SARIF JSON Report
Sample
{
"runs": [
{
"results": [
{
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "https://127.0.0.1:8080/greeting?name=%3C%2Fp%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cp%3E"
},
"region": {
"startLine": 10,
"snippet": {
"text": "<\/p><script>alert(1);<\/script><p>"
}
}
},
"properties": {
"attack": "<\/p><script>alert(1);<\/script><p>"
}
}
],
"message": {
"text": "Some other additional information which shall appear inside the message"
},
"ruleId": "40012",
"webRequest": {
"protocol": "HTTP",
"version": "1.1",
"target": "https://127.0.0.1:8080/greeting?name=%3C%2Fp%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cp%3E",
"method": "GET",
"headers": {
"Cache-Control" : "no-cache",
"Content-Length" : "0",
"Cookie" : "JSESSIONID=38AA1F7A61982DF1073D7F43A3707798; locale=de",
"Host" : "127.0.0.1:8080",
"Pragma" : "no-cache",
"Referer" : "https:\/\/127.0.0.1:8080\/hello",
"User-Agent" : "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko\/20100101 Firefox\/92.0"
},
"body": {
}
},
"webResponse": {
"statusCode": 200,
"reasonPhrase": "",
"protocol": "HTTP",
"version": "1.1",
"headers": {
"Cache-Control" : "no-cache, no-store, max-age=0, must-revalidate",
"Content-Language" : "en-US",
"Content-Security-Policy" : "script-src 'self'",
"Content-Type" : "text\/html;charset=UTF-8",
"Date" : "Thu, 11 Nov 2021 09:56:20 GMT",
"Expires" : "0",
"Pragma" : "no-cache",
"Referrer-Policy" : "no-referrer",
"Set-Cookie" : "locale=de; HttpOnly; SameSite=strict",
"Strict-Transport-Security" : "max-age=31536000 ; includeSubDomains",
"X-Content-Type-Options" : "nosniff",
"X-Frame-Options" : "DENY",
"X-XSS-Protection" : "1; mode=block"
},
"body": {
"text": "<!DOCTYPE HTML>\n<html>\n<head>\n <title>Getting Started: Serving Web Content<\/title>\n <meta http-equiv=\"Content-Type\" content=\"text\/html; charset=UTF-8\" \/>\n<\/head>\n<body>\n <!-- unsecure text used (th:utext instead th:text)- to create vulnerability (XSS) -->\n <!-- simple usage: http:\/\/localhost:8080\/greeting?name=Test2<\/p><script>;alert(\"hallo\")<\/script> -->\n <p >XSS attackable parameter output: <\/p><script>alert(1);<\/script><p>!<\/p>\n<\/body>\n<\/html>"
},
"noResponseReceived": false
}
}
],
"taxonomies": [
{
"downloadUri": "https://cwe.mitre.org/data/xml/cwec_v4.8.xml.zip",
"guid": "b000a760-3e52-3565-a35c-f61369da53b7",
"informationUri": "https://cwe.mitre.org/data/published/cwe_v4.8.pdf/",
"isComprehensive": true,
"language": "en",
"minimumRequiredLocalizedDataSemanticVersion": "4.8",
"name": "CWE",
"organization": "MITRE",
"releaseDateUtc": "2022-06-28",
"shortDescription": {
"text": "The MITRE Common Weakness Enumeration"
},
"taxa": [
{
"guid": "5dd429c8-e5e3-37a8-bf40-f7b2d72a9085",
"helpUri": "https://cwe.mitre.org/data/definitions/79.html",
"id": "79"
}
],
"version": "4.4"
}
],
"tool": {
"driver": {
"guid": "840570e4-2388-38c0-8afe-ed426f2f5199",
"informationUri": "https://www.zaproxy.org/",
"name": "ZAP",
"rules": [
{
"id": "40012",
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "CSS Description\nMultiple lines\n\nEnd"
},
"name": "Cross Site Scripting",
"properties": {
"references": [
"http://projects.webappsec.org/Cross-Site-Scripting",
"http://cwe.mitre.org/data/definitions/79.html"
],
"solution": {
"text": "Phase: 1\n\nDo ...."
},
"confidence": "medium"
},
"relationships": [
{
"kinds": [
"superset"
],
"target": {
"guid":"5dd429c8-e5e3-37a8-bf40-f7b2d72a9085",
"id": "79",
"toolComponent": {
"guid": "b000a760-3e52-3565-a35c-f61369da53b7",
"name": "CWE"
}
}
}
],
"shortDescription": {
"text": "Cross Site Scripting"
}
}
],
"semanticVersion": "Dev Build",
"supportedTaxonomies": [
{
"guid": "b000a760-3e52-3565-a35c-f61369da53b7",
"name": "CWE"
}
],
"version": "Dev Build"
}
}
}
],
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"version": "2.1.0"
}