Skip to content

Latest commit

 

History

History

passive

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
CookieHTTPOnly.js
CookieHTTPOnly.js
 
 
Find Credit Cards.js
Find Credit Cards.js
 
 
Find Emails.js
Find Emails.js
 
 
Find HTML Comments.js
Find HTML Comments.js
 
 
Find Hashes.js
Find Hashes.js
 
 
Find IBANs.js
Find IBANs.js
 
 
Find Internal IPs.js
Find Internal IPs.js
 
 
HUNT.py
HUNT.py
 
 
JavaDisclosure.js
JavaDisclosure.js
 
 
Mutliple Security Header Check.js
Mutliple Security Header Check.js
 
 
README.md
README.md
 
 
RPO.js
RPO.js
 
 
Report non static sites.js
Report non static sites.js
 
 
SQL injection detection.js
SQL injection detection.js
 
 
Server Header Disclosure.js
Server Header Disclosure.js
 
 
Telerik Using Poor Crypto.js
Telerik Using Poor Crypto.js
 
 
Upload form discovery.js
Upload form discovery.js
 
 
X-Powered-By_header_checker.js
X-Powered-By_header_checker.js
 
 
clacks.js
clacks.js
 
 
detect_csp_notif_and_reportonly.js
detect_csp_notif_and_reportonly.js
 
 
detect_samesite_protection.js
detect_samesite_protection.js
 
 
f5_bigip_cookie_internal_ip.js
f5_bigip_cookie_internal_ip.js
 
 
find base64 strings.js
find base64 strings.js
 
 
find_reflected_params.py
find_reflected_params.py
 
 
google_api_keys_finder.js
google_api_keys_finder.js
 
 
s3.js
s3.js
 
 

README.md

Passive Rule scripts

These detect potential vulnerabilities by passively analysing traffic to and from the target, run as part of the Passive Scanner and can be individually enabled.

JavaScript template

// Passive scan rules should not make any requests 

// Note that new passive scripts will initially be disabled
// Right click the script in the Scripts tree and select "enable"  

var PluginPassiveScanner = Java.type("org.zaproxy.zap.extension.pscan.PluginPassiveScanner");

/**
 * Passively scans an HTTP message. The scan function will be called for 
 * request/response made via ZAP, actual messages depend on the function
 * "appliesToHistoryType", defined below.
 * 
 * @param ps - the PassiveScan parent object that will do all the core interface tasks 
 *     (i.e.: providing access to Threshold settings, raising alerts, etc.). 
 *     This is an ScriptsPassiveScanner object.
 * @param msg - the HTTP Message being scanned. This is an HttpMessage object.
 * @param src - the Jericho Source representation of the message being scanned.
 */
function scan(ps, msg, src) {
	// Test the request and/or response here
	if (true) {	// Change to a test which detects the vulnerability
		// risk: 0: info, 1: low, 2: medium, 3: high
		// confidence: 0: falsePositive, 1: low, 2: medium, 3: high, 4: confirmed
		ps.newAlert()
			.setRisk(1)
			.setConfidence(1)
			.setName('Passive Vulnerability title')
			.setDescription('Full description')
			.setParam('The param')
			.setEvidence('Evidence')
			.setOtherInfo('Any other info')
			.setSolution('The solution')
			.setReference('References')
			.setCweId(0)
			.setWascId(0)
			.raise();
		
		//addTag(String tag)
		ps.addTag('tag')			
	}
	
	// Raise less reliable alert (that is, prone to false positives) when in LOW alert threshold
	// Expected values: "LOW", "MEDIUM", "HIGH"
	if (ps.getAlertThreshold() == "LOW") {
		// ...
	}
}

/**
 * Tells whether or not the scanner applies to the given history type.
 *
 * @param {Number} historyType - The ID of the history type of the message to be scanned.
 * @return {boolean} Whether or not the message with the given type should be scanned by this scanner.
 */
function appliesToHistoryType(historyType) {
	// For example, to just scan spider messages:
	// return historyType == org.parosproxy.paros.model.HistoryReference.TYPE_SPIDER;

	// Default behaviour scans default types.
	return PluginPassiveScanner.getDefaultHistoryTypes().contains(historyType);
}

Parameters

Name JavaDoc
ps ScriptsPassiveScanner
msg HttpMessage
source Source
historyType int

Templates in other languages

Official Videos

ZAP In Ten: Passive Scan Scripts (11:55)