a href="https://github.com/hannob/snallygaster">Snallygaster</a> by Hanno Böck.
Such payloads are verified by checking response code, and content. If the response code is 200 (Ok) then additional content checks are performed to increase alert confidence.
If the response code is 401 (Unauthorized) or 403 (Forbidden) or the content checks are un-successful then an alert is raised with lower confidence (at LOW Threshold).
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
<br>
The Custom Payloads category for this rule is: <code>Hidden-File</code>.<br>
For custom payloads only the response status code is checked. If there is a requirement to include a content check then it is also possible to add payloads to
the <code>json/hidden_files.json</code> file in ZAP's user directory (in which case they will be treated as included payloads).
<p>
@@ -443,7 +445,9 @@ <h2 id="id-40029">Trace.axd Information Leak</h2>

<h2 id="id-10104">User Agent Fuzzer</h2>
This active scan rule checks for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). The rule compares the response statuscode and the hashcode of the response body with the original response.<br>
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<br>
The Custom Payloads category for this rule is: <code>User-Agent</code>.
<p>
Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/UserAgentScanRule.java">UserAgentScanRule.java</a>
<br>
Original file line number Diff line number Diff line change
@@ -178,7 +178,9 @@ <h2 id="id-40035">Hidden File Finder</h2>
The original included set of payloads were based on <a href="https://github.com/hannob/snallygaster">Snallygaster</a> by Hanno Böck.
Such payloads are verified by checking response code, and content. If the response code is 200 (Ok) then additional content checks are performed to increase alert confidence.
If the response code is 401 (Unauthorized) or 403 (Forbidden) or the content checks are un-successful then an alert is raised with lower confidence (at LOW Threshold).
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
<br>
The Custom Payloads category for this rule is: <code>Hidden-File</code>.<br>
For custom payloads only the response status code is checked. If there is a requirement to include a content check then it is also possible to add payloads to
the <code>json/hidden_files.json</code> file in ZAP's user directory (in which case they will be treated as included payloads).
<p>
@@ -443,7 +445,9 @@ <h2 id="id-40029">Trace.axd Information Leak</h2>

<h2 id="id-10104">User Agent Fuzzer</h2>
This active scan rule checks for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). The rule compares the response statuscode and the hashcode of the response body with the original response.<br>
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<br>
The Custom Payloads category for this rule is: <code>User-Agent</code>.
<p>
Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/UserAgentScanRule.java">UserAgentScanRule.java</a>
<br>
Original file line number Diff line number Diff line change
@@ -178,7 +178,9 @@ <h2 id="id-40035">Hidden File Finder</h2>
The original included set of payloads were based on <a href="https://github.com/hannob/snallygaster">Snallygaster</a> by Hanno Böck.
Such payloads are verified by checking response code, and content. If the response code is 200 (Ok) then additional content checks are performed to increase alert confidence.
If the response code is 401 (Unauthorized) or 403 (Forbidden) or the content checks are un-successful then an alert is raised with lower confidence (at LOW Threshold).
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
<br>
The Custom Payloads category for this rule is: <code>Hidden-File</code>.<br>
For custom payloads only the response status code is checked. If there is a requirement to include a content check then it is also possible to add payloads to
the <code>json/hidden_files.json</code> file in ZAP's user directory (in which case they will be treated as included payloads).
<p>
@@ -443,7 +445,9 @@ <h2 id="id-40029">Trace.axd Information Leak</h2>

<h2 id="id-10104">User Agent Fuzzer</h2>
This active scan rule checks for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). The rule compares the response statuscode and the hashcode of the response body with the original response.<br>
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<br>
The Custom Payloads category for this rule is: <code>User-Agent</code>.
<p>
Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/UserAgentScanRule.java">UserAgentScanRule.java</a>
<br>
Original file line number Diff line number Diff line change
@@ -178,7 +178,9 @@ <h2 id="id-40035">Hidden File Finder</h2>
The original included set of payloads were based on <a href="https://github.com/hannob/snallygaster">Snallygaster</a> by Hanno Böck.
Such payloads are verified by checking response code, and content. If the response code is 200 (Ok) then additional content checks are performed to increase alert confidence.
If the response code is 401 (Unauthorized) or 403 (Forbidden) or the content checks are un-successful then an alert is raised with lower confidence (at LOW Threshold).
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
<br>
The Custom Payloads category for this rule is: <code>Hidden-File</code>.<br>
For custom payloads only the response status code is checked. If there is a requirement to include a content check then it is also possible to add payloads to
the <code>json/hidden_files.json</code> file in ZAP's user directory (in which case they will be treated as included payloads).
<p>
@@ -443,7 +445,9 @@ <h2 id="id-40029">Trace.axd Information Leak</h2>

<h2 id="id-10104">User Agent Fuzzer</h2>
This active scan rule checks for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). The rule compares the response statuscode and the hashcode of the response body with the original response.<br>
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<br>
The Custom Payloads category for this rule is: <code>User-Agent</code>.
<p>
Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/UserAgentScanRule.java">UserAgentScanRule.java</a>
<br>
Original file line number Diff line number Diff line change
@@ -178,7 +178,9 @@ <h2 id="id-40035">Hidden File Finder</h2>
The original included set of payloads were based on <a href="https://github.com/hannob/snallygaster">Snallygaster</a> by Hanno Böck.
Such payloads are verified by checking response code, and content. If the response code is 200 (Ok) then additional content checks are performed to increase alert confidence.
If the response code is 401 (Unauthorized) or 403 (Forbidden) or the content checks are un-successful then an alert is raised with lower confidence (at LOW Threshold).
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
<br>
The Custom Payloads category for this rule is: <code>Hidden-File</code>.<br>
For custom payloads only the response status code is checked. If there is a requirement to include a content check then it is also possible to add payloads to
the <code>json/hidden_files.json</code> file in ZAP's user directory (in which case they will be treated as included payloads).
<p>
@@ -443,7 +445,9 @@ <h2 id="id-40029">Trace.axd Information Leak</h2>

<h2 id="id-10104">User Agent Fuzzer</h2>
This active scan rule checks for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). The rule compares the response statuscode and the hashcode of the response body with the original response.<br>
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<br>
The Custom Payloads category for this rule is: <code>User-Agent</code>.
<p>
Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/UserAgentScanRule.java">UserAgentScanRule.java</a>
<br>
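Review bot: same paragraph-level nits as the Hidden File Finder hunk: the unchanged description line uses `eg.`, `statuscode` and `hashcode`; while the note is being rewritten please also change these to `e.g.`, `status code` and `hash code`. The `add-on` spelling and the new `User-Agent` category line are consistent with the Hidden File Finder section.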
Original file line number Diff line number Diff line change
@@ -154,8 +154,10 @@ <h2 id="id-40035">隐藏文件查找器</h2>。
最初包含的有效负载基于汉诺-博克(Hanno Böck)的<a href="https://github.com/hannob/snallygaster">Snallygaster</a>
此类有效负载通过检查响应代码和内容进行验证。 如果响应代码为 200(OK),则会执行额外的内容检查,以提高警报的可信度。
如果响应代码为 401(未授权)或 403(禁止)或内容检查不成功,则会以较低的置信度(低阈值)发出警报。
<strong>注意:</strong>如果安装了自定义有效负载插件,则可以在自定义有效负载选项面板中添加自己的隐藏文件路径(有效负载)。
对于自定义有效负载,只检查响应状态代码。 如果需要包含内容检查,也可以将有效负载添加到 ZAP用户目录中的<code>json/hidden_files.json</code>文件中添加有效负载(在这种情况下,它们将被视为包含的有效负载)。
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
<br>
The Custom Payloads category for this rule is: <code>Hidden-File</code>.<br>
For custom payloads only the response status code is checked. 如果需要包含内容检查,也可以将有效负载添加到 ZAP用户目录中的<code>json/hidden_files.json</code>文件中添加有效负载(在这种情况下,它们将被视为包含的有效负载)。
<p>
下面介绍 JSON 条目的字段。
<pre><code>
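Review bot: this hunk replaces the translated zh note (`<strong>注意:</strong>...`) with English text, and the resulting line `For custom payloads only the response status code is checked. 如果需要包含内容检查...` is half English, half Chinese; the retained Chinese half also still carries the doubled `添加到 ... 文件中添加有效负载`. Suggest keeping the existing Chinese note line and inserting only the new category line (`The Custom Payloads category for this rule is: <code>Hidden-File</code>.<br>`), or leaving this localised file untouched and letting it be re-translated from the English source rather than hand-mixing the two languages.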
@@ -388,8 +390,10 @@ <h2 id="id-40029">Trace.axd 信息泄露</h2>
警报 ID: <a href="https://www.zaproxy.org/docs/alerts/40029/">40029</a>.

<h2 id="id-10104">用户代理模糊器 (Fuzzer)</h2>
此活动扫描规则根据模糊用户代理检查响应的差异(例如: 移动网站,作为搜索引擎爬虫访问)。 该规则将响应状态代码和响应正文的哈希代码与原始响应进行比较。
<strong>注意:</strong>如果安装了自定义负载插件,则可以在自定义负载选项面板中添加自己的用户代理字符串(负载)。
此活动扫描规则根据模糊用户代理检查响应的差异(例如: 移动网站,作为搜索引擎爬虫访问)。 The rule compares the response statuscode and the hashcode of the response body with the original response.<br>
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<br>
The Custom Payloads category for this rule is: <code>User-Agent</code>.
<p>
最新代码: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/UserAgentScanRule.java">UserAgentScanRule.java</a>
<br>
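Review bot: same mixed-language problem as the first hunk in this file: the new description line starts in Chinese (`此活动扫描规则根据模糊用户代理检查响应的差异...`) and finishes in English (`The rule compares the response statuscode...`), and the translated `注意:` note is dropped in favour of the English one. Either keep the two removed Chinese lines and add only the `<br>` plus the `User-Agent` category line, or replace the whole paragraph with English consistently; a sentence that switches language mid-way is worse than either.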
Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

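Review bot: dropping the trailing period from `ascanrules.log4shell.skipped` is only right if the string is rendered as a fragment; it already starts with lowercase `no`, which suggests it is appended after some prefix (a `Skipped:` label, for example; that is an assumption, the prefix is not visible here), and in that case the change is consistent. If the message is ever shown standalone it should instead be capitalised and keep the period. Please confirm which applies, since the same edit is repeated in the locale copies below.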
Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Actualiza Log4j2 a la versi\u00f3n 2.17.1 o una superior.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no se ha seleccionado ning\u00fan servicio de Escaneo Activo OAST.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Reglas de Escaneo Activas
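Review bot: this hunk drops the Spanish translation rather than only the trailing period: `no se ha seleccionado ning\u00fan servicio de Escaneo Activo OAST.` becomes the English source string `no Active Scan OAST service is selected`. If the intent is just to remove the double dot, keep the translated text and delete its final `.`; otherwise Spanish users see an untranslated skip message until the string is retranslated.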

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = R\u00e8gles d'analyse active

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Regole di Scansione Attiva

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = \u041e\u0431\u043d\u043e\u0432\u0438\u0442\u0435 Log4j2 \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 2.17.1 \u0438\u043b\u0438 \u043d\u043e\u0432\u0435\u0435.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = \u041f\u0440\u0430\u0432\u0438\u043b\u0430 \u0430\u043a\u0442\u0438\u0432\u043d\u043e\u0433\u043e \u0441\u043a\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = \u041e\u043d\u043e\u0432\u0456\u0442\u044c Log4j2 \u0434\u043e \u0432\u0435\u0440\u0441\u0456\u0457 2.17.1 \u0430\u0431\u043e \u0432\u0438\u0449\u0435.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = \u043d\u0435 \u0432\u0438\u0431\u0440\u0430\u043d\u043e \u0441\u043b\u0443\u0436\u0431\u0443 Active Scan OAST.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = \u041f\u0440\u0430\u0432\u0438\u043b\u0430 \u0430\u043a\u0442\u0438\u0432\u043d\u043e\u0433\u043e \u0441\u043a\u0430\u043d\u0443\u0432\u0430\u043d\u043d\u044f
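Review bot: same regression as in the Spanish file: the Ukrainian `ascanrules.log4shell.skipped` (`\u043d\u0435 \u0432\u0438\u0431\u0440\u0430\u043d\u043e \u0441\u043b\u0443\u0436\u0431\u0443 Active Scan OAST.`) is replaced by the English source string instead of the same text without the trailing `.`. Unless the translation workflow will repopulate it, keep the Ukrainian text and only drop the period.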

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = \u5c06 Log4j2 \u5347\u7ea7\u5230\u7248\u672c 2.17.1 \u6216\u66f4\u65b0\u7248\u672c\u3002
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = \u672a\u9009\u62e9\u4e3b\u52a8\u626b\u63cf OAST \u670d\u52a1\u3002
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = \u4e3b\u52a8\u626b\u63cf\u89c4\u5219
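Review bot: the Simplified Chinese `ascanrules.log4shell.skipped` (`\u672a\u9009\u62e9\u4e3b\u52a8\u626b\u63cf OAST \u670d\u52a1\u3002`) is overwritten with the English `no Active Scan OAST service is selected`. The surrounding `soln` and `name` keys in this file stay translated, so the skip message becomes the one English string in an otherwise Chinese rule; if only the trailing punctuation is the problem, drop the final `\u3002` and keep the translation.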

Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ ascanrules.log4shell.cve45046.name = Log4Shell (CVE-2021-45046)
ascanrules.log4shell.cve45046.refs = https\://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps\://nvd.nist.gov/vuln/detail/CVE-2021-45046
ascanrules.log4shell.cve45046.soln = Upgrade Log4j2 to version 2.17.1 or newer.
ascanrules.log4shell.name = Log4Shell
ascanrules.log4shell.skipped = no Active Scan OAST service is selected.
ascanrules.log4shell.skipped = no Active Scan OAST service is selected

ascanrules.name = Active Scan Rules

Original file line number Diff line number Diff line change
@@ -71,10 +71,8 @@ void shouldNotAlertIfResponseIsNot200Ok() throws Exception {
strings = {
"169.254.169.254",
"aws.zaproxy.org",
"100.100.100.200",
"alibaba.zaproxy.org"
})
void shouldAlertIfResponseIs200Ok(String host) throws Exception {
void shouldAlertIfResponseIs200OkAWS(String host) throws Exception {
// Given
String path = "/latest/meta-data/";
// https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
@@ -88,7 +86,74 @@ void shouldAlertIfResponseIs200Ok(String host) throws Exception {
assertThat(alertsRaised, hasSize(1));
Alert alert = alertsRaised.get(0);
assertEquals(Alert.RISK_HIGH, alert.getRisk());
assertEquals(Alert.CONFIDENCE_LOW, alert.getConfidence());
assertEquals(Alert.CONFIDENCE_MEDIUM, alert.getConfidence());
assertEquals(host, alert.getAttack());
}

@ParameterizedTest
@ValueSource(
strings = {
"100.100.100.200",
"alibaba.zaproxy.org",
})
void shouldAlertIfResponseIs200OkAlibabaCloud(String host) throws Exception {
// Given
String path = "/latest/meta-data/";
String body = "image-id\ninstance-id";
this.nano.addHandler(createHandler(path, Response.Status.OK, body, host));
HttpMessage msg = this.getHttpMessage(path);
rule.init(msg, this.parent);
// When
rule.scan();
// Then
assertThat(alertsRaised, hasSize(1));
Alert alert = alertsRaised.get(0);
assertEquals(Alert.RISK_HIGH, alert.getRisk());
assertEquals(Alert.CONFIDENCE_MEDIUM, alert.getConfidence());
assertEquals(host, alert.getAttack());
}

@ParameterizedTest
@ValueSource(
strings = {
"169.254.169.254",
})
void shouldAlertIfResponseIs200OkGCP(String host) throws Exception {
// Given
String path = "/computeMetadata/v1/";
String body = "project-id";
this.nano.addHandler(createHandler(path, Response.Status.OK, body, host));
HttpMessage msg = this.getHttpMessage(path);
rule.init(msg, this.parent);
// When
rule.scan();
// Then
assertThat(alertsRaised, hasSize(1));
Alert alert = alertsRaised.get(0);
assertEquals(Alert.RISK_HIGH, alert.getRisk());
assertEquals(Alert.CONFIDENCE_MEDIUM, alert.getConfidence());
assertEquals(host, alert.getAttack());
}

@ParameterizedTest
@ValueSource(
strings = {
"169.254.169.254",
})
void shouldAlertIfResponseIs200OkAzure(String host) throws Exception {
// Given
String path = "/metadata/instance";
String body = "osType";
this.nano.addHandler(createHandler(path, Response.Status.OK, body, host));
HttpMessage msg = this.getHttpMessage(path);
rule.init(msg, this.parent);
// When
rule.scan();
// Then
assertThat(alertsRaised, hasSize(1));
Alert alert = alertsRaised.get(0);
assertEquals(Alert.RISK_HIGH, alert.getRisk());
assertEquals(Alert.CONFIDENCE_MEDIUM, alert.getConfidence());
assertEquals(host, alert.getAttack());
}
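Review bot: the new GCP and Azure tests only check that a 200 response with a matching body raises an alert; the handler never inspects the request the rule sent. The real GCP endpoint `/computeMetadata/v1/` rejects requests without a `Metadata-Flavor: Google` header, and Azure's `/metadata/instance` requires `Metadata: true` plus an `api-version` query parameter, so a rule that omits them would pass these tests yet get an error from the actual metadata services. Consider having `createHandler` (or a variant) assert on those request attributes. Minor: the four methods repeat the same `// Then` block (`hasSize(1)`, `RISK_HIGH`, `CONFIDENCE_MEDIUM`, `getAttack()`), which could be a shared helper, and the single-value `@ValueSource` on the GCP and Azure tests could be a plain `@Test`.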

@@ -122,7 +187,7 @@ void shouldReturnExpectedExampleAlert() {
assertThat(alerts.size(), is(equalTo(1)));
Alert alert1 = alerts.get(0);
assertThat(alert1.getRisk(), is(equalTo(Alert.RISK_HIGH)));
assertThat(alert1.getConfidence(), is(equalTo(Alert.CONFIDENCE_LOW)));
assertThat(alert1.getConfidence(), is(equalTo(Alert.CONFIDENCE_MEDIUM)));
}

private static NanoServerHandler createHandler(
1 change: 1 addition & 0 deletions addOns/ascanrulesBeta/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -9,6 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- The following scan rules now use more specific CWE IDs:
- Proxy Disclosure (Issue 8713)
- Possible Username Enumeration (Issue 8715)
- Remove double dot in skipped message of scan rules that use the Active Scan OAST service.
- The Shell Shock scan rule now has the TEST_TIMING alert tag.

### Fixed
Original file line number Diff line number Diff line change
@@ -123,7 +123,7 @@ ascanbeta.noanticsrftokens.desc = No Anti-CSRF tokens were found in a HTML submi
ascanbeta.noanticsrftokens.name = Absence of Anti-CSRF Tokens

ascanbeta.oobxss.name = Out of Band XSS
ascanbeta.oobxss.skipped = no Active Scan OAST service is selected.
ascanbeta.oobxss.skipped = no Active Scan OAST service is selected

ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.
ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated.
@@ -232,13 +232,13 @@ ascanbeta.ssrf.desc = The web server receives a remote address and retrieves the
ascanbeta.ssrf.name = Server Side Request Forgery
ascanbeta.ssrf.otherinfo.canaryinbody = The canary token from the out-of-band service was found in the response body.
ascanbeta.ssrf.refs = https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
ascanbeta.ssrf.skipped = no Active Scan OAST service is selected.
ascanbeta.ssrf.skipped = no Active Scan OAST service is selected
ascanbeta.ssrf.soln = Do not accept remote addresses as request parameters, and if you must, ensure that they are validated against an allow-list of expected values.

ascanbeta.text4shell.desc = Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults.Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded.The application has been shown to initial contact with remote servers via variable interpolation and may well be vulnerable to Remote Code Execution (RCE).
ascanbeta.text4shell.name = Text4shell (CVE-2022-42889)
ascanbeta.text4shell.refs = https://nvd.nist.gov/vuln/detail/CVE-2022-42889\nhttps://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/
ascanbeta.text4shell.skipped = no Active Scan OAST service is selected.
ascanbeta.text4shell.skipped = no Active Scan OAST service is selected
ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer.

ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field: [{1}] and monitor the output
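Review bot: dropping the trailing period from the two `skipped` messages is fine, but two unchanged lines in this hunk carry wording defects that belong in the same cleanup: `ascanbeta.text4shell.desc` runs its sentences together without spaces ("defaults.Apache", "expanded.The") and says "shown to initial contact with remote servers" where "initiate contact" is meant, and `ascanbeta.text4shell.soln` reads "Upgrade Apache Commons Text prior to version 1.10.0 or newer.", which contradicts the desc (versions prior to 1.10.0 are the affected ones); it should read "Upgrade Apache Commons Text to version 1.10.0 or newer."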
4 changes: 4 additions & 0 deletions addOns/authhelper/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -4,6 +4,9 @@ All notable changes to this add-on will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased


## [0.17.0] - 2025-01-09
### Changed
- Update minimum ZAP version to 2.16.0.
- Depend on Passive Scanner add-on (Issue 7959).
@@ -117,6 +120,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
### Added
- Support of authentication request identification and configuration.

[0.17.0]: https://github.com/zaproxy/zap-extensions/releases/authhelper-v0.17.0
[0.16.0]: https://github.com/zaproxy/zap-extensions/releases/authhelper-v0.16.0
[0.15.1]: https://github.com/zaproxy/zap-extensions/releases/authhelper-v0.15.1
[0.15.0]: https://github.com/zaproxy/zap-extensions/releases/authhelper-v0.15.0
2 changes: 1 addition & 1 deletion addOns/authhelper/gradle.properties
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
version=0.17.0
version=0.18.0
release=false
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = اختبار

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
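Review bot: the two new keys, `authhelper.client.desc` and `authhelper.client.name`, are added in English to this Arabic bundle (the hunk header context `tab.test = اختبار` shows the locale), and the identical English text is repeated in every other locale bundle in this diff. That is acceptable as a fallback, but confirm whether the translated bundles are meant to be edited by hand in this repository; if they are synced from a translation service the English copies are redundant and will be replaced on the next sync. Also, "browser based" in the desc should be hyphenated as "browser-based" before the string is sent out for translation.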
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Prueba

authhelper.auth.test.dialog.title = Tester de autenticación

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Ayuda de Autenticación

authhelper.name = Ayuda de Autenticación
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Ang pagsubok

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Teszt

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Uji

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = テスト

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Teste

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Тест

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Tester Autentifikacije

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Перевірити

authhelper.auth.test.dialog.title = Тестувальник автентифікації

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Помічник автентифікації

authhelper.name = Помічник автентифікації
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = 测试

authhelper.auth.test.dialog.title = 身份验证测试器

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = 身份验证助手

authhelper.name = 身份验证助手
Original file line number Diff line number Diff line change
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = 測試

authhelper.auth.test.dialog.title = Authentication Tester

authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
authhelper.client.name = Client Spider Browser Based Authentication Support

authhelper.desc = Authentication Helper

authhelper.name = Authentication Helper
5 changes: 5 additions & 0 deletions addOns/automation/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -4,6 +4,10 @@ All notable changes to this add-on will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased
### Fixed
- Address malformed HTML in the help.

## [0.44.0] - 2025-01-09
### Added
- Active scan policy job.
- Add job to configure the active scanner, `activeScan-config`.
@@ -451,6 +455,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

- First version.

[0.44.0]: https://github.com/zaproxy/zap-extensions/releases/automation-v0.44.0
[0.43.0]: https://github.com/zaproxy/zap-extensions/releases/automation-v0.43.0
[0.42.0]: https://github.com/zaproxy/zap-extensions/releases/automation-v0.42.0
[0.41.0]: https://github.com/zaproxy/zap-extensions/releases/automation-v0.41.0
2 changes: 1 addition & 1 deletion addOns/automation/gradle.properties
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
version=0.44.0
version=0.45.0
release=false
Original file line number Diff line number Diff line change
@@ -86,7 +86,7 @@ <H3>Importance of Job Order</H3>
<ul>
<li>there is no point putting a passiveScan-wait job before any sort of spidering or importing</li>
<li>configuring an alertFilter job after alerts have been generated by passive or active scanning will have no effect on the Alerts that were raised by those components in earlier jobs</li>
</ul>>
</ul>

<p>
<a href="tests.html">Job tests</a> can be added to jobs to check that the jobs have performed as expected.
Original file line number Diff line number Diff line change
@@ -8,7 +8,9 @@
<BODY>
<H1>Automation Framework</H1>
This add-on provides a framework that allows ZAP to be automated in an easy and flexible way.
<p>

<H3><a name="command-line-options">Command Line Options</a></H3>

It provides the following command line options:
<ul>
<li>-autorun &lt;source&gt; Run the automation jobs specified in the file or from the URL.
@@ -17,57 +19,75 @@ <H1>Automation Framework</H1>
<li>-autogenconf &lt;filename&gt; Generate template automation file using the current configuration.
</ul>

If the <code>-autorun</code> option is used with the ZAP <code>-cmd</code> option then the ZAP exit value will be set as follows:
<H3><a name="exit-codes">Exit Codes</a></H3>
If the <code>-autorun</code> option is used with the ZAP <code>-cmd</code> option then the ZAP exit value will be set by default as follows:
<ul>
<li>0 - The plan completed successfully with no errors or warnings
<li>1 - The plan reported one or more errors
<li>2 - The plan reported no errors but one or more warnings
</ul>
These values can be overridden by the <a href="job-exitstatus.html">exitStatus</a> job.<br>
Whether the plan completed after encountering errors or warnings will depend on the settings used in the <a href="environment.html">environment</a>.
<p>

<H3><a name="usage">Usage</a></H3>
To use the automation framework:
<ol>
<li>Generate a template automation file using one of the <code>-autogen*</code> command line options
<li>Edit the file to match your requirements
<li>Run the file using the <code>-autorun</code> commandline option e.g. <code>./zap.sh -cmd -autorun config.yaml</code>
</ol>

<strong>Note:</strong> The Jobs are executed in the order in which they appear (top to bottom) within the Plan.
<p>
In most cases it is recommended to also use the <code>-cmd</code> command line option so that the ZAP desktop is not displayed
and ZAP exits as soon as it has finished generating or running the jobs defined in the file.
However you can choose to run Automation Framework jobs using the ZAP desktop to help you debug issues.

<H2>Authentication</H2>
<H2><a name="authentication">Authentication</a></H2>
The Automation Framework supports all of the <a href="authentication.html">authentication</a> mechanisms supported by ZAP.

<H2>GUI</H2>
<H2><a name="gui">GUI</a></H2>
A <a href="gui.html">GUI</a> is under development and provides an ever increasing set of features.

<H2>Options</H2>
<H2><a name="options">Options</a></H2>
The <a href="options.html">Automation Options</a> screen allows you to configure specific options.

<H2>API</H2>
<H2><a name="api">API</a></H2>
The following API endpoints are provided by this add-on:
<ul>
<li>Action: runPlan(filePath) - loads and asynchronously runs the plan in the specified file, returning a planId</li>
<li>View: planProgress(planId) - returns the progress details for the specified planId</li>
</ul>
If the ZAP desktop is being used then the plan will also be shown in the GUI to make it easier to diagnose any problems.

<H2>Environment</H2>
<H2><a name="environment">Environment</a></H2>
The <a href="environment.html">environment</a> section of the file defines the applications which the rest of the jobs can act on.

<H2>File Paths</H2>
<H2><a name="file-paths">File Paths</a></H2>
All file and directory paths can either be absolute or relative to the directory containing the plan.
Relative paths are recommended for portability.

<H2>Jobs</H2>
<H2><a name="jobs">Jobs</a></H2>
The jobs can be enabled/disabled through the GUI and the automation plan, with the <code>enabled</code> flag. Jobs are enabled by default.
<p>
The following automation jobs are supported by this add-on:
<ul>
<li><a href="job-ascanconfig.html">activeScan-config</a> - configures the active scanner</li>
<li><a href="job-ascanpolicy.html">activeScan-policy</a> - creates an active policy</li>
<li><a href="job-addons.html">addOns</a> - add-on management, now deprecated</li>
<li><a href="job-delay.html">delay</a> - pauses the plan for a specified period of time or a specific condition is met</li>
<li><a href="job-requestor.html">requestor</a> - crafts specific requests to send to the corresponding targets</li>
<li><a href="job-ascan.html">activeScan</a> - runs the active scanner</li>
<li><a href="job-exitstatus.html">exitStatus</a> - sets ZAP's exit code based on scan results</li>
</ul>

<H3>Importance of Job Order</H3>
The order of jobs is relevant and important. For example:
<ul>
<li>there is no point putting a passiveScan-wait job before any sort of spidering or importing</li>
<li>configuring an alertFilter job after alerts have been generated by passive or active scanning will have no effect on the Alerts that were raised by those components in earlier jobs</li>
</ul>>

<p>
<a href="tests.html">Job tests</a> can be added to jobs to check that the jobs have performed as expected.
<p>
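Review bot: the stray `>` after the "Importance of Job Order" list (`</ul>>`, two lines above the "Job tests" paragraph) is still present as an unchanged line in this file, even though the same typo is fixed in the other help page in this diff and the automation changelog entry claims malformed HTML in the help was addressed; change it to `</ul>` here as well. The new `<a name="...">` anchors on the headings match the file's HTML 3.2 style, and splitting the exit-code list out under its own "Exit Codes" heading reads well; the added "by default" in that sentence is justified by the `exitStatus` job reference that follows it.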
Original file line number Diff line number Diff line change
@@ -32,7 +32,7 @@ <H2>YAML</H2>
handleAntiCSRFTokens: # Bool: If set then automatically handle anti CSRF tokens, default: false
injectPluginIdInHeader: # Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false
scanHeadersAllRequests: # Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false
threadPerHost: # Int: The max number of threads per host, default: 2
threadPerHost: # Int: The max number of threads per host, default: 2 * Number of available processor cores
maxAlertsPerRule: # Int: Maximum number of alerts to raise per rule, default: 0 unlimited
policyDefinition: # The policy definition - only used if the 'policy' is not set
defaultStrength: # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
@@ -44,6 +44,12 @@ <H2>YAML</H2>
threshold: # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium
</pre>

<strong>Note</strong>: Unless the <code>defaultThreshold</code> of the <code>policyDefinition</code> is <code>OFF</code> all rules will be enabled to start with.

<p>
The policy can be one defined by a previous <a href="job-ascanpolicy.html">activeScan-policy</a> job, or by a scan policy file
that has been put in <code>policies</code> directory under ZAP's <a href="https://www.zaproxy.org/faq/what-is-the-default-directory-that-zap-uses/">HOME directory</a> .

<H2>Job Data</H2>
The following class will be made available to add-ons that provide access to the Job Data such as the Reporting add-on.
Note that in this case the data is from the last Active Scan, regardless of whether it was started by the Automation Framework, the UI, or the API.
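Review bot: the new note spells the threshold value as `OFF`, while the YAML comment two lines above lists the accepted values as `Off, Low, Medium, High`; use the same spelling so readers do not have to guess whether the value is case-sensitive. While in this area, the unchanged line below reads "put in <code>policies</code> directory" (missing "the") and has a stray space before the full stop after the HOME directory link.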
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>
Automation Framework - activeScan-config Job
</TITLE>
</HEAD>
<BODY>
<H1>Automation Framework - activeScan-config Job</H1>

This job configures the active scanner, for custom active scans (e.g. Sequence).

<H2>YAML</H2>

<pre>
- type: activeScan-config # Configures the settings of the active scanner.
parameters:
maxRuleDurationInMins: # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
maxScanDurationInMins: # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
maxAlertsPerRule: # Int: Maximum number of alerts to raise per rule, default: 0 unlimited
defaultPolicy: # String: The name of the default scan policy to use, default: Default Policy
handleAntiCSRFTokens: # Bool: If set then automatically handle anti CSRF tokens, default: false
injectPluginIdInHeader: # Bool: If set then the relevant rule ID will be injected into the X-ZAP-Scan-ID header of each request, default: false
threadPerHost: # Int: The max number of threads per host, default: 2
inputVectors: # The input vectors used during the active scan.
urlQueryStringAndDataDrivenNodes: # Configures the scanning of query parameters and DDNs.
enabled: # Bool: If query parameters and DDNs scanning should be enabled. Default: true
addParam: # Bool: If a query parameter should be added if none present. Default: false
odata: # Bool: If OData query filters should be scanned. Default: true
postData: # Configures the scanning of request bodies.
enabled: # Bool: If enabled. Default: true
multiPartFormData: # Bool: If multipart form data bodies should be scanned. Default: true
xml: # Bool: If XML bodies should be scanned. Default: true
json: # Configures the scanning of JSON bodies.
enabled: # Bool: If JSON scanning should be enabled. Default: true
scanNullValues: # Bool: If null values should be scanned. Default: false
googleWebToolkit: # Bool: If GWT scanning should be enabled. Default: false
directWebRemoting: # Bool: If DWR scanning should be enabled. Default: false
urlPath: # Bool: If URL path segments should be scanned. Default: false
httpHeaders: # Configures the scanning of HTTP headers.
enabled: # Bool: If HTTP header scanning should be enabled. Default: false
allRequests: # Bool: If set then the headers of requests that do not include any parameters will be scanned. Default: false
cookieData: # Configures the scanning of cookies.
enabled: # Bool: If enabled. Default: false
encodeCookieValues: # Bool: If cookie values should be encoded. Default: false
scripts: # Bool: If Input Vector scripts should be used. Default: true
</pre>

</BODY>
</HTML>
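Review bot: `encodeCookieValues: # Bool: If cookie values should be encoded` does not say what encoding is applied to the injected value or when a user would want it on, and `scanNullValues` under `json` likewise does not say whether JSON `null` values become injection points when true; both comments need a clause stating what changes when the flag is set, in the same way the neighbouring `addParam` line does (`If a query parameter should be added if none present`). Minor: `DDNs` in the `urlQueryStringAndDataDrivenNodes` comment is never expanded on the page; write `Data Driven Nodes (DDNs)` once.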

Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>
Automation Framework - activeScan-policy Job
</TITLE>
</HEAD>
<BODY>
<H1>Automation Framework - activeScan-policy Job</H1>

This job defines an active scan policy. This policy can be used later in the plan by active scan related jobs,
like <a href="job-ascan.html">activeScan</a> job.

<H2>YAML</H2>

<pre>
- type: activeScan-policy # Defines a new active scan policy which can be used by later activeScan related jobs
parameters:
name: # String: Name of the policy, mandatory
policyDefinition: # The policy definition
defaultStrength: # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
defaultThreshold: # String: The default Alert Threshold for all rules, one of Off, Low, Medium, High, default: Medium
rules: # A list of one or more active scan rules and associated settings which override the defaults
- id: # Int: The rule id as per https://www.zaproxy.org/docs/alerts/
name: # Comment: The name of the rule for documentation purposes - this is not required or actually used
strength: # String: The Attack Strength for this rule, one of Low, Medium, High, Insane, default: Medium
threshold: # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium
</pre>

</BODY>
</HTML>
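Review bot: the `defaultThreshold` line in this new activeScan-policy page lacks the caveat that job-ascan.html gains in this same change (`Unless the defaultThreshold of the policyDefinition is OFF all rules will be enabled to start with`); since this page is now where a `policyDefinition` is normally written, a reader who lists a handful of rules under `rules:` and expects every other rule to stay off will be surprised. Add the same note under the YAML block here. The page also marks `name` as mandatory but does not say what happens when a later activeScan-policy job reuses a name already defined earlier in the plan (replaced, or rejected as an error); state it.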

Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>
Automation Framework - exitStatus Job
</TITLE>
</HEAD>
<BODY>
<H1>Automation Framework - exitStatus Job</H1>

This job sets <a href="automation.html#exit-codes">ZAP's exit code</a> based on scan results.
It also allows you to choose which exit values are used.
It should typically be the last job in a plan.
<p>
If warnLevel or errorLevel are set then the job will report a warning or error if any alerts
are raised which have the same risk level or greater.
<p>
By default when ZAP is run with the <code>-cmd</code> and <code>-autorun</code> options then it will
exit with a 1 if there are any errors, with a 2 if there are any warnings, and if everything is ok
then it will exit with a 0.
These values can be overriden by the <code>*ExitValue</code> options. The <code>*ExitValues</code> can be used together
with the warn/errorLevel or completely independently of them.

<H2>YAML</H2>

<pre>
- type: exitStatus # Sets the exit code based on scan results
parameters:
errorLevel: # String: Informational, Low, Medium, High, default: not set
warnLevel: # String: Informational, Low, Medium, High, default: not set
okExitValue: # Integer: Exit value if all ok, default 0
errorExitValue: # Integer: Exit value if there are errors, default 1
warnExitValue: # Integer: Exit value if there are warnings, default 2
</pre>

</BODY>
</HTML>
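Review bot: typo in the last prose paragraph of this new page: `overriden` should be `overridden`, and the same paragraph refers to the three options as both `*ExitValue` and `*ExitValues`; use one form. The YAML comments use `Integer:` where every other job page in this change uses `Int:` (compare the activeScan-policy, activeScan-config and requestor pages). More substantively, `warnLevel` and `errorLevel` are each described as matching alerts `which have the same risk level or greater`, but the page does not say what happens when both are set and one alert satisfies both (for example warnLevel Low, errorLevel High, and a High alert): the exit value can only be one of the two, so state which level takes precedence.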
Original file line number Diff line number Diff line change
@@ -21,11 +21,12 @@ <H2>YAML</H2>
user: # String: An optional user to use for authenticated requests, must be defined in the env
requests: # A list of requests to make
- url: # String: A mandatory URL of the request to be made
name: # String: Optional name for the request, for documentation only
method: # String: A non-empty request method, default: GET
httpVersion: # String: The HTTP version to send the request with, default: HTTP/1.1
headers: # An optional list of additional headers to include in the request
- "header1:value1"
data: # String: Optional data to send in the request body
data: # String: Optional data to send in the request body, supports vars
responseCode: # Int: An optional, expected response code against which the actual response code will be matched
</pre>
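Review bot: `supports vars` on the `data` line is too terse for a reference page: it does not say which variables are meant (environment `vars` or something else), what substitution syntax is used, or whether `url`, `headers` and `name` are substituted as well, so a reader cannot tell whether only the body is templated. Spell it out on the `data` line and add the same clause to the other fields if they support it; otherwise say explicitly that only `data` does.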

Original file line number Diff line number Diff line change
@@ -8,7 +8,12 @@
<indexitem text="automation - environment" target="automation.env"/>
<indexitem text="automation - authentication" target="automation.auth"/>
<indexitem text="automation - addOns job" target="automation.addons"/>
<indexitem text="automation - activeScan-config job" target="automation.ascanconfig"/>
<indexitem text="automation - activeScan-policy job" target="automation.ascanpolicy"/>
<indexitem text="automation - activeScan job" target="automation.ascan"/>
<indexitem text="automation - delay job" target="automation.delay"/>
<indexitem text="automation - exitStatus job" target="automation.exitstatus"/>
<indexitem text="automation - requestor job" target="automation.requestor"/>
<indexitem text="automation - about" target="automation.about"/>
<indexitem text="automation - tests" target="automation.tests"/>
<indexitem text="automation - alert test" target="automation.test.alert"/>
Original file line number Diff line number Diff line change
@@ -9,7 +9,12 @@
<tocitem text="Environment" target="automation.env"/>
<tocitem text="Authentication" target="automation.auth"/>
<tocitem text="Job: addOns" target="automation.addons"/>
<tocitem text="Job: activeScan-config" target="automation.ascanconfig"/>
<tocitem text="Job: activeScan-policy" target="automation.ascanpolicy"/>
<tocitem text="Job: activeScan" target="automation.ascan"/>
<tocitem text="Job: delay" target="automation.delay"/>
<tocitem text="Job: exitstatus" target="automation.exitstatus"/>
<tocitem text="Job: requestor" target="automation.requestor"/>
<tocitem text="Tests" target="automation.tests"/>
<tocitem text="Test: alert" target="automation.tests.alert"/>
<tocitem text="Test: monitor" target="automation.tests.monitor"/>
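Review bot: `Job: exitstatus` in the new tocitem is the only job entry whose text does not match the job type's casing; every other entry uses the YAML type verbatim (`activeScan-config`, `activeScan-policy`, `activeScan`, `requestor`) and index.xml in this same change writes `exitStatus job`, so this should read `Job: exitStatus`. While here: the two files point at different map IDs for the alert test page, `automation.test.alert` in index.xml versus `automation.tests.alert` in this file; those are context lines rather than part of this change, but at most one of them can match the map file, so it is worth a follow-up.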
Original file line number Diff line number Diff line change
@@ -8,7 +8,9 @@
<BODY>
<H1>Automation Framework</H1>
This add-on provides a framework that allows ZAP to be automated in an easy and flexible way.
<p>

<H3><a name="command-line-options">Command Line Options</a></H3>

It provides the following command line options:
<ul>
<li>-autorun &lt;source&gt; Run the automation jobs specified in the file or from the URL.
@@ -17,57 +19,75 @@ <H1>Automation Framework</H1>
<li>-autogenconf &lt;filename&gt; Generate template automation file using the current configuration.
</ul>

If the <code>-autorun</code> option is used with the ZAP <code>-cmd</code> option then the ZAP exit value will be set as follows:
<H3><a name="exit-codes">Exit Codes</a></H3>
If the <code>-autorun</code> option is used with the ZAP <code>-cmd</code> option then the ZAP exit value will be set by default as follows:
<ul>
<li>0 - The plan completed successfully with no errors or warnings
<li>1 - The plan reported one or more errors
<li>2 - The plan reported no errors but one or more warnings
</ul>
These values can be overridden by the <a href="job-exitstatus.html">exitStatus</a> job.<br>
Whether the plan completed after encountering errors or warnings will depend on the settings used in the <a href="environment.html">environment</a>.
<p>

<H3><a name="usage">Usage</a></H3>
To use the automation framework:
<ol>
<li>Generate a template automation file using one of the <code>-autogen*</code> command line options
<li>Edit the file to match your requirements
<li>Run the file using the <code>-autorun</code> commandline option e.g. <code>./zap.sh -cmd -autorun config.yaml</code>
</ol>

<strong>Note:</strong> The Jobs are executed in the order in which they appear (top to bottom) within the Plan.
<p>
In most cases it is recommended to also use the <code>-cmd</code> command line option so that the ZAP desktop is not displayed
and ZAP exits as soon as it has finished generating or running the jobs defined in the file.
However you can choose to run Automation Framework jobs using the ZAP desktop to help you debug issues.

<H2>Authentication</H2>
<H2><a name="authentication">Authentication</a></H2>
The Automation Framework supports all of the <a href="authentication.html">authentication</a> mechanisms supported by ZAP.

<H2>GUI</H2>
<H2><a name="gui">GUI</a></H2>
A <a href="gui.html">GUI</a> is under development and provides an ever increasing set of features.

<H2>Options</H2>
<H2><a name="options">Options</a></H2>
The <a href="options.html">Automation Options</a> screen allows you to configure specific options.

<H2>API</H2>
<H2><a name="api">API</a></H2>
The following API endpoints are provided by this add-on:
<ul>
<li>Action: runPlan(filePath) - loads and asynchronously runs the plan in the specified file, returning a planId</li>
<li>View: planProgress(planId) - returns the progress details for the specified planId</li>
</ul>
If the ZAP desktop is being used then the plan will also be shown in the GUI to make it easier to diagnose any problems.

<H2>Environment</H2>
<H2><a name="environment">Environment</a></H2>
The <a href="environment.html">environment</a> section of the file defines the applications which the rest of the jobs can act on.

<H2>File Paths</H2>
<H2><a name="file-paths">File Paths</a></H2>
All file and directory paths can either be absolute or relative to the directory containing the plan.
Relative paths are recommended for portability.

<H2>Jobs</H2>
<H2><a name="jobs">Jobs</a></H2>
The jobs can be enabled/disabled through the GUI and the automation plan, with the <code>enabled</code> flag. Jobs are enabled by default.
<p>
The following automation jobs are supported by this add-on:
<ul>
<li><a href="job-ascanconfig.html">activeScan-config</a> - configures the active scanner</li>
<li><a href="job-ascanpolicy.html">activeScan-policy</a> - creates an active policy</li>
<li><a href="job-addons.html">addOns</a> - add-on management, now deprecated</li>
<li><a href="job-delay.html">delay</a> - pauses the plan for a specified period of time or a specific condition is met</li>
<li><a href="job-requestor.html">requestor</a> - crafts specific requests to send to the corresponding targets</li>
<li><a href="job-ascan.html">activeScan</a> - runs the active scanner</li>
<li><a href="job-exitstatus.html">exitStatus</a> - sets ZAP's exit code based on scan results</li>
</ul>

<H3>Importance of Job Order</H3>
The order of jobs is relevant and important. For example:
<ul>
<li>there is no point putting a passiveScan-wait job before any sort of spidering or importing</li>
<li>configuring an alertFilter job after alerts have been generated by passive or active scanning will have no effect on the Alerts that were raised by those components in earlier jobs</li>
</ul>>

<p>
<a href="tests.html">Job tests</a> can be added to jobs to check that the jobs have performed as expected.
<p>
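Review bot: stray character in the new `Importance of Job Order` section: the list closes with `</ul>>`, which renders a literal `>` after the list; it should be `</ul>`. That new heading is also the only one in this hunk without an `<a name=...>` anchor, while every other heading here gained one (`exit-codes`, `usage`, `authentication`, `gui`, `options`, `api`, `environment`, `file-paths`, `jobs`), so deep links to it will not be possible. Two smaller points: the jobs list is alphabetical up to `requestor` and then appends `activeScan` and `exitStatus`, so either sort it fully or order it by typical plan position throughout; and the two ordering examples name `passiveScan-wait` and `alertFilter`, neither of which appears in this add-on's job list just above, so say they are provided by other add-ons.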
Original file line number Diff line number Diff line change
@@ -32,7 +32,7 @@ <H2>YAML</H2>
handleAntiCSRFTokens: # Bool: If set then automatically handle anti CSRF tokens, default: false
injectPluginIdInHeader: # Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false
scanHeadersAllRequests: # Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false
threadPerHost: # Int: The max number of threads per host, default: 2
threadPerHost: # Int: The max number of threads per host, default: 2 * Number of available processor cores
maxAlertsPerRule: # Int: Maximum number of alerts to raise per rule, default: 0 unlimited
policyDefinition: # The policy definition - only used if the 'policy' is not set
defaultStrength: # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
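Review bot: the corrected default `2 * Number of available processor cores` for `threadPerHost` contradicts the new job-ascanconfig.html page in this same change, which documents the same option (`The max number of threads per host`) as `default: 2`; update that page to the same value, or explain on both pages why the activeScan job and the activeScan-config job would have different defaults for one scanner setting.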
@@ -44,6 +44,12 @@ <H2>YAML</H2>
threshold: # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium
</pre>

<strong>Note</strong>: Unless the <code>defaultThreshold</code> of the <code>policyDefinition</code> is <code>OFF</code> all rules will be enabled to start with.

<p>
The policy can be one defined by a previous <a href="job-ascanpolicy.html">activeScan-policy</a> job, or by a scan policy file
that has been put in <code>policies</code> directory under ZAP's <a href="https://www.zaproxy.org/faq/what-is-the-default-directory-that-zap-uses/">HOME directory</a> .

<H2>Job Data</H2>
The following class will be made available to add-ons that provide access to the Job Data such as the Reporting add-on.
Note that in this case the data is from the last Active Scan, regardless of whether it was started by the Automation Framework, the UI, or the API.
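Review bot: `OFF` in the new note is upper case while the YAML three lines above enumerates the threshold value as `Off`; match the documented spelling so users do not wonder whether the comparison is case-sensitive. In the following paragraph, `put in <code>policies</code> directory` needs `the`, and there is a space before the final period (`HOME directory</a> .`). More substantively, the paragraph says the policy may come from a previous activeScan-policy job or from a file in `policies` but not how a file is matched to the `policy` name (file name without extension?) nor which source wins if a job-defined policy and a file share a name; state both.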
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>
Automation Framework - activeScan-config Job
</TITLE>
</HEAD>
<BODY>
<H1>Automation Framework - activeScan-config Job</H1>

This job configures the active scanner, for custom active scans (e.g. Sequence).

<H2>YAML</H2>

<pre>
- type: activeScan-config # Configures the settings of the active scanner.
parameters:
maxRuleDurationInMins: # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
maxScanDurationInMins: # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
maxAlertsPerRule: # Int: Maximum number of alerts to raise per rule, default: 0 unlimited
defaultPolicy: # String: The name of the default scan policy to use, default: Default Policy
handleAntiCSRFTokens: # Bool: If set then automatically handle anti CSRF tokens, default: false
injectPluginIdInHeader: # Bool: If set then the relevant rule ID will be injected into the X-ZAP-Scan-ID header of each request, default: false
threadPerHost: # Int: The max number of threads per host, default: 2
inputVectors: # The input vectors used during the active scan.
urlQueryStringAndDataDrivenNodes: # Configures the scanning of query parameters and DDNs.
enabled: # Bool: If query parameters and DDNs scanning should be enabled. Default: true
addParam: # Bool: If a query parameter should be added if none present. Default: false
odata: # Bool: If OData query filters should be scanned. Default: true
postData: # Configures the scanning of request bodies.
enabled: # Bool: If enabled. Default: true
multiPartFormData: # Bool: If multipart form data bodies should be scanned. Default: true
xml: # Bool: If XML bodies should be scanned. Default: true
json: # Configures the scanning of JSON bodies.
enabled: # Bool: If JSON scanning should be enabled. Default: true
scanNullValues: # Bool: If null values should be scanned. Default: false
googleWebToolkit: # Bool: If GWT scanning should be enabled. Default: false
directWebRemoting: # Bool: If DWR scanning should be enabled. Default: false
urlPath: # Bool: If URL path segments should be scanned. Default: false
httpHeaders: # Configures the scanning of HTTP headers.
enabled: # Bool: If HTTP header scanning should be enabled. Default: false
allRequests: # Bool: If set then the headers of requests that do not include any parameters will be scanned. Default: false
cookieData: # Configures the scanning of cookies.
enabled: # Bool: If enabled. Default: false
encodeCookieValues: # Bool: If cookie values should be encoded. Default: false
scripts: # Bool: If Input Vector scripts should be used. Default: true
</pre>

</BODY>
</HTML>
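Review bot: the intro `for custom active scans (e.g. Sequence)` is the only statement of when this job applies, and it does not tell the reader that the activeScan job carries several of the same parameters itself (`handleAntiCSRFTokens`, `injectPluginIdInHeader`, `threadPerHost`, `maxAlertsPerRule`, visible in the job-ascan.html hunk in this change); say which setting wins when both jobs set one, and whether values set here persist into later activeScan jobs in the plan or only affect scans started by other add-ons. Also, `inputVectors.httpHeaders.allRequests` here and `scanHeadersAllRequests` in job-ascan.html carry the identical description (`If set then the headers of requests that do not include any parameters will be scanned`), so the two pages should cross-reference each other or converge on one name.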

Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>
Automation Framework - activeScan-policy Job
</TITLE>
</HEAD>
<BODY>
<H1>Automation Framework - activeScan-policy Job</H1>

This job defines an active scan policy. This policy can be used later in the plan by active scan related jobs,
like <a href="job-ascan.html">activeScan</a> job.

<H2>YAML</H2>

<pre>
- type: activeScan-policy # Defines a new active scan policy which can be used by later activeScan related jobs
parameters:
name: # String: Name of the policy, mandatory
policyDefinition: # The policy definition
defaultStrength: # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
defaultThreshold: # String: The default Alert Threshold for all rules, one of Off, Low, Medium, High, default: Medium
rules: # A list of one or more active scan rules and associated settings which override the defaults
- id: # Int: The rule id as per https://www.zaproxy.org/docs/alerts/
name: # Comment: The name of the rule for documentation purposes - this is not required or actually used
strength: # String: The Attack Strength for this rule, one of Low, Medium, High, Insane, default: Medium
threshold: # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium
</pre>

</BODY>
</HTML>

Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>
Automation Framework - exitStatus Job
</TITLE>
</HEAD>
<BODY>
<H1>Automation Framework - exitStatus Job</H1>

This job sets <a href="automation.html#exit-codes">ZAP's exit code</a> based on scan results.
It also allows you to choose which exit values are used.
It should typically be the last job in a plan.
<p>
If warnLevel or errorLevel are set then the job will report a warning or error if any alerts
are raised which have the same risk level or greater.
<p>
By default when ZAP is run with the <code>-cmd</code> and <code>-autorun</code> options then it will
exit with a 1 if there are any errors, with a 2 if there are any warnings, and if everything is ok
then it will exit with a 0.
These values can be overriden by the <code>*ExitValue</code> options. The <code>*ExitValues</code> can be used together
with the warn/errorLevel or completely independently of them.

<H2>YAML</H2>

<pre>
- type: exitStatus # Sets the exit code based on scan results
parameters:
errorLevel: # String: Informational, Low, Medium, High, default: not set
warnLevel: # String: Informational, Low, Medium, High, default: not set
okExitValue: # Integer: Exit value if all ok, default 0
errorExitValue: # Integer: Exit value if there are errors, default 1
warnExitValue: # Integer: Exit value if there are warnings, default 2
</pre>

</BODY>
</HTML>
Original file line number Diff line number Diff line change
@@ -21,11 +21,12 @@ <H2>YAML</H2>
user: # String: An optional user to use for authenticated requests, must be defined in the env
requests: # A list of requests to make
- url: # String: A mandatory URL of the request to be made
name: # String: Optional name for the request, for documentation only
method: # String: A non-empty request method, default: GET
httpVersion: # String: The HTTP version to send the request with, default: HTTP/1.1
headers: # An optional list of additional headers to include in the request
- "header1:value1"
data: # String: Optional data to send in the request body
data: # String: Optional data to send in the request body, supports vars
responseCode: # Int: An optional, expected response code against which the actual response code will be matched
</pre>

Original file line number Diff line number Diff line change
@@ -8,7 +8,12 @@
<indexitem text="automation - environment" target="automation.env"/>
<indexitem text="automation - authentication" target="automation.auth"/>
<indexitem text="automation - addOns job" target="automation.addons"/>
<indexitem text="automation - activeScan-config job" target="automation.ascanconfig"/>
<indexitem text="automation - activeScan-policy job" target="automation.ascanpolicy"/>
<indexitem text="automation - activeScan job" target="automation.ascan"/>
<indexitem text="automation - delay job" target="automation.delay"/>
<indexitem text="automation - exitStatus job" target="automation.exitstatus"/>
<indexitem text="automation - requestor job" target="automation.requestor"/>
<indexitem text="automation - about" target="automation.about"/>
<indexitem text="automation - tests" target="automation.tests"/>
<indexitem text="automation - alert test" target="automation.test.alert"/>
Original file line number Diff line number Diff line change
@@ -9,7 +9,12 @@
<tocitem text="Environment" target="automation.env"/>
<tocitem text="Authentication" target="automation.auth"/>
<tocitem text="Job: addOns" target="automation.addons"/>
<tocitem text="Job: activeScan-config" target="automation.ascanconfig"/>
<tocitem text="Job: activeScan-policy" target="automation.ascanpolicy"/>
<tocitem text="Job: activeScan" target="automation.ascan"/>
<tocitem text="Job: delay" target="automation.delay"/>
<tocitem text="Job: exitstatus" target="automation.exitstatus"/>
<tocitem text="Job: requestor" target="automation.requestor"/>
<tocitem text="Tests" target="automation.tests"/>
<tocitem text="Test: alert" target="automation.tests.alert"/>
<tocitem text="Test: monitor" target="automation.tests.monitor"/>
Original file line number Diff line number Diff line change
@@ -8,7 +8,9 @@
<BODY>
<H1>Automation Framework</H1>
This add-on provides a framework that allows ZAP to be automated in an easy and flexible way.
<p>

<H3><a name="command-line-options">Command Line Options</a></H3>

It provides the following command line options:
<ul>
<li>-autorun &lt;source&gt; Run the automation jobs specified in the file or from the URL.
@@ -17,57 +19,75 @@ <H1>Automation Framework</H1>
<li>-autogenconf &lt;filename&gt; Generate template automation file using the current configuration.
</ul>

If the <code>-autorun</code> option is used with the ZAP <code>-cmd</code> option then the ZAP exit value will be set as follows:
<H3><a name="exit-codes">Exit Codes</a></H3>
If the <code>-autorun</code> option is used with the ZAP <code>-cmd</code> option then the ZAP exit value will be set by default as follows:
<ul>
<li>0 - The plan completed successfully with no errors or warnings
<li>1 - The plan reported one or more errors
<li>2 - The plan reported no errors but one or more warnings
</ul>
These values can be overridden by the <a href="job-exitstatus.html">exitStatus</a> job.<br>
Whether the plan completed after encountering errors or warnings will depend on the settings used in the <a href="environment.html">environment</a>.
<p>

<H3><a name="usage">Usage</a></H3>
To use the automation framework:
<ol>
<li>Generate a template automation file using one of the <code>-autogen*</code> command line options
<li>Edit the file to match your requirements
<li>Run the file using the <code>-autorun</code> commandline option e.g. <code>./zap.sh -cmd -autorun config.yaml</code>
</ol>

<strong>Note:</strong> The Jobs are executed in the order in which they appear (top to bottom) within the Plan.
<p>
In most cases it is recommended to also use the <code>-cmd</code> command line option so that the ZAP desktop is not displayed
and ZAP exits as soon as it has finished generating or running the jobs defined in the file.
However you can choose to run Automation Framework jobs using the ZAP desktop to help you debug issues.

<H2>Authentication</H2>
<H2><a name="authentication">Authentication</a></H2>
The Automation Framework supports all of the <a href="authentication.html">authentication</a> mechanisms supported by ZAP.

<H2>GUI</H2>
<H2><a name="gui">GUI</a></H2>
A <a href="gui.html">GUI</a> is under development and provides an ever increasing set of features.

<H2>Options</H2>
<H2><a name="options">Options</a></H2>
The <a href="options.html">Automation Options</a> screen allows you to configure specific options.

<H2>API</H2>
<H2><a name="api">API</a></H2>
The following API endpoints are provided by this add-on:
<ul>
<li>Action: runPlan(filePath) - loads and asynchronously runs the plan in the specified file, returning a planId</li>
<li>View: planProgress(planId) - returns the progress details for the specified planId</li>
</ul>
If the ZAP desktop is being used then the plan will also be shown in the GUI to make it easier to diagnose any problems.

<H2>Environment</H2>
<H2><a name="environment">Environment</a></H2>
The <a href="environment.html">environment</a> section of the file defines the applications which the rest of the jobs can act on.

<H2>File Paths</H2>
<H2><a name="file-paths">File Paths</a></H2>
All file and directory paths can either be absolute or relative to the directory containing the plan.
Relative paths are recommended for portability.

<H2>Jobs</H2>
<H2><a name="jobs">Jobs</a></H2>
The jobs can be enabled/disabled through the GUI and the automation plan, with the <code>enabled</code> flag. Jobs are enabled by default.
<p>
The following automation jobs are supported by this add-on:
<ul>
<li><a href="job-ascanconfig.html">activeScan-config</a> - configures the active scanner</li>
<li><a href="job-ascanpolicy.html">activeScan-policy</a> - creates an active policy</li>
<li><a href="job-addons.html">addOns</a> - add-on management, now deprecated</li>
<li><a href="job-delay.html">delay</a> - pauses the plan for a specified period of time or a specific condition is met</li>
<li><a href="job-requestor.html">requestor</a> - crafts specific requests to send to the corresponding targets</li>
<li><a href="job-ascan.html">activeScan</a> - runs the active scanner</li>
<li><a href="job-exitstatus.html">exitStatus</a> - sets ZAP's exit code based on scan results</li>
</ul>

<H3>Importance of Job Order</H3>
The order of jobs is relevant and important. For example:
<ul>
<li>there is no point putting a passiveScan-wait job before any sort of spidering or importing</li>
<li>configuring an alertFilter job after alerts have been generated by passive or active scanning will have no effect on the Alerts that were raised by those components in earlier jobs</li>
</ul>>

<p>
<a href="tests.html">Job tests</a> can be added to jobs to check that the jobs have performed as expected.
<p>
Original file line number Diff line number Diff line change
@@ -32,7 +32,7 @@ <H2>YAML</H2>
handleAntiCSRFTokens: # Bool: If set then automatically handle anti CSRF tokens, default: false
injectPluginIdInHeader: # Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false
scanHeadersAllRequests: # Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false
threadPerHost: # Int: The max number of threads per host, default: 2
threadPerHost: # Int: The max number of threads per host, default: 2 * Number of available processor cores
maxAlertsPerRule: # Int: Maximum number of alerts to raise per rule, default: 0 unlimited
policyDefinition: # The policy definition - only used if the 'policy' is not set
defaultStrength: # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
@@ -44,6 +44,12 @@ <H2>YAML</H2>
threshold: # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium
</pre>

<strong>Note</strong>: Unless the <code>defaultThreshold</code> of the <code>policyDefinition</code> is <code>OFF</code> all rules will be enabled to start with.

<p>
The policy can be one defined by a previous <a href="job-ascanpolicy.html">activeScan-policy</a> job, or by a scan policy file
that has been put in <code>policies</code> directory under ZAP's <a href="https://www.zaproxy.org/faq/what-is-the-default-directory-that-zap-uses/">HOME directory</a> .

<H2>Job Data</H2>
The following class will be made available to add-ons that provide access to the Job Data such as the Reporting add-on.
Note that in this case the data is from the last Active Scan, regardless of whether it was started by the Automation Framework, the UI, or the API.
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>
Automation Framework - activeScan-config Job
</TITLE>
</HEAD>
<BODY>
<H1>Automation Framework - activeScan-config Job</H1>

This job configures the active scanner, for custom active scans (e.g. Sequence).

<H2>YAML</H2>

<pre>
- type: activeScan-config # Configures the settings of the active scanner.
parameters:
maxRuleDurationInMins: # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
maxScanDurationInMins: # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
maxAlertsPerRule: # Int: Maximum number of alerts to raise per rule, default: 0 unlimited
defaultPolicy: # String: The name of the default scan policy to use, default: Default Policy
handleAntiCSRFTokens: # Bool: If set then automatically handle anti CSRF tokens, default: false
injectPluginIdInHeader: # Bool: If set then the relevant rule ID will be injected into the X-ZAP-Scan-ID header of each request, default: false
threadPerHost: # Int: The max number of threads per host, default: 2
inputVectors: # The input vectors used during the active scan.
urlQueryStringAndDataDrivenNodes: # Configures the scanning of query parameters and DDNs.
enabled: # Bool: If query parameters and DDNs scanning should be enabled. Default: true
addParam: # Bool: If a query parameter should be added if none present. Default: false
odata: # Bool: If OData query filters should be scanned. Default: true
postData: # Configures the scanning of request bodies.
enabled: # Bool: If enabled. Default: true
multiPartFormData: # Bool: If multipart form data bodies should be scanned. Default: true
xml: # Bool: If XML bodies should be scanned. Default: true
json: # Configures the scanning of JSON bodies.
enabled: # Bool: If JSON scanning should be enabled. Default: true
scanNullValues: # Bool: If null values should be scanned. Default: false
googleWebToolkit: # Bool: If GWT scanning should be enabled. Default: false
directWebRemoting: # Bool: If DWR scanning should be enabled. Default: false
urlPath: # Bool: If URL path segments should be scanned. Default: false
httpHeaders: # Configures the scanning of HTTP headers.
enabled: # Bool: If HTTP header scanning should be enabled. Default: false
allRequests: # Bool: If set then the headers of requests that do not include any parameters will be scanned. Default: false
cookieData: # Configures the scanning of cookies.
enabled: # Bool: If enabled. Default: false
encodeCookieValues: # Bool: If cookie values should be encoded. Default: false
scripts: # Bool: If Input Vector scripts should be used. Default: true
</pre>

</BODY>
</HTML>

Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>
Automation Framework - activeScan-policy Job
</TITLE>
</HEAD>
<BODY>
<H1>Automation Framework - activeScan-policy Job</H1>

This job defines an active scan policy. This policy can be used later in the plan by active scan related jobs,
like <a href="job-ascan.html">activeScan</a> job.

<H2>YAML</H2>

<pre>
- type: activeScan-policy # Defines a new active scan policy which can be used by later activeScan related jobs
parameters:
name: # String: Name of the policy, mandatory
policyDefinition: # The policy definition
defaultStrength: # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
defaultThreshold: # String: The default Alert Threshold for all rules, one of Off, Low, Medium, High, default: Medium
rules: # A list of one or more active scan rules and associated settings which override the defaults
- id: # Int: The rule id as per https://www.zaproxy.org/docs/alerts/
name: # Comment: The name of the rule for documentation purposes - this is not required or actually used
strength: # String: The Attack Strength for this rule, one of Low, Medium, High, Insane, default: Medium
threshold: # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium
</pre>

</BODY>
</HTML>

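Review bot: `name:` is typed as `Comment:` while every other parameter on these pages uses `String:`/`Int:`; suggest `name: # String: The name of the rule, for documentation only (not used)`. In the intro, "like <a href="job-ascan.html">activeScan</a> job" reads better as "like the activeScan job". Since this is the page where a policy is defined, it would also help to repeat here what the activeScan page notes: unless `defaultThreshold` is `Off`, all rules start enabled.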
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>
Automation Framework - exitStatus Job
</TITLE>
</HEAD>
<BODY>
<H1>Automation Framework - exitStatus Job</H1>

This job sets <a href="automation.html#exit-codes">ZAP's exit code</a> based on scan results.
It also allows you to choose which exit values are used.
It should typically be the last job in a plan.
<p>
If warnLevel or errorLevel are set then the job will report a warning or error if any alerts
are raised which have the same risk level or greater.
<p>
By default when ZAP is run with the <code>-cmd</code> and <code>-autorun</code> options then it will
exit with a 1 if there are any errors, with a 2 if there are any warnings, and if everything is ok
then it will exit with a 0.
These values can be overriden by the <code>*ExitValue</code> options. The <code>*ExitValues</code> can be used together
with the warn/errorLevel or completely independently of them.

<H2>YAML</H2>

<pre>
- type: exitStatus # Sets the exit code based on scan results
parameters:
errorLevel: # String: Informational, Low, Medium, High, default: not set
warnLevel: # String: Informational, Low, Medium, High, default: not set
okExitValue: # Integer: Exit value if all ok, default 0
errorExitValue: # Integer: Exit value if there are errors, default 1
warnExitValue: # Integer: Exit value if there are warnings, default 2
</pre>

</BODY>
</HTML>
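Review bot: "overriden" should be "overridden" in the paragraph before the YAML. The text does not say what happens when a single alert satisfies both thresholds (for example `errorLevel: High`, `warnLevel: Medium` and a High alert is raised); state which level wins so plans can rely on it. Minor: `Integer:` here versus `Int:` on the other job pages, and `*ExitValue` versus `*ExitValues` in consecutive sentences.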
Original file line number Diff line number Diff line change
@@ -21,11 +21,12 @@ <H2>YAML</H2>
user: # String: An optional user to use for authenticated requests, must be defined in the env
requests: # A list of requests to make
- url: # String: A mandatory URL of the request to be made
name: # String: Optional name for the request, for documentation only
method: # String: A non-empty request method, default: GET
httpVersion: # String: The HTTP version to send the request with, default: HTTP/1.1
headers: # An optional list of additional headers to include in the request
- "header1:value1"
data: # String: Optional data to send in the request body
data: # String: Optional data to send in the request body, supports vars
responseCode: # Int: An optional, expected response code against which the actual response code will be matched
</pre>

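Review bot: "supports vars" on the `data` line is the only mention of variable substitution on this page; say whether `url` and the `headers` list also accept env vars and point to the environment page for the variable syntax, otherwise readers will have to test it.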
Original file line number Diff line number Diff line change
@@ -8,7 +8,12 @@
<indexitem text="automation - environment" target="automation.env"/>
<indexitem text="automation - authentication" target="automation.auth"/>
<indexitem text="automation - addOns job" target="automation.addons"/>
<indexitem text="automation - activeScan-config job" target="automation.ascanconfig"/>
<indexitem text="automation - activeScan-policy job" target="automation.ascanpolicy"/>
<indexitem text="automation - activeScan job" target="automation.ascan"/>
<indexitem text="automation - delay job" target="automation.delay"/>
<indexitem text="automation - exitStatus job" target="automation.exitstatus"/>
<indexitem text="automation - requestor job" target="automation.requestor"/>
<indexitem text="automation - about" target="automation.about"/>
<indexitem text="automation - tests" target="automation.tests"/>
<indexitem text="automation - alert test" target="automation.test.alert"/>
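Review bot: the three new entries use the targets `automation.ascanconfig`, `automation.ascanpolicy` and `automation.exitstatus`; make sure each has a matching map entry or the index links will be dead. While here, the existing alert-test entry targets `automation.test.alert` whereas the toc in this same change uses `automation.tests.alert`; one of the two is probably wrong.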
Original file line number Diff line number Diff line change
@@ -9,7 +9,12 @@
<tocitem text="Environment" target="automation.env"/>
<tocitem text="Authentication" target="automation.auth"/>
<tocitem text="Job: addOns" target="automation.addons"/>
<tocitem text="Job: activeScan-config" target="automation.ascanconfig"/>
<tocitem text="Job: activeScan-policy" target="automation.ascanpolicy"/>
<tocitem text="Job: activeScan" target="automation.ascan"/>
<tocitem text="Job: delay" target="automation.delay"/>
<tocitem text="Job: exitstatus" target="automation.exitstatus"/>
<tocitem text="Job: requestor" target="automation.requestor"/>
<tocitem text="Tests" target="automation.tests"/>
<tocitem text="Test: alert" target="automation.tests.alert"/>
<tocitem text="Test: monitor" target="automation.tests.monitor"/>
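Review bot: `Job: exitstatus` is all lowercase while the job type and its help page are spelled `exitStatus` (and `Job: activeScan-config` keeps camelCase); suggest `<tocitem text="Job: exitStatus" target="automation.exitstatus"/>`.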
Original file line number Diff line number Diff line change
@@ -8,7 +8,9 @@
<BODY>
<H1>Automation Framework</H1>
This add-on provides a framework that allows ZAP to be automated in an easy and flexible way.
<p>

<H3><a name="command-line-options">Command Line Options</a></H3>

It provides the following command line options:
<ul>
<li>-autorun &lt;source&gt; Run the automation jobs specified in the file or from the URL.
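Review bot: the new `Command Line Options` heading is an H3 placed directly under the H1 with no enclosing H2, while the later sections (Authentication, GUI, Options, ...) are H2; either make these anchored headings H2 as well or make the later ones H3. The `<p>` left on the line before the blank line and the heading is now a dangling paragraph tag and can be dropped.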
@@ -17,57 +19,75 @@ <H1>Automation Framework</H1>
<li>-autogenconf &lt;filename&gt; Generate template automation file using the current configuration.
</ul>

If the <code>-autorun</code> option is used with the ZAP <code>-cmd</code> option then the ZAP exit value will be set as follows:
<H3><a name="exit-codes">Exit Codes</a></H3>
If the <code>-autorun</code> option is used with the ZAP <code>-cmd</code> option then the ZAP exit value will be set by default as follows:
<ul>
<li>0 - The plan completed successfully with no errors or warnings
<li>1 - The plan reported one or more errors
<li>2 - The plan reported no errors but one or more warnings
</ul>
These values can be overridden by the <a href="job-exitstatus.html">exitStatus</a> job.<br>
Whether the plan completed after encountering errors or warnings will depend on the settings used in the <a href="environment.html">environment</a>.
<p>

<H3><a name="usage">Usage</a></H3>
To use the automation framework:
<ol>
<li>Generate a template automation file using one of the <code>-autogen*</code> command line options
<li>Edit the file to match your requirements
<li>Run the file using the <code>-autorun</code> commandline option e.g. <code>./zap.sh -cmd -autorun config.yaml</code>
</ol>

<strong>Note:</strong> The Jobs are executed in the order in which they appear (top to bottom) within the Plan.
<p>
In most cases it is recommended to also use the <code>-cmd</code> command line option so that the ZAP desktop is not displayed
and ZAP exits as soon as it has finished generating or running the jobs defined in the file.
However you can choose to run Automation Framework jobs using the ZAP desktop to help you debug issues.

<H2>Authentication</H2>
<H2><a name="authentication">Authentication</a></H2>
The Automation Framework supports all of the <a href="authentication.html">authentication</a> mechanisms supported by ZAP.

<H2>GUI</H2>
<H2><a name="gui">GUI</a></H2>
A <a href="gui.html">GUI</a> is under development and provides an ever increasing set of features.

<H2>Options</H2>
<H2><a name="options">Options</a></H2>
The <a href="options.html">Automation Options</a> screen allows you to configure specific options.

<H2>API</H2>
<H2><a name="api">API</a></H2>
The following API endpoints are provided by this add-on:
<ul>
<li>Action: runPlan(filePath) - loads and asynchronously runs the plan in the specified file, returning a planId</li>
<li>View: planProgress(planId) - returns the progress details for the specified planId</li>
</ul>
If the ZAP desktop is being used then the plan will also be shown in the GUI to make it easier to diagnose any problems.

<H2>Environment</H2>
<H2><a name="environment">Environment</a></H2>
The <a href="environment.html">environment</a> section of the file defines the applications which the rest of the jobs can act on.

<H2>File Paths</H2>
<H2><a name="file-paths">File Paths</a></H2>
All file and directory paths can either be absolute or relative to the directory containing the plan.
Relative paths are recommended for portability.

<H2>Jobs</H2>
<H2><a name="jobs">Jobs</a></H2>
The jobs can be enabled/disabled through the GUI and the automation plan, with the <code>enabled</code> flag. Jobs are enabled by default.
<p>
The following automation jobs are supported by this add-on:
<ul>
<li><a href="job-ascanconfig.html">activeScan-config</a> - configures the active scanner</li>
<li><a href="job-ascanpolicy.html">activeScan-policy</a> - creates an active policy</li>
<li><a href="job-addons.html">addOns</a> - add-on management, now deprecated</li>
<li><a href="job-delay.html">delay</a> - pauses the plan for a specified period of time or a specific condition is met</li>
<li><a href="job-requestor.html">requestor</a> - crafts specific requests to send to the corresponding targets</li>
<li><a href="job-ascan.html">activeScan</a> - runs the active scanner</li>
<li><a href="job-exitstatus.html">exitStatus</a> - sets ZAP's exit code based on scan results</li>
</ul>

<H3>Importance of Job Order</H3>
The order of jobs is relevant and important. For example:
<ul>
<li>there is no point putting a passiveScan-wait job before any sort of spidering or importing</li>
<li>configuring an alertFilter job after alerts have been generated by passive or active scanning will have no effect on the Alerts that were raised by those components in earlier jobs</li>
</ul>>

<p>
<a href="tests.html">Job tests</a> can be added to jobs to check that the jobs have performed as expected.
<p>
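Review bot: `</ul>>` at the end of the "Importance of Job Order" list has a stray `>` that will render as a literal character; it should be `</ul>`. Also "commandline" in the Usage steps should be "command line", the Jobs list order (config, policy, addOns, delay, requestor, activeScan, exitStatus) does not match the toc order introduced in this change, and the "Note: The Jobs are executed in the order..." paragraph now says the same thing as the new "Importance of Job Order" section; consider merging the two.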
Original file line number Diff line number Diff line change
@@ -32,7 +32,7 @@ <H2>YAML</H2>
handleAntiCSRFTokens: # Bool: If set then automatically handle anti CSRF tokens, default: false
injectPluginIdInHeader: # Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false
scanHeadersAllRequests: # Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false
threadPerHost: # Int: The max number of threads per host, default: 2
threadPerHost: # Int: The max number of threads per host, default: 2 * Number of available processor cores
maxAlertsPerRule: # Int: Maximum number of alerts to raise per rule, default: 0 unlimited
policyDefinition: # The policy definition - only used if the 'policy' is not set
defaultStrength: # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
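Review bot: `threadPerHost` is changed here to `default: 2 * Number of available processor cores`, but the new activeScan-config page added in this same change still documents `default: 2` for the same setting; the two pages should agree, and it should be stated which value applies when an activeScan-config job precedes an activeScan job.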
@@ -44,6 +44,12 @@ <H2>YAML</H2>
threshold: # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium
</pre>

<strong>Note</strong>: Unless the <code>defaultThreshold</code> of the <code>policyDefinition</code> is <code>OFF</code> all rules will be enabled to start with.

<p>
The policy can be one defined by a previous <a href="job-ascanpolicy.html">activeScan-policy</a> job, or by a scan policy file
that has been put in <code>policies</code> directory under ZAP's <a href="https://www.zaproxy.org/faq/what-is-the-default-directory-that-zap-uses/">HOME directory</a> .

<H2>Job Data</H2>
The following class will be made available to add-ons that provide access to the Job Data such as the Reporting add-on.
Note that in this case the data is from the last Active Scan, regardless of whether it was started by the Automation Framework, the UI, or the API.
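Review bot: in the new note, `OFF` should be `Off` to match the value listed for `defaultThreshold` in the YAML above. Also "put in <code>policies</code> directory" needs "the", and there is a stray space before the full stop after the HOME directory link (`</a> .`).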
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>
Automation Framework - activeScan-config Job
</TITLE>
</HEAD>
<BODY>
<H1>Automation Framework - activeScan-config Job</H1>

This job configures the active scanner, for custom active scans (e.g. Sequence).

<H2>YAML</H2>

<pre>
- type: activeScan-config # Configures the settings of the active scanner.
parameters:
maxRuleDurationInMins: # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
maxScanDurationInMins: # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
maxAlertsPerRule: # Int: Maximum number of alerts to raise per rule, default: 0 unlimited
defaultPolicy: # String: The name of the default scan policy to use, default: Default Policy
handleAntiCSRFTokens: # Bool: If set then automatically handle anti CSRF tokens, default: false
injectPluginIdInHeader: # Bool: If set then the relevant rule ID will be injected into the X-ZAP-Scan-ID header of each request, default: false
threadPerHost: # Int: The max number of threads per host, default: 2
inputVectors: # The input vectors used during the active scan.
urlQueryStringAndDataDrivenNodes: # Configures the scanning of query parameters and DDNs.
enabled: # Bool: If query parameters and DDNs scanning should be enabled. Default: true
addParam: # Bool: If a query parameter should be added if none present. Default: false
odata: # Bool: If OData query filters should be scanned. Default: true
postData: # Configures the scanning of request bodies.
enabled: # Bool: If enabled. Default: true
multiPartFormData: # Bool: If multipart form data bodies should be scanned. Default: true
xml: # Bool: If XML bodies should be scanned. Default: true
json: # Configures the scanning of JSON bodies.
enabled: # Bool: If JSON scanning should be enabled. Default: true
scanNullValues: # Bool: If null values should be scanned. Default: false
googleWebToolkit: # Bool: If GWT scanning should be enabled. Default: false
directWebRemoting: # Bool: If DWR scanning should be enabled. Default: false
urlPath: # Bool: If URL path segments should be scanned. Default: false
httpHeaders: # Configures the scanning of HTTP headers.
enabled: # Bool: If HTTP header scanning should be enabled. Default: false
allRequests: # Bool: If set then the headers of requests that do not include any parameters will be scanned. Default: false
cookieData: # Configures the scanning of cookies.
enabled: # Bool: If enabled. Default: false
encodeCookieValues: # Bool: If cookie values should be encoded. Default: false
scripts: # Bool: If Input Vector scripts should be used. Default: true
</pre>

</BODY>
</HTML>

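Review bot: `threadPerHost: # Int: ... default: 2` conflicts with the activeScan page in this same change, which now states `2 * Number of available processor cores`. `inputVectors.httpHeaders.allRequests` also describes the same behaviour as `scanHeadersAllRequests` on the activeScan page; document which setting takes effect when both jobs set it. The intro "for custom active scans (e.g. Sequence)" leaves open whether these settings also apply to a later activeScan job; a sentence on that would save users an experiment.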
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>
Automation Framework - activeScan-policy Job
</TITLE>
</HEAD>
<BODY>
<H1>Automation Framework - activeScan-policy Job</H1>

This job defines an active scan policy. This policy can be used later in the plan by active scan related jobs,
like <a href="job-ascan.html">activeScan</a> job.

<H2>YAML</H2>

<pre>
- type: activeScan-policy # Defines a new active scan policy which can be used by later activeScan related jobs
parameters:
name: # String: Name of the policy, mandatory
policyDefinition: # The policy definition
defaultStrength: # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
defaultThreshold: # String: The default Alert Threshold for all rules, one of Off, Low, Medium, High, default: Medium
rules: # A list of one or more active scan rules and associated settings which override the defaults
- id: # Int: The rule id as per https://www.zaproxy.org/docs/alerts/
name: # Comment: The name of the rule for documentation purposes - this is not required or actually used
strength: # String: The Attack Strength for this rule, one of Low, Medium, High, Insane, default: Medium
threshold: # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium
</pre>

</BODY>
</HTML>

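Review bot: `name: # Comment:` should use the `String:` type label used everywhere else on these pages, and "like activeScan job" needs "the". A short note that all rules start enabled unless `defaultThreshold` is `Off` (as the activeScan page says) belongs on this page too.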
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>
Automation Framework - exitStatus Job
</TITLE>
</HEAD>
<BODY>
<H1>Automation Framework - exitStatus Job</H1>

This job sets <a href="automation.html#exit-codes">ZAP's exit code</a> based on scan results.
It also allows you to choose which exit values are used.
It should typically be the last job in a plan.
<p>
If warnLevel or errorLevel are set then the job will report a warning or error if any alerts
are raised which have the same risk level or greater.
<p>
By default when ZAP is run with the <code>-cmd</code> and <code>-autorun</code> options then it will
exit with a 1 if there are any errors, with a 2 if there are any warnings, and if everything is ok
then it will exit with a 0.
These values can be overriden by the <code>*ExitValue</code> options. The <code>*ExitValues</code> can be used together
with the warn/errorLevel or completely independently of them.

<H2>YAML</H2>

<pre>
- type: exitStatus # Sets the exit code based on scan results
parameters:
errorLevel: # String: Informational, Low, Medium, High, default: not set
warnLevel: # String: Informational, Low, Medium, High, default: not set
okExitValue: # Integer: Exit value if all ok, default 0
errorExitValue: # Integer: Exit value if there are errors, default 1
warnExitValue: # Integer: Exit value if there are warnings, default 2
</pre>

</BODY>
</HTML>
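Review bot: typo "overriden" (should be "overridden"). The precedence between `errorLevel` and `warnLevel` when one alert matches both is not documented, and `Integer:` should be `Int:` for consistency with the other job pages.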
Original file line number Diff line number Diff line change
@@ -21,11 +21,12 @@ <H2>YAML</H2>
user: # String: An optional user to use for authenticated requests, must be defined in the env
requests: # A list of requests to make
- url: # String: A mandatory URL of the request to be made
name: # String: Optional name for the request, for documentation only
method: # String: A non-empty request method, default: GET
httpVersion: # String: The HTTP version to send the request with, default: HTTP/1.1
headers: # An optional list of additional headers to include in the request
- "header1:value1"
data: # String: Optional data to send in the request body
data: # String: Optional data to send in the request body, supports vars
responseCode: # Int: An optional, expected response code against which the actual response code will be matched
</pre>

Original file line number Diff line number Diff line change
@@ -8,7 +8,12 @@
<indexitem text="automation - environment" target="automation.env"/>
<indexitem text="automation - authentication" target="automation.auth"/>
<indexitem text="automation - addOns job" target="automation.addons"/>
<indexitem text="automation - activeScan-config job" target="automation.ascanconfig"/>
<indexitem text="automation - activeScan-policy job" target="automation.ascanpolicy"/>
<indexitem text="automation - activeScan job" target="automation.ascan"/>
<indexitem text="automation - delay job" target="automation.delay"/>
<indexitem text="automation - exitStatus job" target="automation.exitstatus"/>
<indexitem text="automation - requestor job" target="automation.requestor"/>
<indexitem text="automation - about" target="automation.about"/>
<indexitem text="automation - tests" target="automation.tests"/>
<indexitem text="automation - alert test" target="automation.test.alert"/>
Original file line number Diff line number Diff line change
@@ -9,7 +9,12 @@
<tocitem text="Environment" target="automation.env"/>
<tocitem text="Authentication" target="automation.auth"/>
<tocitem text="Job: addOns" target="automation.addons"/>
<tocitem text="Job: activeScan-config" target="automation.ascanconfig"/>
<tocitem text="Job: activeScan-policy" target="automation.ascanpolicy"/>
<tocitem text="Job: activeScan" target="automation.ascan"/>
<tocitem text="Job: delay" target="automation.delay"/>
<tocitem text="Job: exitstatus" target="automation.exitstatus"/>
<tocitem text="Job: requestor" target="automation.requestor"/>
<tocitem text="Tests" target="automation.tests"/>
<tocitem text="Test: alert" target="automation.tests.alert"/>
<tocitem text="Test: monitor" target="automation.tests.monitor"/>
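Review bot: `Job: exitstatus` should be `Job: exitStatus` to match the job type's spelling used on its own help page and in the index.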
Original file line number Diff line number Diff line change
@@ -8,7 +8,9 @@
<BODY>
<H1>Automatisierungsframework</H1>
Diese Erweiterung liefert ein Framework, welches es erlaubt ZAP einfach und flexibel zu automatisieren.
<p>

<H3><a name="command-line-options">Command Line Options</a></H3>

Es enthält die folgenden Kommandozeilenoptionen:
<ul>
<li>-autorun &lt;source&gt; Run the automation jobs specified in the file or from the URL.
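Review bot: same structural issue as the English file: an H3 `Command Line Options` sits directly under the H1 with no H2 above it, and the `<p>` before the blank line is left dangling. Note also that this localized file mixes German body text ("Es enthält die folgenden Kommandozeilenoptionen:") with the untranslated English heading; if the heading text is meant to come from the translation pipeline that is fine, otherwise it should be translated like the surrounding sentences.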
@@ -17,57 +19,75 @@ <H1>Automatisierungsframework</H1>
<li>-autogenconf &lt;filename&gt; Generate template automation file using the current configuration.
</ul>

Wenn die <code>-autorun</code>-Option mit der ZAP <code>-cmd</code>-Option verwendet wird, setzt ZAP den Exit Code wie folgt:
<H3><a name="exit-codes">Exit Codes</a></H3>
If the <code>-autorun</code> option is used with the ZAP <code>-cmd</code> option then the ZAP exit value will be set by default as follows:
<ul>
<li>0 - Der Plan konnte erfolgreich und ohne Fehler abgeschlossen werden
<li>1 - Der Plan hatte einen oder mehrere Fehler
<li>2 - Der Plan hatte keine Fehler aber eine oder mehrere Warnungen
</ul>
These values can be overridden by the <a href="job-exitstatus.html">exitStatus</a> job.<br>
Whether the plan completed after encountering errors or warnings will depend on the settings used in the <a href="environment.html">environment</a>.
<p>

<H3><a name="usage">Usage</a></H3>
To use the automation framework:
<ol>
<li>Generate a template automation file using one of the <code>-autogen*</code> command line options
<li>Edit the file to match your requirements
<li>Run the file using the <code>-autorun</code> commandline option e.g. <code>./zap.sh -cmd -autorun config.yaml</code>
</ol>

<strong>Note:</strong> The Jobs are executed in the order in which they appear (top to bottom) within the Plan.
<p>
In most cases it is recommended to also use the <code>-cmd</code> command line option so that the ZAP desktop is not displayed
and ZAP exits as soon as it has finished generating or running the jobs defined in the file.
However you can choose to run Automation Framework jobs using the ZAP desktop to help you debug issues.

<H2>Authentication</H2>
<H2><a name="authentication">Authentication</a></H2>
The Automation Framework supports all of the <a href="authentication.html">authentication</a> mechanisms supported by ZAP.

<H2>GUI</H2>
<H2><a name="gui">GUI</a></H2>
A <a href="gui.html">GUI</a> is under development and provides an ever increasing set of features.

<H2>Options</H2>
<H2><a name="options">Options</a></H2>
The <a href="options.html">Automation Options</a> screen allows you to configure specific options.

<H2>API</H2>
<H2><a name="api">API</a></H2>
The following API endpoints are provided by this add-on:
<ul>
<li>Action: runPlan(filePath) - loads and asynchronously runs the plan in the specified file, returning a planId</li>
<li>View: planProgress(planId) - returns the progress details for the specified planId</li>
</ul>
If the ZAP desktop is being used then the plan will also be shown in the GUI to make it easier to diagnose any problems.

<H2>Environment</H2>
<H2><a name="environment">Environment</a></H2>
The <a href="environment.html">environment</a> section of the file defines the applications which the rest of the jobs can act on.

<H2>File Paths</H2>
<H2><a name="file-paths">File Paths</a></H2>
All file and directory paths can either be absolute or relative to the directory containing the plan.
Relative paths are recommended for portability.

<H2>Jobs</H2>
<H2><a name="jobs">Jobs</a></H2>
The jobs can be enabled/disabled through the GUI and the automation plan, with the <code>enabled</code> flag. Jobs are enabled by default.
<p>
The following automation jobs are supported by this add-on:
<ul>
<li><a href="job-ascanconfig.html">activeScan-config</a> - configures the active scanner</li>
<li><a href="job-ascanpolicy.html">activeScan-policy</a> - creates an active policy</li>
<li><a href="job-addons.html">addOns</a> - add-on management, now deprecated</li>
<li><a href="job-delay.html">delay</a> - pauses the plan for a specified period of time or a specific condition is met</li>
<li><a href="job-requestor.html">requestor</a> - crafts specific requests to send to the corresponding targets</li>
<li><a href="job-ascan.html">activeScan</a> - runs the active scanner</li>
<li><a href="job-exitstatus.html">exitStatus</a> - sets ZAP's exit code based on scan results</li>
</ul>

<H3>Importance of Job Order</H3>
The order of jobs is relevant and important. For example:
<ul>
<li>there is no point putting a passiveScan-wait job before any sort of spidering or importing</li>
<li>configuring an alertFilter job after alerts have been generated by passive or active scanning will have no effect on the Alerts that were raised by those components in earlier jobs</li>
</ul>>

<p>
<a href="tests.html">Job tests</a> can be added to jobs to check that the jobs have performed as expected.
<p>
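Review bot: this hunk replaces the German sentence "Wenn die <code>-autorun</code>-Option mit der ZAP <code>-cmd</code>-Option verwendet wird, setzt ZAP den Exit Code wie folgt:" with the English version, while the three list items below it stay in German, so the Exit Codes section now reads in two languages; keep the German sentence and add "standardmäßig" (the "by default" wording) rather than swapping in English. The stray `>` in `</ul>>` after the job-order list is present in this copy as well.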
Original file line number Diff line number Diff line change
@@ -32,7 +32,7 @@ <H2>YAML</H2>
handleAntiCSRFTokens: # Bool: If set then automatically handle anti CSRF tokens, default: false
injectPluginIdInHeader: # Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false
scanHeadersAllRequests: # Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false
threadPerHost: # Int: The max number of threads per host, default: 2
threadPerHost: # Int: The max number of threads per host, default: 2 * Number of available processor cores
maxAlertsPerRule: # Int: Maximum number of alerts to raise per rule, default: 0 unlimited
policyDefinition: # The policy definition - only used if the 'policy' is not set
defaultStrength: # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
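Review bot: the new `threadPerHost` default (`2 * Number of available processor cores`) does not match the `default: 2` still shown on the activeScan-config page added in this change; align them.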
@@ -44,6 +44,12 @@ <H2>YAML</H2>
threshold: # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium
</pre>

<strong>Note</strong>: Unless the <code>defaultThreshold</code> of the <code>policyDefinition</code> is <code>OFF</code> all rules will be enabled to start with.

<p>
The policy can be one defined by a previous <a href="job-ascanpolicy.html">activeScan-policy</a> job, or by a scan policy file
that has been put in <code>policies</code> directory under ZAP's <a href="https://www.zaproxy.org/faq/what-is-the-default-directory-that-zap-uses/">HOME directory</a> .

<H2>Job Data</H2>
The following class will be made available to add-ons that provide access to the Job Data such as the Reporting add-on.
Note that in this case the data is from the last Active Scan, regardless of whether it was started by the Automation Framework, the UI, or the API.
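Review bot: `OFF` in the note versus `Off` in the YAML above; missing "the" before `<code>policies</code> directory`; stray space before the full stop after the HOME directory link.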
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>
Automation Framework - activeScan-config Job
</TITLE>
</HEAD>
<BODY>
<H1>Automation Framework - activeScan-config Job</H1>

This job configures the active scanner, for custom active scans (e.g. Sequence).

<H2>YAML</H2>

<pre>
- type: activeScan-config # Configures the settings of the active scanner.
parameters:
maxRuleDurationInMins: # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
maxScanDurationInMins: # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
maxAlertsPerRule: # Int: Maximum number of alerts to raise per rule, default: 0 unlimited
defaultPolicy: # String: The name of the default scan policy to use, default: Default Policy
handleAntiCSRFTokens: # Bool: If set then automatically handle anti CSRF tokens, default: false
injectPluginIdInHeader: # Bool: If set then the relevant rule ID will be injected into the X-ZAP-Scan-ID header of each request, default: false
threadPerHost: # Int: The max number of threads per host, default: 2
inputVectors: # The input vectors used during the active scan.
urlQueryStringAndDataDrivenNodes: # Configures the scanning of query parameters and DDNs.
enabled: # Bool: If query parameters and DDNs scanning should be enabled. Default: true
addParam: # Bool: If a query parameter should be added if none present. Default: false
odata: # Bool: If OData query filters should be scanned. Default: true
postData: # Configures the scanning of request bodies.
enabled: # Bool: If enabled. Default: true
multiPartFormData: # Bool: If multipart form data bodies should be scanned. Default: true
xml: # Bool: If XML bodies should be scanned. Default: true
json: # Configures the scanning of JSON bodies.
enabled: # Bool: If JSON scanning should be enabled. Default: true
scanNullValues: # Bool: If null values should be scanned. Default: false
googleWebToolkit: # Bool: If GWT scanning should be enabled. Default: false
directWebRemoting: # Bool: If DWR scanning should be enabled. Default: false
urlPath: # Bool: If URL path segments should be scanned. Default: false
httpHeaders: # Configures the scanning of HTTP headers.
enabled: # Bool: If HTTP header scanning should be enabled. Default: false
allRequests: # Bool: If set then the headers of requests that do not include any parameters will be scanned. Default: false
cookieData: # Configures the scanning of cookies.
enabled: # Bool: If enabled. Default: false
encodeCookieValues: # Bool: If cookie values should be encoded. Default: false
scripts: # Bool: If Input Vector scripts should be used. Default: true
</pre>

</BODY>
</HTML>

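Review bot: `threadPerHost` `default: 2` here versus `2 * Number of available processor cores` on the activeScan page in the same change; and `httpHeaders.allRequests` overlaps with `scanHeadersAllRequests` on the activeScan page without saying which one wins.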
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>
Automation Framework - activeScan-policy Job
</TITLE>
</HEAD>
<BODY>
<H1>Automation Framework - activeScan-policy Job</H1>

This job defines an active scan policy. This policy can be used later in the plan by active scan related jobs,
like <a href="job-ascan.html">activeScan</a> job.

<H2>YAML</H2>

<pre>
- type: activeScan-policy # Defines a new active scan policy which can be used by later activeScan related jobs
parameters:
name: # String: Name of the policy, mandatory
policyDefinition: # The policy definition
defaultStrength: # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
defaultThreshold: # String: The default Alert Threshold for all rules, one of Off, Low, Medium, High, default: Medium
rules: # A list of one or more active scan rules and associated settings which override the defaults
- id: # Int: The rule id as per https://www.zaproxy.org/docs/alerts/
name: # Comment: The name of the rule for documentation purposes - this is not required or actually used
strength: # String: The Attack Strength for this rule, one of Low, Medium, High, Insane, default: Medium
threshold: # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium
</pre>

</BODY>
</HTML>

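Review bot: `name: # Comment:` should be `name: # String:` like the other parameters, and "like activeScan job" needs the article "the".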
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>
Automation Framework - exitStatus Job
</TITLE>
</HEAD>
<BODY>
<H1>Automation Framework - exitStatus Job</H1>

This job sets <a href="automation.html#exit-codes">ZAP's exit code</a> based on scan results.
It also allows you to choose which exit values are used.
It should typically be the last job in a plan.
<p>
If warnLevel or errorLevel are set then the job will report a warning or error if any alerts
are raised which have the same risk level or greater.
<p>
By default when ZAP is run with the <code>-cmd</code> and <code>-autorun</code> options then it will
exit with a 1 if there are any errors, with a 2 if there are any warnings, and if everything is ok
then it will exit with a 0.
These values can be overriden by the <code>*ExitValue</code> options. The <code>*ExitValues</code> can be used together
with the warn/errorLevel or completely independently of them.

<H2>YAML</H2>

<pre>
- type: exitStatus # Sets the exit code based on scan results
parameters:
errorLevel: # String: Informational, Low, Medium, High, default: not set
warnLevel: # String: Informational, Low, Medium, High, default: not set
okExitValue: # Integer: Exit value if all ok, default 0
errorExitValue: # Integer: Exit value if there are errors, default 1
warnExitValue: # Integer: Exit value if there are warnings, default 2
</pre>

</BODY>
</HTML>
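Review bot: "overriden" is misspelled, and the page should say which of `errorLevel`/`warnLevel` applies when an alert meets both thresholds.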
Original file line number Diff line number Diff line change
@@ -21,11 +21,12 @@ <H2>YAML</H2>
user: # String: An optional user to use for authenticated requests, must be defined in the env
requests: # A list of requests to make
- url: # String: A mandatory URL of the request to be made
name: # String: Optional name for the request, for documentation only
method: # String: A non-empty request method, default: GET
httpVersion: # String: The HTTP version to send the request with, default: HTTP/1.1
headers: # An optional list of additional headers to include in the request
- "header1:value1"
data: # String: Optional data to send in the request body
data: # String: Optional data to send in the request body, supports vars
responseCode: # Int: An optional, expected response code against which the actual response code will be matched
</pre>
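Review bot: the changed comment `data: # String: Optional data to send in the request body, supports vars` is too terse to act on; say which variables are meant (presumably those defined in the environment section) and the substitution syntax, and state whether `url` and `headers` support the same substitution or only `data` does, since a reader will otherwise try it in all three.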

Original file line number Diff line number Diff line change
@@ -8,7 +8,12 @@
<indexitem text="automation - environment" target="automation.env"/>
<indexitem text="automation - authentication" target="automation.auth"/>
<indexitem text="automation - addOns job" target="automation.addons"/>
<indexitem text="automation - activeScan-config job" target="automation.ascanconfig"/>
<indexitem text="automation - activeScan-policy job" target="automation.ascanpolicy"/>
<indexitem text="automation - activeScan job" target="automation.ascan"/>
<indexitem text="automation - delay job" target="automation.delay"/>
<indexitem text="automation - exitStatus job" target="automation.exitstatus"/>
<indexitem text="automation - requestor job" target="automation.requestor"/>
<indexitem text="automation - about" target="automation.about"/>
<indexitem text="automation - tests" target="automation.tests"/>
<indexitem text="automation - alert test" target="automation.test.alert"/>
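Review bot: please confirm the four new targets (`automation.ascanconfig`, `automation.ascanpolicy`, `automation.exitstatus`, `automation.requestor`) are defined in the help map; the visible context lines already show a mismatch between this file's `automation.test.alert` and the toc's `automation.tests.alert` for the same alert-test page, which suggests one of the two existing entries is stale and is worth fixing while this index is being touched.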
Original file line number Diff line number Diff line change
@@ -9,7 +9,12 @@
<tocitem text="Environment" target="automation.env"/>
<tocitem text="Authentication" target="automation.auth"/>
<tocitem text="Job: addOns" target="automation.addons"/>
<tocitem text="Job: activeScan-config" target="automation.ascanconfig"/>
<tocitem text="Job: activeScan-policy" target="automation.ascanpolicy"/>
<tocitem text="Job: activeScan" target="automation.ascan"/>
<tocitem text="Job: delay" target="automation.delay"/>
<tocitem text="Job: exitstatus" target="automation.exitstatus"/>
<tocitem text="Job: requestor" target="automation.requestor"/>
<tocitem text="Tests" target="automation.tests"/>
<tocitem text="Test: alert" target="automation.tests.alert"/>
<tocitem text="Test: monitor" target="automation.tests.monitor"/>
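Review bot: `<tocitem text="Job: exitstatus" target="automation.exitstatus"/>` uses lower-case "exitstatus" while the index entry, the job list on the automation page and the job page title all spell it "exitStatus"; since the other toc items match the YAML `type` names exactly (`activeScan-config`, `activeScan-policy`), this one should read "Job: exitStatus".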
Original file line number Diff line number Diff line change
@@ -8,7 +8,9 @@
<BODY>
<H1>Automation Framework</H1>
This add-on provides a framework that allows ZAP to be automated in an easy and flexible way.
<p>

<H3><a name="command-line-options">Command Line Options</a></H3>

It provides the following command line options:
<ul>
<li>-autorun &lt;source&gt; Run the automation jobs specified in the file or from the URL.
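Review bot: the new `<H3><a name="command-line-options">Command Line Options</a></H3>` sits directly under the page `<H1>` with no enclosing `<H2>`, and the same applies to the "Exit Codes" and "Usage" `<H3>`s added in the next hunk, so the heading hierarchy jumps from H1 to H3 and then back to H2 for Authentication, GUI and so on; either promote these three to `<H2>` or group them under a single `<H2>` (for example "Getting Started"). The dangling `<p>` left on the context line just before the heading can be dropped now that a heading separates the paragraphs.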
@@ -17,57 +19,75 @@ <H1>Automation Framework</H1>
<li>-autogenconf &lt;filename&gt; Generate template automation file using the current configuration.
</ul>

If the <code>-autorun</code> option is used with the ZAP <code>-cmd</code> option then the ZAP exit value will be set as follows:
<H3><a name="exit-codes">Exit Codes</a></H3>
If the <code>-autorun</code> option is used with the ZAP <code>-cmd</code> option then the ZAP exit value will be set by default as follows:
<ul>
<li>0 - The plan completed successfully with no errors or warnings
<li>1 - The plan reported one or more errors
<li>2 - The plan reported no errors but one or more warnings
</ul>
These values can be overridden by the <a href="job-exitstatus.html">exitStatus</a> job.<br>
Whether the plan completed after encountering errors or warnings will depend on the settings used in the <a href="environment.html">environment</a>.
<p>

<H3><a name="usage">Usage</a></H3>
To use the automation framework:
<ol>
<li>Generate a template automation file using one of the <code>-autogen*</code> command line options
<li>Edit the file to match your requirements
<li>Run the file using the <code>-autorun</code> commandline option e.g. <code>./zap.sh -cmd -autorun config.yaml</code>
</ol>

<strong>Note:</strong> The Jobs are executed in the order in which they appear (top to bottom) within the Plan.
<p>
In most cases it is recommended to also use the <code>-cmd</code> command line option so that the ZAP desktop is not displayed
and ZAP exits as soon as it has finished generating or running the jobs defined in the file.
However you can choose to run Automation Framework jobs using the ZAP desktop to help you debug issues.

<H2>Authentication</H2>
<H2><a name="authentication">Authentication</a></H2>
The Automation Framework supports all of the <a href="authentication.html">authentication</a> mechanisms supported by ZAP.

<H2>GUI</H2>
<H2><a name="gui">GUI</a></H2>
A <a href="gui.html">GUI</a> is under development and provides an ever increasing set of features.

<H2>Options</H2>
<H2><a name="options">Options</a></H2>
The <a href="options.html">Automation Options</a> screen allows you to configure specific options.

<H2>API</H2>
<H2><a name="api">API</a></H2>
The following API endpoints are provided by this add-on:
<ul>
<li>Action: runPlan(filePath) - loads and asynchronously runs the plan in the specified file, returning a planId</li>
<li>View: planProgress(planId) - returns the progress details for the specified planId</li>
</ul>
If the ZAP desktop is being used then the plan will also be shown in the GUI to make it easier to diagnose any problems.

<H2>Environment</H2>
<H2><a name="environment">Environment</a></H2>
The <a href="environment.html">environment</a> section of the file defines the applications which the rest of the jobs can act on.

<H2>File Paths</H2>
<H2><a name="file-paths">File Paths</a></H2>
All file and directory paths can either be absolute or relative to the directory containing the plan.
Relative paths are recommended for portability.

<H2>Jobs</H2>
<H2><a name="jobs">Jobs</a></H2>
The jobs can be enabled/disabled through the GUI and the automation plan, with the <code>enabled</code> flag. Jobs are enabled by default.
<p>
The following automation jobs are supported by this add-on:
<ul>
<li><a href="job-ascanconfig.html">activeScan-config</a> - configures the active scanner</li>
<li><a href="job-ascanpolicy.html">activeScan-policy</a> - creates an active policy</li>
<li><a href="job-addons.html">addOns</a> - add-on management, now deprecated</li>
<li><a href="job-delay.html">delay</a> - pauses the plan for a specified period of time or a specific condition is met</li>
<li><a href="job-requestor.html">requestor</a> - crafts specific requests to send to the corresponding targets</li>
<li><a href="job-ascan.html">activeScan</a> - runs the active scanner</li>
<li><a href="job-exitstatus.html">exitStatus</a> - sets ZAP's exit code based on scan results</li>
</ul>

<H3>Importance of Job Order</H3>
The order of jobs is relevant and important. For example:
<ul>
<li>there is no point putting a passiveScan-wait job before any sort of spidering or importing</li>
<li>configuring an alertFilter job after alerts have been generated by passive or active scanning will have no effect on the Alerts that were raised by those components in earlier jobs</li>
</ul>>

<p>
<a href="tests.html">Job tests</a> can be added to jobs to check that the jobs have performed as expected.
<p>
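Review bot: the added "Importance of Job Order" section closes its list with `</ul>>`, leaving a stray `>` that will render as visible text; it should be `</ul>`. In the same region: `<H3>Importance of Job Order</H3>` is the only new heading without a named anchor, unlike `<H2><a name="jobs">Jobs</a></H2>` and the others; "commandline option" should be "command line option" to match the "Command Line Options" heading; and the delay entry "pauses the plan for a specified period of time or a specific condition is met" reads better as "or until a specific condition is met". The job list is also in no obvious order (activeScan-config, activeScan-policy, addOns, delay, requestor, activeScan, exitStatus); sorting it alphabetically or by typical plan order would help readers find entries.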
Original file line number Diff line number Diff line change
@@ -32,7 +32,7 @@ <H2>YAML</H2>
handleAntiCSRFTokens: # Bool: If set then automatically handle anti CSRF tokens, default: false
injectPluginIdInHeader: # Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false
scanHeadersAllRequests: # Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false
threadPerHost: # Int: The max number of threads per host, default: 2
threadPerHost: # Int: The max number of threads per host, default: 2 * Number of available processor cores
maxAlertsPerRule: # Int: Maximum number of alerts to raise per rule, default: 0 unlimited
policyDefinition: # The policy definition - only used if the 'policy' is not set
defaultStrength: # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
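Review bot: the new default `threadPerHost: # Int: The max number of threads per host, default: 2 * Number of available processor cores` is not reflected on the activeScan-config page added in this same change, which still documents `threadPerHost` as `default: 2`; the two should agree, or the activeScan-config page should say that its value is what this job falls back to. Consider also spelling the default out in words ("twice the number of available processor cores") so it is not read as a literal value.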
@@ -44,6 +44,12 @@ <H2>YAML</H2>
threshold: # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium
</pre>

<strong>Note</strong>: Unless the <code>defaultThreshold</code> of the <code>policyDefinition</code> is <code>OFF</code> all rules will be enabled to start with.

<p>
The policy can be one defined by a previous <a href="job-ascanpolicy.html">activeScan-policy</a> job, or by a scan policy file
that has been put in <code>policies</code> directory under ZAP's <a href="https://www.zaproxy.org/faq/what-is-the-default-directory-that-zap-uses/">HOME directory</a> .

<H2>Job Data</H2>
The following class will be made available to add-ons that provide access to the Job Data such as the Reporting add-on.
Note that in this case the data is from the last Active Scan, regardless of whether it was started by the Automation Framework, the UI, or the API.
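Review bot: the note "Unless the <code>defaultThreshold</code> of the <code>policyDefinition</code> is <code>OFF</code>" spells the value `OFF` while the YAML comment two lines above lists the accepted values as "Off, Low, Medium, High"; use the same casing so users know which form the parser expects. Two small wording fixes in the added paragraph: "put in <code>policies</code> directory" needs "the" before `<code>policies</code>`, and there is a stray space before the full stop after the HOME directory link.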
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>
Automation Framework - activeScan-config Job
</TITLE>
</HEAD>
<BODY>
<H1>Automation Framework - activeScan-config Job</H1>

This job configures the active scanner, for custom active scans (e.g. Sequence).

<H2>YAML</H2>

<pre>
- type: activeScan-config # Configures the settings of the active scanner.
parameters:
maxRuleDurationInMins: # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
maxScanDurationInMins: # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
maxAlertsPerRule: # Int: Maximum number of alerts to raise per rule, default: 0 unlimited
defaultPolicy: # String: The name of the default scan policy to use, default: Default Policy
handleAntiCSRFTokens: # Bool: If set then automatically handle anti CSRF tokens, default: false
injectPluginIdInHeader: # Bool: If set then the relevant rule ID will be injected into the X-ZAP-Scan-ID header of each request, default: false
threadPerHost: # Int: The max number of threads per host, default: 2
inputVectors: # The input vectors used during the active scan.
urlQueryStringAndDataDrivenNodes: # Configures the scanning of query parameters and DDNs.
enabled: # Bool: If query parameters and DDNs scanning should be enabled. Default: true
addParam: # Bool: If a query parameter should be added if none present. Default: false
odata: # Bool: If OData query filters should be scanned. Default: true
postData: # Configures the scanning of request bodies.
enabled: # Bool: If enabled. Default: true
multiPartFormData: # Bool: If multipart form data bodies should be scanned. Default: true
xml: # Bool: If XML bodies should be scanned. Default: true
json: # Configures the scanning of JSON bodies.
enabled: # Bool: If JSON scanning should be enabled. Default: true
scanNullValues: # Bool: If null values should be scanned. Default: false
googleWebToolkit: # Bool: If GWT scanning should be enabled. Default: false
directWebRemoting: # Bool: If DWR scanning should be enabled. Default: false
urlPath: # Bool: If URL path segments should be scanned. Default: false
httpHeaders: # Configures the scanning of HTTP headers.
enabled: # Bool: If HTTP header scanning should be enabled. Default: false
allRequests: # Bool: If set then the headers of requests that do not include any parameters will be scanned. Default: false
cookieData: # Configures the scanning of cookies.
enabled: # Bool: If enabled. Default: false
encodeCookieValues: # Bool: If cookie values should be encoded. Default: false
scripts: # Bool: If Input Vector scripts should be used. Default: true
</pre>

</BODY>
</HTML>
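Review bot: `threadPerHost: # Int: The max number of threads per host, default: 2` contradicts the job-ascan page in this same change, which now documents the default as "2 * Number of available processor cores"; align the two. Several parameters here (`handleAntiCSRFTokens`, `injectPluginIdInHeader`, `threadPerHost`, `maxAlertsPerRule`) also appear on the activeScan job, so the introduction "This job configures the active scanner, for custom active scans (e.g. Sequence)" should say which value takes precedence when both jobs set the same option and whether this job's settings persist for later activeScan jobs in the plan. Minor: "rule ID" here versus "rule Id" in the job-ascan comment for the same `injectPluginIdInHeader` option.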

Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>
Automation Framework - activeScan-policy Job
</TITLE>
</HEAD>
<BODY>
<H1>Automation Framework - activeScan-policy Job</H1>

This job defines an active scan policy. This policy can be used later in the plan by active scan related jobs,
like <a href="job-ascan.html">activeScan</a> job.

<H2>YAML</H2>

<pre>
- type: activeScan-policy # Defines a new active scan policy which can be used by later activeScan related jobs
parameters:
name: # String: Name of the policy, mandatory
policyDefinition: # The policy definition
defaultStrength: # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
defaultThreshold: # String: The default Alert Threshold for all rules, one of Off, Low, Medium, High, default: Medium
rules: # A list of one or more active scan rules and associated settings which override the defaults
- id: # Int: The rule id as per https://www.zaproxy.org/docs/alerts/
name: # Comment: The name of the rule for documentation purposes - this is not required or actually used
strength: # String: The Attack Strength for this rule, one of Low, Medium, High, Insane, default: Medium
threshold: # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium
</pre>

</BODY>
</HTML>
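Review bot: "This policy can be used later in the plan by active scan related jobs, like <a href="job-ascan.html">activeScan</a> job." needs "the" before "activeScan job" (or "such as the activeScan job"), and "active scan related" is better hyphenated as "active-scan-related". The same per-rule `strength`/`threshold` "default: Medium" ambiguity raised on the earlier copy of this page applies here as well: state whether an omitted per-rule value falls back to Medium or to the policy's `defaultStrength`/`defaultThreshold`.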

Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>
Automation Framework - exitStatus Job
</TITLE>
</HEAD>
<BODY>
<H1>Automation Framework - exitStatus Job</H1>

This job sets <a href="automation.html#exit-codes">ZAP's exit code</a> based on scan results.
It also allows you to choose which exit values are used.
It should typically be the last job in a plan.
<p>
If warnLevel or errorLevel are set then the job will report a warning or error if any alerts
are raised which have the same risk level or greater.
<p>
By default when ZAP is run with the <code>-cmd</code> and <code>-autorun</code> options then it will
exit with a 1 if there are any errors, with a 2 if there are any warnings, and if everything is ok
then it will exit with a 0.
These values can be overriden by the <code>*ExitValue</code> options. The <code>*ExitValues</code> can be used together
with the warn/errorLevel or completely independently of them.

<H2>YAML</H2>

<pre>
- type: exitStatus # Sets the exit code based on scan results
parameters:
errorLevel: # String: Informational, Low, Medium, High, default: not set
warnLevel: # String: Informational, Low, Medium, High, default: not set
okExitValue: # Integer: Exit value if all ok, default 0
errorExitValue: # Integer: Exit value if there are errors, default 1
warnExitValue: # Integer: Exit value if there are warnings, default 2
</pre>

</BODY>
</HTML>
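Review bot: this file repeats the exitStatus page reviewed above verbatim, so the same fixes apply here: "overriden" should be "overridden", `*ExitValue` and `*ExitValues` should be used consistently, and the sentence on default exit values should state that errors take precedence over warnings, as the main automation page does.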
Original file line number Diff line number Diff line change
@@ -21,11 +21,12 @@ <H2>YAML</H2>
user: # String: An optional user to use for authenticated requests, must be defined in the env
requests: # A list of requests to make
- url: # String: A mandatory URL of the request to be made
name: # String: Optional name for the request, for documentation only
method: # String: A non-empty request method, default: GET
httpVersion: # String: The HTTP version to send the request with, default: HTTP/1.1
headers: # An optional list of additional headers to include in the request
- "header1:value1"
data: # String: Optional data to send in the request body
data: # String: Optional data to send in the request body, supports vars
responseCode: # Int: An optional, expected response code against which the actual response code will be matched
</pre>

Original file line number Diff line number Diff line change
@@ -8,7 +8,12 @@
<indexitem text="automation - environment" target="automation.env"/>
<indexitem text="automation - authentication" target="automation.auth"/>
<indexitem text="automation - addOns job" target="automation.addons"/>
<indexitem text="automation - activeScan-config job" target="automation.ascanconfig"/>
<indexitem text="automation - activeScan-policy job" target="automation.ascanpolicy"/>
<indexitem text="automation - activeScan job" target="automation.ascan"/>
<indexitem text="automation - delay job" target="automation.delay"/>
<indexitem text="automation - exitStatus job" target="automation.exitstatus"/>
<indexitem text="automation - requestor job" target="automation.requestor"/>
<indexitem text="automation - about" target="automation.about"/>
<indexitem text="automation - tests" target="automation.tests"/>
<indexitem text="automation - alert test" target="automation.test.alert"/>
Original file line number Diff line number Diff line change
@@ -9,7 +9,12 @@
<tocitem text="Environment" target="automation.env"/>
<tocitem text="Authentication" target="automation.auth"/>
<tocitem text="Job: addOns" target="automation.addons"/>
<tocitem text="Job: activeScan-config" target="automation.ascanconfig"/>
<tocitem text="Job: activeScan-policy" target="automation.ascanpolicy"/>
<tocitem text="Job: activeScan" target="automation.ascan"/>
<tocitem text="Job: delay" target="automation.delay"/>
<tocitem text="Job: exitstatus" target="automation.exitstatus"/>
<tocitem text="Job: requestor" target="automation.requestor"/>
<tocitem text="Tests" target="automation.tests"/>
<tocitem text="Test: alert" target="automation.tests.alert"/>
<tocitem text="Test: monitor" target="automation.tests.monitor"/>
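Review bot: as in the earlier copy of this toc, `<tocitem text="Job: exitstatus" .../>` should read "Job: exitStatus" to match the job's `type` name and the index entry.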
Original file line number Diff line number Diff line change
@@ -8,7 +8,9 @@
<BODY>
<H1>Automation Framework</H1>
This add-on provides a framework that allows ZAP to be automated in an easy and flexible way.
<p>

<H3><a name="command-line-options">Command Line Options</a></H3>

It provides the following command line options:
<ul>
<li>-autorun &lt;source&gt; Run the automation jobs specified in the file or from the URL.
@@ -17,57 +19,75 @@ <H1>Automation Framework</H1>
<li>-autogenconf &lt;filename&gt; Generate template automation file using the current configuration.
</ul>

If the <code>-autorun</code> option is used with the ZAP <code>-cmd</code> option then the ZAP exit value will be set as follows:
<H3><a name="exit-codes">Exit Codes</a></H3>
If the <code>-autorun</code> option is used with the ZAP <code>-cmd</code> option then the ZAP exit value will be set by default as follows:
<ul>
<li>0 - The plan completed successfully with no errors or warnings
<li>1 - The plan reported one or more errors
<li>2 - The plan reported no errors but one or more warnings
</ul>
These values can be overridden by the <a href="job-exitstatus.html">exitStatus</a> job.<br>
Whether the plan completed after encountering errors or warnings will depend on the settings used in the <a href="environment.html">environment</a>.
<p>

<H3><a name="usage">Usage</a></H3>
To use the automation framework:
<ol>
<li>Generate a template automation file using one of the <code>-autogen*</code> command line options
<li>Edit the file to match your requirements
<li>Run the file using the <code>-autorun</code> commandline option e.g. <code>./zap.sh -cmd -autorun config.yaml</code>
</ol>

<strong>Note:</strong> The Jobs are executed in the order in which they appear (top to bottom) within the Plan.
<p>
In most cases it is recommended to also use the <code>-cmd</code> command line option so that the ZAP desktop is not displayed
and ZAP exits as soon as it has finished generating or running the jobs defined in the file.
However you can choose to run Automation Framework jobs using the ZAP desktop to help you debug issues.

<H2>Authentication</H2>
<H2><a name="authentication">Authentication</a></H2>
The Automation Framework supports all of the <a href="authentication.html">authentication</a> mechanisms supported by ZAP.

<H2>GUI</H2>
<H2><a name="gui">GUI</a></H2>
A <a href="gui.html">GUI</a> is under development and provides an ever increasing set of features.

<H2>Options</H2>
<H2><a name="options">Options</a></H2>
The <a href="options.html">Automation Options</a> screen allows you to configure specific options.

<H2>API</H2>
<H2><a name="api">API</a></H2>
The following API endpoints are provided by this add-on:
<ul>
<li>Action: runPlan(filePath) - loads and asynchronously runs the plan in the specified file, returning a planId</li>
<li>View: planProgress(planId) - returns the progress details for the specified planId</li>
</ul>
If the ZAP desktop is being used then the plan will also be shown in the GUI to make it easier to diagnose any problems.

<H2>Environment</H2>
<H2><a name="environment">Environment</a></H2>
The <a href="environment.html">environment</a> section of the file defines the applications which the rest of the jobs can act on.

<H2>File Paths</H2>
<H2><a name="file-paths">File Paths</a></H2>
All file and directory paths can either be absolute or relative to the directory containing the plan.
Relative paths are recommended for portability.

<H2>Jobs</H2>
<H2><a name="jobs">Jobs</a></H2>
The jobs can be enabled/disabled through the GUI and the automation plan, with the <code>enabled</code> flag. Jobs are enabled by default.
<p>
The following automation jobs are supported by this add-on:
<ul>
<li><a href="job-ascanconfig.html">activeScan-config</a> - configures the active scanner</li>
<li><a href="job-ascanpolicy.html">activeScan-policy</a> - creates an active policy</li>
<li><a href="job-addons.html">addOns</a> - add-on management, now deprecated</li>
<li><a href="job-delay.html">delay</a> - pauses the plan for a specified period of time or a specific condition is met</li>
<li><a href="job-requestor.html">requestor</a> - crafts specific requests to send to the corresponding targets</li>
<li><a href="job-ascan.html">activeScan</a> - runs the active scanner</li>
<li><a href="job-exitstatus.html">exitStatus</a> - sets ZAP's exit code based on scan results</li>
</ul>

<H3>Importance of Job Order</H3>
The order of jobs is relevant and important. For example:
<ul>
<li>there is no point putting a passiveScan-wait job before any sort of spidering or importing</li>
<li>configuring an alertFilter job after alerts have been generated by passive or active scanning will have no effect on the Alerts that were raised by those components in earlier jobs</li>
</ul>>

<p>
<a href="tests.html">Job tests</a> can be added to jobs to check that the jobs have performed as expected.
<p>
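Review bot: this file duplicates the automation page reviewed above, including the stray `>` in `</ul>>` at the end of the "Importance of Job Order" list, which should be `</ul>`; the heading-level, anchor, "commandline" and delay-wording points raised on the earlier copy apply here unchanged.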