Import OWASP ZAP reports into WAS so that the findings discovered by the OWASP ZAP tool are saved alongside the findings discovered by WAS.
Permissions required: the user must have the WAS module enabled, and the user account must have the access permission "API Access" and the WAS permissions "Access OWASP ZAP Report" and "Import OWASP ZAP Report".
Input parameters. The request body carries the following elements; all of them are optional.
Parameter | Mandatory/Optional | Data Type | Description
---|---|---|---
webAppId | Optional | integer | The web application ID. This element is assigned by the service and is required for an update request.
purgeResults | Optional | boolean | Set to true to purge all previous issues for the web application before the imported findings are saved; set to false to retain them. Default: false. Example: <purgeResults>false</purgeResults>
closeUnreportedIssues | Optional | boolean | Set to true to mark existing issues for the web application that are not present in the imported report as fixed, so that they are no longer reported; set to false to leave them open. Default: false. Example: <closeUnreportedIssues>false</closeUnreportedIssues>
fileName | Optional | text | Name of the OWASP ZAP XML file to be imported. If no name is specified, the default file name has the format API-ImportOwaspZap-dd-mmm-yy hh:mm:ss.
Let us import an OWASP ZAP report for the web application with webAppId 29120395.
API request
curl -u "USERNAME:PASSWORD" -H "Content-Type: text/xml" -X "POST" --data-binary @file.xml "<qualys_base_url>/qps/rest/3.0/import/was/owaspzap"
where file.xml contains the request POST data shown below.
Request POST data
<ServiceRequest>
<data>
<webAppId>29120395</webAppId>
<purgeResults>false</purgeResults>
<closeUnreportedIssues>false</closeUnreportedIssues>
<fileName>testOwaspFile</fileName>
<owaspZapXml>
<OWASPZAPReport programName="OWASP ZAP" version="Dev Build" generated="Thu, 17 Nov 2022 11:03:08">
<site name="https://www.googletagservices.com" host="www.googletagservices.com" port="443" ssl="true">
<alerts>
<alertitem>
<pluginid>10035</pluginid>
<alertRef>10035</alertRef>
<alert>Strict-Transport-Security Header Not Set</alert>
<name>Strict-Transport-Security Header Not Set</name>
<riskcode>1</riskcode>
<confidence>3</confidence>
<riskdesc>Low (High)</riskdesc>
<confidencedesc>High</confidencedesc>
<desc>HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797.</desc>
<instances>
<instance>
<uri>https://www.googletagservices.com/tag/js/gpt.js</uri>
<method>GET</method>
<param></param>
<attack></attack>
<evidence></evidence>
<requestheader>GET https://www.googletagservices.com/tag/js/gpt.js HTTP/1.1 Host: www.googletagservices.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: */* Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://jsonlint.com/ Accept-Language: en-US,en;q=0.9 </requestheader>
<requestbody></requestbody>
<responseheader>HTTP/1.1 200 OK Vary: Accept-Encoding Content-Type: text/javascript Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="adsgpt-scs" Report-To: {"group":"ads-gptscs","max_age":2592000,"endpoints":[{"url&quot;:"https://csp.withgoogle.com/csp/report-to/ads-gpt-scs"}]} Timing-Allow-Origin: * Content-Length: 80512 Date: Thu, 17 Nov 2022 05:20:21 GMT Expires: Thu, 17 Nov 2022 05:20:21 GMT Cache-Control: private, max-age=900, stale-while-revalidate=3600 ETag: "1394 / 793 of 1000 / last-modified: 1668639967" X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" </responseheader>
<responsebody>(function(E)) </responsebody>
</instance>
</instances>
<count>1</count>
<solution>Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security.</solution>
<otherinfo></otherinfo>
<reference>https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html https://owasp.org/www-community/Security_Headers http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security http://caniuse.com/stricttransportsecurity http://tools.ietf.org/html/rfc6797</reference>
<cweid>319</cweid>
<wascid>15</wascid>
<sourceid>8</sourceid>
<tags>
<tag>
<tag>OWASP_2021_A05</tag>
<link>https://owasp.org/Top10/A05_2021-Security_Misconfiguration/</link>
</tag>
<tag>
<tag>OWASP_2017_A06</tag>
<link>https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html</link>
</tag>
</tags>
</alertitem>
<alertitem>
<pluginid>10027</pluginid>
<alertRef>10027</alertRef>
<alert>Information Disclosure - Suspicious Comments</alert>
<name>Information Disclosure - Suspicious Comments</name>
<riskcode>0</riskcode>
<confidence>1</confidence>
<riskdesc>Informational (Low)</riskdesc>
<confidencedesc>Low</confidencedesc>
<desc>The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.</desc>
<instances>
<instance>
<uri>https://www.googletagservices.com/tag/js/gpt.js</uri>
<method>GET</method>
<param></param>
<attack></attack>
<evidence>db</evidence>
<requestheader>GET https://www.googletagservices.com/tag/js/gpt.js HTTP/1.1 Host: www.googletagservices.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: */* Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://jsonlint.com/ Accept-Language: en-US,en;q=0.9 </requestheader>
<requestbody></requestbody>
<responseheader>HTTP/1.1 200 OK Vary: Accept-Encoding Content-Type: text/javascript </responseheader>
<responsebody>(function(E)) </responsebody>
</instance>
<instance>
<uri>https://www.googletagservices.com/tag/js/gpt.js</uri>
<method>GET</method>
<param></param>
<attack></attack>
<evidence>query</evidence>
<requestheader>GET https://www.googletagservices.com/tag/js/gpt.js HTTP/1.1 Host: www.googletagservices.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: */* Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://jsonlint.com/ Accept-Language: en-US,en;q=0.9 </requestheader>
<requestbody></requestbody>
<responseheader>HTTP/1.1 200 OK Vary: Accept-Encoding Content-Type: text/javascript Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="adsgpt-scs" Report-To: {"group":"ads-gptscs","max_age":2592000,"endpoints":[{"url&quot;:"https://csp.withgoogle.com/csp/report-to/ads-gpt-scs"}]} Timing-Allow-Origin: * Content-Length: 80512 Date: Thu, 17 Nov 2022 05:20:21 GMT Expires: Thu, 17 Nov 2022 05:20:21 GMT Cache-Control: private, max-age=900, stale-while-revalidate=3600 ETag: "1394 / 793 of 1000 / last-modified: 1668639967" X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" </responseheader>
<responsebody>(function(E){var window=this..}); </responsebody>
</instance>
</instances>
<count>2</count>
<solution>Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.</solution>
<otherinfo>The following pattern was used: \bDB\b and was detected in the element starting with: "var aa,ba=function(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}},ca="function"==typeof Objec", see evidence field for the suspicious comment/snippet.</otherinfo>
<reference></reference>
<cweid>200</cweid>
<wascid>13</wascid>
<sourceid>8</sourceid>
<tags>
<tag>
<tag>OWASP_2021_A01</tag>
<link>https://owasp.org/Top10/A01_2021-Broken_Access_Control/</link>
</tag>
<tag>
<tag>OWASP_2017_A03</tag>
<link>https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html</link>
</tag>
</tags>
</alertitem>
</alerts>
</site>
</OWASPZAPReport>
</owaspZapXml>
</data>
</ServiceRequest>
XML Response
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="<qualys_base_url>/qps/xsd/3.0/was/owaspzap.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <OwaspZap>
      <id>2001</id>
      <webApp>
        <id>29120395</id>
        <name><![CDATA[Import Zap finding Web app1]]></name>
        <url><![CDATA[http://10.10.60.90]]></url>
      </webApp>
      <alerts>
        <list>
          <AlertItem>
            <alertRef>10027</alertRef>
          </AlertItem>
          <AlertItem>
            <alertRef>10035</alertRef>
          </AlertItem>
        </list>
      </alerts>
      <fileName>testOwaspFile</fileName>
      <errorRecords>
        <count>0</count>
      </errorRecords>
    </OwaspZap>
  </data>
</ServiceResponse>
XSD: <platform API server>/qps/xsd/3.0/was/owaspzap.xsd