This add-on supports the Automation Framework.
The sequence-import job allows you to create a Sequence from an HAR file.
- type: sequence-import # Imports a sequence from a HAR file.
parameters:
name: # The name by which the seq will be known in ZAP.
path: # The full/relative path to the HAR file to import.
assertCode: # Boolean, if true add status code assertion.
assertLength: # Integer, if supplied then add approx len assertion (value between 0 and 100).
This job will automatically detect any HTTP Form parameters that are used in future requests and add Zest assignments to handle them.
The sequence-activeScan job allows you to active scan sequences.
- type: sequence-activeScan # Active scans one or all sequences.
parameters:
sequence: # String: The name of the sequence, or empty to active scan all sequences.
context: # String: Context to use when active scanning, default: first context.
user: # String: An optional user to use for authentication, must be defined in the env.
policy: # String: Name of the scan policy to be used, default: Sequence.
policyDefinition: # The policy definition - only used if the 'policy' is not set
defaultStrength: # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
defaultThreshold: # String: The default Alert Threshold for all rules, one of Off, Low, Medium, High, default: Medium
rules: # A list of one or more active scan rules and associated settings which override the defaults
- id: # Int: The rule id as per https://www.zaproxy.org/docs/alerts/
name: # Comment: The name of the rule for documentation purposes - this is not required or actually used
strength: # String: The Attack Strength for this rule, one of Low, Medium, High, Insane, default: Medium
threshold: # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium
tests:
- name: 'test one' # Name of the test, optional
type: alert # Specifies that the test is of type 'alert'
action: passIfPresent/passIfAbsent # String: The condition (presence/absence) of the alert, default: passIfAbsent
scanRuleId: # Integer: The id of the scanRule which generates the alert, mandatory
alertName: # String: The name of the alert generated, optional
url: http://www.example.com/path # String: The url of the request corresponding to the alert generated, optional
method: # String: The method of the request corresponding to the alert generated, optional
attack: # String: The actual attack which generated the alert, optional
param: # String: The parameter which was modified to generate the alert, optional
evidence: # String: The evidence corresponding to the alert generated, optional
confidence: # String: The confidence of the alert, one of 'False Positive', 'Low', 'Medium', 'High', 'Confirmed', optional
risk: # String: The risk of the alert, one of 'Informational', 'Low', 'Medium', 'High', optional
otherInfo: # String: Addional information corresponding to the alert, optional
onFail: 'info' # String: One of 'warn', 'error', 'info', mandatory
Note : Unless the defaultThreshold of the policyDefinition is OFF all rules will be enabled to start with.