0

I'm running OWASP ZAP as part of an automated CI/CD process. I am doing a spider and active scan. The report showed that there is a Path Traversal error.

First, this is an Angular 2 site so there wouldn't be anything revealed on the server. Second, when I view the URL in question with and without the "attack", the results are the same. This URL just downloads a JavaScript file to the browser and the querystring is ignored. We are using webpack to do the bundling.

https://mysite/js/vendor.ece5bf651436a14bea3e.bundle.js?query=c%3A%2F

If it is a false positive, how can we flag this so subsequent runs don't continue to flag this as an issue? We are using the weekly docker image for this automated process.

Simon Bennetts
  • 5,479
  • 1
  • 14
  • 26
MikeDouglasDev
  • 1,331
  • 10
  • 22

1 Answers1

1

You can configure ZAP to automatically flag them as false positives using Context Alert Filters.

However it would be really useful if you would also raise a ZAP issue giving as much information as you can, that way we can hopefully fix the code so that it is no longer reported.

Simon Bennetts
  • 5,479
  • 1
  • 14
  • 26
  • I added this as a ZAP issue and it was confirmed. I added the false positive context alert filters and now it is excluding the alert from automated run. Thanks for your help! – MikeDouglasDev Jul 20 '17 at 15:08