For the source code, please refer to https://github.com/atulsharmacsk/OWASPZAP_DEMO/tree/Demo_Part2
For the previous videos in the series, please refer to
https://youtube.com/playlist?list=PLBZUXrmykGn3uJ-6-EBhC6j6Uwxm-PNBi
Agenda
- Enabling test case execution from Maven/command line and passing the API key as a parameter
- Exploring the various reporting attributes of the generateReport method of ZapUtil (https://www.zaproxy.org/docs/desktop/addons/report-generation/api/)
- Understanding the meaning of some important terms: Strength, Threshold, passive scan rules, policies, and Confidence
A few important terms discussed:
Strength (intensity of attack; only for active scan)
This controls the number of attacks that ZAP will perform.
If you select Low then fewer attacks will be used which will be quicker but may miss some issues.
If you select High then more attacks will be used which may find more issues but will take longer.
Threshold (alerts are raised only once a threshold is crossed)
This controls how likely ZAP is to report a potential threat.
If you select Off then the scan rule won’t run.
If you select Low then more potential issues will be raised, which means many insignificant threats may be reported.
If you select High then fewer potential issues will be raised, which may mean that some real issues are missed.
Policy: a way to assign different strength and threshold levels to various types of threat.
Policies can be found in the Policy Manager.
Passive scan: uses passive scan rules.
Active scan: uses policies.
Confidence: the confidence of or in the finding; in other words, how sure ZAP is about the finding/alert.
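As an added example (not the ZapUtil code from the Demo_Part2 repository), the following Java snippet uses the zap-clientapi library to put the terms above into practice: it reads the API key from a Maven system property, builds a scan policy with per-rule strength and threshold, sets a passive-rule threshold, and filters the generated report by confidence and risk. The property name zap.apiKey, the localhost:8080 address, the policy name and the report directory are assumptions of this example.

```java
import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;
public class ZapPolicyReportDemo {
    public static void main(String[] args) throws ClientApiException {
        // API key passed from the command line, e.g. "mvn test -Dzap.apiKey=<key>"
        // (the property name zap.apiKey is an assumption for this example).
        String apiKey = System.getProperty("zap.apiKey");
        if (apiKey == null || apiKey.isEmpty()) {
            throw new IllegalStateException("Pass the ZAP API key with -Dzap.apiKey=<key>");
        }
        // ZAP listens on 8080 by default; host and port are assumptions here.
        ClientApi api = new ClientApi("localhost", 8080, apiKey);

        // Policy: a named set of strength/threshold levels used by the active scan.
        // Start from conservative defaults: MEDIUM threshold, LOW strength.
        String policy = "demo-policy";
        api.ascan.addScanPolicy(policy, "MEDIUM", "LOW");

        // Strength (active scan only): HIGH on the SQL Injection rule (id 40018)
        // sends more attack payloads, so it finds more but runs longer.
        api.ascan.setScannerAttackStrength("40018", "HIGH", policy);

        // Threshold: LOW on Reflected XSS (id 40012) raises more alerts, including
        // insignificant ones; OFF would stop the rule from running at all.
        api.ascan.setScannerAlertThreshold("40012", "LOW", policy);

        // Passive scan rules have a threshold but no strength: the
        // X-Content-Type-Options rule (id 10021) here only reports at HIGH.
        api.pscan.setScannerAlertThreshold("10021", "HIGH");
        // Report attributes: includedConfidences filters on how sure ZAP is about
        // each alert, includedRisks on severity; null keeps an optional default.
        ApiResponse report = api.reports.generate(
                "Demo Part 2 report",     // title
                "traditional-html",       // template
                null,                     // theme
                "Active + passive scan",  // description
                null,                     // contexts (all)
                null,                     // sites (all)
                null,                     // sections (all)
                "Medium|High|Confirmed",  // includedConfidences: drop Low and False Positive
                "Low|Medium|High",        // includedRisks: drop Informational
                null,                     // reportFileName (default)
                null,                     // reportFileNamePattern (default)
                "/tmp/zap-reports",       // reportDir (assumed path)
                "false");                 // display: do not open the report in a browser
        System.out.println("Report generated: " + report.toString());
    }
}
```

Run it with ZAP already started in daemon mode and the same API key configured there; the report lands in the given directory with only Medium, High and Confirmed confidence alerts.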