Comments (24)
Also, if there are various alerts for a single rule it would be best to tackle them all at the same time in the same PR. (Ex: Tackle 90019*)
Edit: Which you did, perhaps unknowingly 😉
from zaproxy.
I've added a PR reference for those for which the Vulnerabilities.xml entry was adjusted but they still need examples and testing, so are not checked off (though maybe that's more 6119?).
from zaproxy.
IMO we should only check the ones that were already merged, and yes, the validation of refs should be left for other issue.
from zaproxy.
WASC is dead as far as I'm concerned so I'd suggest changing it to something else, or dropping it if you can't find something useful. When I was going through the vulnerabilities.xml changes I found that the OWASP Cheat Sheet project had good sources to replace WASC for a lot of things.
from zaproxy.
@thc202 Can I try https://www.zaproxy.org/docs/alerts/40013/
from zaproxy.
@jay3393 go for it!
from zaproxy.
@psiinon, I would like to work on some of these. After going through the code, especially for https://www.zaproxy.org/docs/alerts/10019/
https://www.zaproxy.org/docs/alerts/10021/
I think we only need to change the message.properties file of the respective alerts, am I right?
from zaproxy.
Yes.
from zaproxy.
I would now work on https://www.zaproxy.org/docs/alerts/90019-2/
I will always edit this post when I finish or start the next one.
from zaproxy.
Better pick several and post a new comment, otherwise we will have to check the comment for edits (they don't raise notifications like new comments do).
from zaproxy.
I will work on:
https://www.zaproxy.org/docs/alerts/90011/ done
https://www.zaproxy.org/docs/alerts/20014/ done
https://www.zaproxy.org/docs/alerts/10035/ done
from zaproxy.
For 20014 please update the existing PR (if still open by then).
from zaproxy.
All the above done. General question: For some links, if you change them from HTTP to HTTPS, the link still works, but the certificate of the reference page is invalid because it is issued for the wrong domain (https://projects.webappsec.org/w/page/13246925/Fingerprinting)
Should the old reference be retained or replaced with a completely new one?
from zaproxy.
https://www.zaproxy.org/docs/alerts/3-1/ and https://www.zaproxy.org/docs/alerts/3-2/
are written 1:1 the same. Shouldn't one of the two alerts be removed?
from zaproxy.
Yeah, it does look like these should be the same type of alerts, even though the detection code is slightly different. This would require a code change.
Thoughts @thc202 @kingthorin ?
from zaproxy.
It becomes a bigger issue to drop or renumber things. It could mess with people's alert filters.
I'd have to look at the code again to see the difference(s).
from zaproxy.
For my two cents leave it as-is for now.
from zaproxy.
I'm working through example alerts and refs in pscanrules over the weekend. I'll update the lists on both issues as I go.
from zaproxy.
Hello, @psiinon
It's Aditya again. I would like to work on this issue.
from zaproxy.
Reserved, go ahead :)
from zaproxy.
I'm working on
https://www.zaproxy.org/docs/alerts/40044/
from zaproxy.
Re: https://www.zaproxy.org/docs/alerts/10053/ I've checked it off as it's a deprecated rule.
Edit: Fixed on the site in zaproxy/zaproxy-website#2389
from zaproxy.
@psiinon,
I am willing to work on https://www.zaproxy.org/docs/alerts/30003/ if it isn't resolved.
from zaproxy.
It's not, now assigned to you.
from zaproxy.