Merge pull request #430 from psiinon/af-baseline-full

AF plan examples - updated baseline and added full scan

Author: thc202

other/CHANGELOG.md

@@ -0,0 +1,9 @@
+# Changelog
+All notable changes to the 'other' section of this repository will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+
+### 2024-01-16
+- Introduced this changelog
+- Added af-plans/FullScanExample.yaml
+- Updated af-plans/BaselineExample.yaml to use envvar and only run AJAX Spider if modern.

other/af-plans/BaselineExample.yaml

@@ -1,26 +1,15 @@
 ---
-# A simple plan that performs a baseline scan against example.com
-# It uses both of the spiders and just passive scanning.
+# A simple plan that performs a baseline scan against a URL in the ZAP_TARGET env var.
+# It uses the standard spider but only runs the AJAX spider if the app appears to be modern.
 # The 2 spider tests will fail as they do not find at least 100 URLs, 
 # but they do not fail the whole plan as they just report at INFO level.
 env:
   contexts:
   - name: "Example"
     urls:
-    - "https://www.example.com/"
+    - "${ZAP_TARGET}"
     includePaths: []
     excludePaths: []
-    authentication:
-      parameters: {}
-      verification:
-        method: "response"
-        pollFrequency: 60
-        pollUnits: "requests"
-    sessionManagement:
-      method: "cookie"
-      parameters: {}
-    technology:
-      exclude: []
   parameters:
     failOnError: true
     failOnWarning: false
@@ -44,10 +33,12 @@ jobs:
     value: 100
     type: "stats"
     name: "At least 100 URLs found"
+- parameters: {}
+  name: "passiveScan-wait-pre-ajax"
+  type: "passiveScan-wait"
 - parameters:
-    maxDuration: 60
-    maxCrawlDepth: 10
-    numberOfBrowsers: 1
+    maxDuration: 3
+    runOnlyIfModern: true
   name: "spiderAjax"
   type: "spiderAjax"
   tests:
@@ -59,12 +50,11 @@ jobs:
     type: "stats"
     name: "At least 100 URLs found"
 - parameters: {}
-  name: "passiveScan-wait"
+  name: "passiveScan-wait-pre-report"
   type: "passiveScan-wait"
 - parameters:
-    template: "risk-confidence-html"
+    template: "modern"
     reportTitle: "ZAP Scanning Report"
     reportDescription: ""
   name: "report"
   type: "report"
-

other/af-plans/FullScanExample.yaml

@@ -0,0 +1,67 @@
+---
+# A simple plan that performs a full scan against a URL in the ZAP_TARGET env var.
+# It uses the standard spider but only runs the AJAX spider if the app appears to be modern.
+# The 2 spider tests will fail as they do not find at least 100 URLs, 
+# but they do not fail the whole plan as they just report at INFO level.
+env:
+  contexts:
+  - name: "Example"
+    urls:
+    - "${ZAP_TARGET}"
+    includePaths: []
+    excludePaths: []
+  parameters:
+    failOnError: true
+    failOnWarning: false
+    progressToStdout: true
+  vars: {}
+jobs:
+- parameters:
+    scanOnlyInScope: true
+    enableTags: false
+  rules: []
+  name: "passiveScan-config"
+  type: "passiveScan-config"
+- parameters: {}
+  name: "spider"
+  type: "spider"
+  tests:
+  - onFail: "INFO"
+    statistic: "automation.spider.urls.added"
+    site: ""
+    operator: ">="
+    value: 100
+    type: "stats"
+    name: "At least 100 URLs found"
+- parameters: {}
+  name: "passiveScan-wait-pre-ajax"
+  type: "passiveScan-wait"
+- parameters:
+    maxDuration: 3
+    runOnlyIfModern: true
+  name: "spiderAjax"
+  type: "spiderAjax"
+  tests:
+  - onFail: "INFO"
+    statistic: "spiderAjax.urls.added"
+    site: ""
+    operator: ">="
+    value: 100
+    type: "stats"
+    name: "At least 100 URLs found"
+- parameters:
+  policyDefinition:
+    defaultStrength: "medium"
+    defaultThreshold: "medium"
+    rules: []
+  name: "activeScan"
+  type: "activeScan"
+- parameters: {}
+  name: "passiveScan-wait-pre-report"
+  type: "passiveScan-wait"
+- parameters:
+    template: "modern"
+    reportTitle: "ZAP Scanning Report"
+    reportDescription: ""
+  name: "report"
+  type: "report"