0
votes

I want to get the list of alerts in a tabular form like the one below. I copy the URLs from the alerts and manually prepare such a table myself. However, I need to do this automatically or semi-automatically (at least).

Alert Name URL             Scan Type Scan_Name WASCID CWEID 
---------- --------------- --------- ---------  ----- ------
Could you please give an example of how you do this manually, including some sample data? It would help in understanding how to do it automatically. - samgak
In the ZAP alerts list box the alerts are listed in a grouped manner. I expand all parts of the alerts tree and select them with mouse and shift. I copy them to Notepad. I later move this data to Excel and separate the alert_name column and URL column. Later I turn back to ZAP, click each alert, and on the right pane I see the descriptions including WASCID, scan name and so on. I go back to Excel and write this information for each alert. I repeat the same alert and scan-name info for all the URLs in that alert group. - Ferda-Ozdemir-Sonmez
If this is not available, having a static list of alert_name / scan rule associations will also be OK for me, so that I can query the scan rule by alert_name for each URL. I have been searching the Internet for a proper list of alert_name / scan_rule associations but I couldn't find one yet. - Ferda-Ozdemir-Sonmez
Please read "How do I ask a question that is answerable?" before attempting to ask more questions, so you will be better prepared and able to ask a question that will be well received and, more importantly, answerable. - user177800

1 Answer

1
votes

You can export the report in XML and apply any kind of XSL transform to it that you might like.

You could pull the XML report into Excel (or whatever spreadsheet program) and manipulate it.

You could pull alerts from the web API and have them in XML or json and process them however you like programmatically.

You could write a standalone script (within ZAP) to traverse the Alerts tree and output the details tab-delimited in the script console pane. For example:

// Standalone script for the ZAP script console (JavaScript / Nashorn engine).
// Walks every alert in the current session and prints one tab-delimited row per alert.

var Control = org.parosproxy.paros.control.Control;
var Alert = org.parosproxy.paros.core.scanner.Alert;
var PluginFactory = Java.type("org.parosproxy.paros.core.scanner.PluginFactory");

// Alert extension: owner of the alerts tree.
var extAlert = Control.getSingleton().getExtensionLoader().getExtension(
        org.zaproxy.zap.extension.alert.ExtensionAlert.NAME);

// Passive scan extension: needed to resolve passive plugin ids to rule names.
var extPscan = Control.getSingleton().getExtensionLoader().getExtension(
        org.zaproxy.zap.extension.pscan.ExtensionPassiveScan.NAME);

printHeaders();

if (extAlert != null) {
    var alerts = extAlert.getAllAlerts();
    for (var i = 0; i < alerts.size(); i++) {
        printAlert(alerts.get(i));
    }
}

function printHeaders() {
    print('AlertName\tSource:PluginName\tWASC\tCWE');
}

function printAlert(alert) {
    var scanner = '';
    var plugin = null;

    // If the session is loaded in ZAP and the extension that provided the plugin for an
    // existing alert is missing (e.g. uninstalled), plugin stays null and scanner stays empty.
    if (alert.getSource() == Alert.Source.ACTIVE) {
        plugin = PluginFactory.getLoadedPlugin(alert.getPluginId());
        if (plugin != null) {
            scanner = plugin.getName();
        }
    } else if (alert.getSource() == Alert.Source.PASSIVE && extPscan != null) {
        plugin = extPscan.getPluginPassiveScanner(alert.getPluginId());
        if (plugin != null) {
            scanner = plugin.getName();
        }
    }
    print(alert.getName() + '\t' + alert.getSource() + ':' + scanner + '\t' + alert.getWascId() + '\t' + alert.getCweId());
    // For more alert properties (URI, risk, evidence, ...) see
    // https://static.javadoc.io/org.zaproxy/zap/2.7.0/org/parosproxy/paros/core/scanner/Alert.html
}

Produces script console output like the following (note that in the 2nd, 6th, and 7th rows the specific alert name differs from the general scanner name):

AlertName   Source:PluginName   WASC    CWE
Cross Site Scripting (DOM Based)    ACTIVE:Cross Site Scripting (DOM Based) 8   79
Non-Storable Content    PASSIVE:Content Cacheability    13  524
Content Security Policy (CSP) Header Not Set    PASSIVE:Content Security Policy (CSP) Header Not Set    15  16
Server Leaks Version Information via "Server" HTTP Response Header Field    PASSIVE:HTTP Server Response Header Scanner 13  200
Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)   PASSIVE:Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)   13  200
Non-Storable Content    PASSIVE:Content Cacheability    13  524
Timestamp Disclosure - Unix PASSIVE:Timestamp Disclosure    13  200

Which pastes well in Excel:
[Screenshot: script tab-separated output pasted in Excel]

Detailed steps:
(This assumes ZAP is running, and the session you want information for is open/loaded).

1. Go to the Scripts tree (behind the Sites tree) [if you can't see it, click the plus sign near the Sites tree tab and add "Scripts"].
2. In the Scripts tree right click "Standalone" and select "New Script": give it a name and select the JavaScript Script Engine ("EcmaScript : Oracle Nashorn") [no Template is necessary]. Click "Save" on the New Script dialog.
3. In the new script window (in the request/response area) paste the script from the answer.
4. Run it (the blue triangle play button above the script entry pane).
5. The results will display in the output pane below the script.
6. Copy/paste the output into Excel.
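The XML-report route mentioned at the top of the answer, worked through as an added example (my code, not the answerer's and not part of ZAP): a Python script that flattens a ZAP XML report into one tab-separated row per alert and URL, which is the shape the question asks for, with a Scan Type column derived from the report's sourceid. The element names (alertitem, pluginid, alert, instances/instance/uri, cweid, wascid, sourceid) and the sourceid values (1 = ACTIVE, 3 = PASSIVE, following ZAP's Alert.Source enum) are assumptions based on the ZAP 2.7-era report format; the embedded report is constructed sample data, not a real scan.

```python
"""Flatten a ZAP XML report into one tab-separated row per (alert, URL)."""
import csv
import io
import xml.etree.ElementTree as ET

# Assumed mapping of <sourceid> to ZAP's Alert.Source enum ordinals.
SOURCE_NAMES = {"0": "TOOL", "1": "ACTIVE", "2": "MANUAL", "3": "PASSIVE"}

# Constructed sample shaped like a ZAP 2.7-era XML report (not from a real scan).
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.7.0" generated="Wed, 1 Jan 2020 00:00:00">
  <site name="http://example.test" host="example.test" port="80" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>10038</pluginid>
        <alert>Content Security Policy (CSP) Header Not Set</alert>
        <name>Content Security Policy (CSP) Header Not Set</name>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <riskdesc>Low (Medium)</riskdesc>
        <instances>
          <instance><uri>http://example.test/</uri><method>GET</method></instance>
          <instance><uri>http://example.test/login</uri><method>GET</method></instance>
        </instances>
        <count>2</count>
        <cweid>16</cweid>
        <wascid>15</wascid>
        <sourceid>3</sourceid>
      </alertitem>
      <alertitem>
        <pluginid>40026</pluginid>
        <alert>Cross Site Scripting (Reflected)</alert>
        <name>Cross Site Scripting (Reflected)</name>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <riskdesc>High (Medium)</riskdesc>
        <instances>
          <instance><uri>http://example.test/search?q=x</uri><method>GET</method><param>q</param></instance>
        </instances>
        <count>1</count>
        <cweid>79</cweid>
        <wascid>8</wascid>
        <sourceid>1</sourceid>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""

COLUMNS = ["Alert Name", "URL", "Scan Type", "Plugin ID", "WASCID", "CWEID", "Risk"]


def _text(elem, tag, default=""):
    """Text of the first child named `tag`, or `default` when absent or empty."""
    child = elem.find(tag)
    return child.text.strip() if child is not None and child.text else default


def flatten_report(xml_text):
    """Return a list of row dicts, one per (alertitem, instance).

    Scan Type comes from <sourceid>; an unknown id is kept verbatim instead of
    being silently mapped, so a report-format change shows up in the output.
    """
    root = ET.fromstring(xml_text)
    rows = []
    for item in root.iter("alertitem"):
        sourceid = _text(item, "sourceid")
        base = {
            "Alert Name": _text(item, "alert") or _text(item, "name"),
            "Scan Type": SOURCE_NAMES.get(sourceid, "UNKNOWN(%s)" % sourceid),
            "Plugin ID": _text(item, "pluginid"),
            "WASCID": _text(item, "wascid"),
            "CWEID": _text(item, "cweid"),
            "Risk": _text(item, "riskdesc"),
        }
        instances = item.findall("instances/instance")
        if not instances:
            # Assumed fallback: older reports carry a single <uri> directly under <alertitem>.
            rows.append(dict(base, URL=_text(item, "uri")))
            continue
        for inst in instances:
            rows.append(dict(base, URL=_text(inst, "uri")))
    return rows


def to_tsv(rows):
    """Serialise rows as tab-separated text that pastes straight into a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, delimiter="\t", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python zap_alerts_tsv.py report.xml   (no argument: run on the embedded sample)
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.stdout.write(to_tsv(flatten_report(source)))
```

Save a report from Report > Generate XML Report... and pass its path as the argument; the output pastes into Excel the same way the console output above does. One caveat for the Scan_Name column: the XML report carries the plugin id, not the scan rule's name, so to fill that column you still need either the standalone script above (which resolves the name live from the loaded plugins) or a static pluginid-to-rule-name list for your ZAP version.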