ZAP Rules for Detecting Vulnerabilities
Jit runs the following ZAP rules during Dynamic Application Security Testing (DAST). Note that the text in the Description Summary has been adapted from ZAP documentation and ChatGPT.
Rule | Passive | Active | Web | API | Alert | Description Summary |
---|---|---|---|---|---|---|
6 | ✓ | ✓ | Path Traversal | Manipulates URLs to access files, directories and commands that potentially reside outside the web document's root directory. | ||
7 | ✓ | ✓ | Remote File Inclusion | Exploits the dynamic file include mechanism in web applications: user input is passed into file include commands, so the application can be manipulated into including remote files that hold malicious code. | ||
41 | ✓ | ✓ | ✓ | Source Code Disclosure - Git | The source code of the current page has been disclosed by the web server. | |
42 | ✓ | ✓ | ✓ | Source Code Disclosure - SVN | The source code of the current page has been disclosed by the web server. | |
43 | ✓ | ✓ | ✓ | Source Code Disclosure - File Inclusion | Unauthorized access to the source code of a web application. Attackers may exploit this vulnerability to identify weaknesses in the code and potentially find other security issues. | |
10003 | ✓ | ✓ | ✓ | Vulnerable JS Library | The identified ExampleLibrary x.y.z library is vulnerable. | |
10020 | ✓ | ✓ | Anti-clickjacking Header | 10020-1 Missing Anti-Clickjacking header. 10020-2 Multiple X-Frame-Options header entries. 10020-3 X-Frame-Options Defined via META. An X-Frame-Options (XFO) META tag was found. 10020-4 X-Frame-Options Setting Malformed. | ||
10028 | ✓ | ✓ | Open Redirect | Examines user-supplied input in query string parameters and POST data to identify open redirects, which occur when an application allows user-supplied input to control an offsite redirect. | ||
10033 | ✓ | ✓ | Directory Browsing | A directory listing may be accessible, which can reveal sensitive contents such as hidden scripts, include files and backup source files. | ||
10035 | ✓ | ✓ | ✓ | Strict-Transport-Security Header | HSTS is a web security policy mechanism where a web server declares that complying user agents are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). | |
10038 | ✓ | ✓ | ✓ | Content Security Policy (CSP) Header Not Set | 10038-1 Content Security Policy (CSP) Header Not Set. 10038-2 Obsolete Content Security Policy (CSP) Header Found. 10038-3 Content Security Policy (CSP) Report-Only Header Found. | |
10041 | ✓ | ✓ | HTTP to HTTPS Insecure Transition in Form Post | Searches for insecure HTTP pages that host HTTPS forms. An insecure HTTP page might be hijacked through MITM whereby the secure HTTPS form is replaced or spoofed. | ||
10042 | ✓ | ✓ | HTTPS to HTTP Insecure Transition in Form Post | Identifies secure HTTPS pages that host insecure HTTP forms, where a secure page transitions to an insecure page when data is uploaded through a form. The user may think they are submitting data to a secure page when in fact they are not. | ||
10045 | ✓ | ✓ | Source Code Disclosure - /WEB-INF folder | Unauthorized access to the content of the /WEB-INF folder, allowing attackers to view sensitive files, including Java classes, configuration files, and potentially other resources. | ||
10048 | ✓ | ✓ | Remote Code Execution - Shell Shock | The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. | ||
10055 | ✓ | ✓ | CSP | CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers may load on a page. 10055-1 CSP: X-Content-Security-Policy. 10055-2 CSP: X-WebKit-CSP. 10055-3 CSP: Notices. 10055-4 CSP: Wildcard Directive. 10055-5 CSP: script-src unsafe-inline. 10055-6 CSP: style-src unsafe-inline. 10055-7 CSP: script-src unsafe-hashes. 10055-8 CSP: style-src unsafe-hashes. 10055-9 CSP: Malformed Policy (Non-ASCII). 10055-10 CSP: script-src unsafe-eval. 10055-11 CSP: Meta Policy Invalid Directive. 10055-12 CSP: Header & Meta. | ||
10108 | ✓ | ✓ | Reverse Tabnabbing | At least one link on this page is vulnerable to Reverse tabnabbing since it uses a target attribute without using both of the noopener and noreferrer keywords in the rel attribute. | ||
10109 | ✓ | ✓ | Modern Web Application | An informational alert indicating that the application appears to be a modern web application. | ||
20017 | ✓ | ✓ | ✓ | Source Code Disclosure - CVE-2012-1823 | A security issue in the PHP programming language that allows remote attackers to execute arbitrary code and possibly gain unauthorized access to a server. | |
20019 | ✓ | ✓ | ✓ | External Redirect | URL redirectors are employed by websites to forward an incoming request to an alternate resource. | |
40009 | ✓ | ✓ | ✓ | Server Side Include | Specific parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code execution. | |
40012 | ✓ | ✓ | Cross Site Scripting (Reflected) | Cross-site Scripting attacks can be either non-persistent or DOM-based attacks, where users access a malicious link or website, often when the vulnerable resource only accepts HTTP POST requests, or persistent attacks, where malicious code is saved on a website for a period. Targets of persistent attacks include message board posts, web mail messages, and web chat software. | ||
40018 | ✓ | ✓ | ✓ | SQL Injection | Possible SQL injection. | |
90019 | ✓ | ✓ | Server Side Code Injection | 90019-1 Server side code injection - PHP code injection, possible code injection including custom code to be evaluated by the scripting engine. 90019-2 Server side code injection - ASP code injection, possible code injection including custom code to be evaluated by the scripting engine. | ||
90020 | ✓ | Remote OS Command Injection | Unauthorized execution of operating system commands, which occurs when an application uses untrusted input to build operating system commands with improper data sanitization and/or improper calling of external programs. | |||
90021 | ✓ | ✓ | XPath Injection | Exploits applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents. | ||
90022 | ✓ | ✓ | Application Error Disclosure | Error/warning message that may disclose sensitive information which may be used to launch further attacks against the web application. The alert could be a false positive if the error message is found in a documentation page. | ||
90023 | ✓ | ✓ | ✓ | XML External Entity Attack | Takes advantage of an XML feature for building documents dynamically at the time of processing. An XML message can provide data either explicitly or by pointing to the data's URL. | |
90024 | ✓ | ✓ | Generic Padding Oracle | Manipulates the padding on an encrypted string to generate an error message that indicates a suspected padding oracle vulnerability. | ||
90025 | ✓ | ✓ | ✓ | Expression Language Injection | The software constructs all or part of an EL statement in a JSP using externally-influenced input from an upstream component. It does not neutralize, or incorrectly neutralizes, special elements that could modify the intended EL statement before it is executed. | |
90034 | ✓ | ✓ | ✓ | Cloud Metadata Potentially Exposed | Attempts to abuse a misconfigured NGINX server to access the instance metadata maintained by cloud service providers like AWS, GCP and Azure. |
Updated 10 months ago