Automated security tools have many advantages: they save time, they enable finding security vulnerabilities without the need for user interaction and they deliver instant reports. Unfortunately they also have their downsides. Anyone who uses tools like Burp Suite or OWASP ZAP has to deal with false positives. Luckily, however, these tools all have options to mark findings as false positives so they will be excluded from the report. This is trivial when one uses these automated tools manually from their own computer. But things get tricky when they are integrated in a Systems Development Life Cycle (SDLC) and there is no user interaction involved. I encountered this problem in my previous set-ups. How can you mark findings as false positives in that case? These automated security tools are fully controlled by scripts in the build pipeline. The obvious solution therefore would be to set false positives in advance using a script. Using this approach causes such findings to be ignored and skipped when they are encountered during the active scan. The OWASP ZAP Alert Filter add-on allows you to automatically override the risk levels of any alerts raised by the active and passive scan rules within a context. You can install this plugin by simply copying the file to the plugins directory in the ZAP installation location.

This add-on creates a new endpoint which is accessible through ZAP's REST API. Thus it can be used through scripting to set false positives before a scan starts! I wrote a small Proof Of Concept below demonstrating the plugin's usage. The scenario is as follows: a target application exists which is continuously scanned in the development pipeline. The HTML report is saved afterwards in, for example, Jenkins. You find out that a particular finding is a false positive which shows up in the report each time. With the script below you can provide the specific URL, parameter, and vulnerability type in order to mark it as a false positive. This add-on requires the target applications to be in a ZAP context. The tricky part is that since we feed Selenium tests through the proxy before the scan starts, we don't know upfront which hosts will be found. I decided to put all found hosts in the Default Context.
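The following is an added example of the approach described above (putting every host ZAP has seen into the Default Context, then registering an alert filter that marks one URL/parameter/rule combination as a false positive before the scan starts). It is not the post's own script and not code shipped with the add-on. It assumes ZAP runs locally on port 8080 with an API key, that the Alert Filter add-on exposes `alertFilter/action/addAlertFilter` with the parameters used below (`newLevel=-1` meaning False Positive), that the Default Context has id 1, and that `core/view/sites` and `context/action/includeInContext` are available; the sample host and rule id are constructed values for illustration.

```python
"""Register ZAP alert filters (false positives) through the REST API before a scan.

Added example; not the original post's script. Assumptions are marked inline.
"""
import json
import urllib.parse
import urllib.request

ZAP_API = "http://localhost:8080"   # assumption: ZAP daemon reachable here
API_KEY = "changeme"                # assumption: the API key configured in ZAP
DEFAULT_CONTEXT_ID = 1              # assumption: id of ZAP's "Default Context"
FALSE_POSITIVE = -1                 # Alert Filter "newLevel" value for False Positive


def build_api_request(component, action, params, api_key=API_KEY, base=ZAP_API):
    """Build a ZAP JSON API action URL: /JSON/<component>/action/<action>/?...

    Parameters whose value is None are left out so ZAP applies its defaults.
    """
    query = {k: v for k, v in params.items() if v is not None}
    query["apikey"] = api_key
    return f"{base}/JSON/{component}/action/{action}/?" + urllib.parse.urlencode(query)


def false_positive_filter(context_id, rule_id, url, parameter=None, url_is_regex=False):
    """Parameters for alertFilter/action/addAlertFilter that mark a finding as a false positive.

    rule_id is the scan rule (plugin) id that raised the alert; url and parameter narrow
    the filter to the one finding that keeps showing up in the report.
    """
    return {
        "contextId": context_id,
        "ruleId": rule_id,
        "newLevel": FALSE_POSITIVE,
        "url": url,
        "urlIsRegex": "true" if url_is_regex else "false",
        "parameter": parameter,
        "enabled": "true",
    }


def site_include_regex(site):
    """Context include pattern for one site as listed by core/view/sites (e.g. http://host:port)."""
    return site.replace(".", r"\.") + ".*"


def call_zap(url):
    """Perform one API call and return the decoded JSON body (network side effect)."""
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


def include_discovered_sites(context_name="Default Context"):
    """After the Selenium run, add every site ZAP proxied into the context (hosts unknown upfront)."""
    sites = call_zap(build_api_request("core", "sites", {}).replace("/action/", "/view/"))
    for site in sites.get("sites", []):
        call_zap(build_api_request("context", "includeInContext",
                                   {"contextName": context_name, "regex": site_include_regex(site)}))
    return sites.get("sites", [])


def register_false_positives(filters):
    """Send each filter to the Alert Filter add-on; returns the API responses."""
    return [call_zap(build_api_request("alertFilter", "addAlertFilter", f)) for f in filters]


if __name__ == "__main__":
    # Constructed example: one reflected-XSS-style finding on a login form parameter that
    # was verified to be a false positive. 40012 is used here as an example rule id.
    KNOWN_FALSE_POSITIVES = [
        false_positive_filter(DEFAULT_CONTEXT_ID, 40012,
                              "http://app.example/login", parameter="returnUrl"),
    ]
    print("sites in context:", include_discovered_sites())
    print("filters registered:", register_false_positives(KNOWN_FALSE_POSITIVES))
```

Run it between the Selenium stage and the active scan stage of the pipeline; the filters live in the context, so the scan rules apply them when they next raise the matching alert and the HTML report no longer lists that finding. Keep the list of known false positives in version control next to the pipeline so each exclusion is reviewable, rather than entering it by hand in the ZAP UI.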