Initial commit

2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions
--- a/skills/appsec/dast-zap/assets/zap_automation.yaml
+++ b/skills/appsec/dast-zap/assets/zap_automation.yaml
@@ -0,0 +1,196 @@
+# OWASP ZAP Automation Framework Configuration
+# Complete automation workflow for web application security testing
+
+env:
+  contexts:
+    - name: WebApp-Security-Scan
+      urls:
+        - ${TARGET_URL}
+      includePaths:
+        - ${TARGET_URL}.*
+      excludePaths:
+        - .*logout.*
+        - .*signout.*
+        - .*\\.css
+        - .*\\.js
+        - .*\\.png
+        - .*\\.jpg
+        - .*\\.gif
+        - .*\\.svg
+      authentication:
+        method: form
+        parameters:
+          loginUrl: ${LOGIN_URL}
+          loginRequestData: username={%username%}&password={%password%}
+        verification:
+          method: response
+          loggedInRegex: "\\QWelcome\\E"
+          loggedOutRegex: "\\QLogin\\E"
+      sessionManagement:
+        method: cookie
+        parameters:
+          sessionCookieName: JSESSIONID
+      users:
+        - name: test-user
+          credentials:
+            username: ${TEST_USERNAME}
+            password: ${TEST_PASSWORD}
+
+  parameters:
+    failOnError: true
+    failOnWarning: false
+    progressToStdout: true
+
+  vars:
+    target_url: ${TARGET_URL}
+    api_key: ${ZAP_API_KEY}
+
+jobs:
+  # Environment setup
+  - type: environment
+    parameters:
+      deleteGlobalAlerts: true
+      updateAddOns: true
+
+  # Import OpenAPI specification (if available)
+  - type: openapi
+    parameters:
+      apiFile: ${OPENAPI_SPEC_FILE}
+      apiUrl: ${TARGET_URL}
+      targetUrl: ${TARGET_URL}
+      context: WebApp-Security-Scan
+    optional: true
+
+  # Spider crawling
+  - type: spider
+    parameters:
+      context: WebApp-Security-Scan
+      user: test-user
+      maxDuration: 10
+      maxDepth: 5
+      maxChildren: 10
+      acceptCookies: true
+      handleODataParametersVisited: true
+      parseComments: true
+      parseRobotsTxt: true
+      parseSitemapXml: true
+      parseSVNEntries: true
+      parseGit: true
+      postForm: true
+      processForm: true
+      requestWaitTime: 200
+
+  # AJAX Spider for JavaScript-heavy applications
+  - type: spiderAjax
+    parameters:
+      context: WebApp-Security-Scan
+      user: test-user
+      maxDuration: 10
+      maxCrawlDepth: 5
+      numberOfBrowsers: 2
+      browserId: firefox-headless
+      clickDefaultElems: true
+      clickElemsOnce: true
+      eventWait: 1000
+      reloadWait: 1000
+    optional: true
+
+  # Wait for passive scanning to complete
+  - type: passiveScan-wait
+    parameters:
+      maxDuration: 5
+
+  # Configure passive scan rules
+  - type: passiveScan-config
+    parameters:
+      maxAlertsPerRule: 10
+      scanOnlyInScope: true
+      enableTags: true
+      disableRules:
+        - 10096  # Timestamp Disclosure (informational)
+
+  # Active scanning
+  - type: activeScan
+    parameters:
+      context: WebApp-Security-Scan
+      user: test-user
+      policy: Default Policy
+      maxRuleDurationInMins: 5
+      maxScanDurationInMins: 30
+      addQueryParam: false
+      defaultPolicy: Default Policy
+      delayInMs: 0
+      handleAntiCSRFTokens: true
+      injectPluginIdInHeader: false
+      scanHeadersAllRequests: false
+      threadPerHost: 2
+
+  # Wait for active scanning to complete
+  - type: activeScan-wait
+
+  # Generate reports
+  - type: report
+    parameters:
+      template: traditional-html
+      reportDir: ${REPORT_DIR}
+      reportFile: security-report.html
+      reportTitle: Web Application Security Assessment
+      reportDescription: Automated DAST scan using OWASP ZAP
+      displayReport: false
+
+  - type: report
+    parameters:
+      template: traditional-json
+      reportDir: ${REPORT_DIR}
+      reportFile: security-report.json
+      reportTitle: Web Application Security Assessment
+
+  - type: report
+    parameters:
+      template: traditional-xml
+      reportDir: ${REPORT_DIR}
+      reportFile: security-report.xml
+      reportTitle: Web Application Security Assessment
+
+  - type: report
+    parameters:
+      template: sarif-json
+      reportDir: ${REPORT_DIR}
+      reportFile: security-report.sarif
+      reportTitle: Web Application Security Assessment (SARIF)
+    optional: true
+
+# Alert filters (false positive suppression)
+alertFilters:
+  - ruleId: 10021
+    newRisk: Info
+    url: ".*\\.css|.*\\.js|.*cdn\\..*"
+    context: WebApp-Security-Scan
+
+  - ruleId: 10096
+    newRisk: Info
+    url: ".*api\\..*"
+    parameter: "created_at|updated_at|timestamp"
+    context: WebApp-Security-Scan
+
+# Scan policies
+policies:
+  - name: Default Policy
+    defaultStrength: Medium
+    defaultThreshold: Medium
+    rules:
+      - id: 40018  # SQL Injection
+        strength: High
+        threshold: Low
+      - id: 40012  # Cross-Site Scripting (Reflected)
+        strength: High
+        threshold: Low
+      - id: 40014  # Cross-Site Scripting (Persistent)
+        strength: High
+        threshold: Low
+      - id: 90019  # Server-Side Code Injection
+        strength: High
+        threshold: Low
+      - id: 90020  # Remote OS Command Injection
+        strength: High
+        threshold: Low