Disable specific DAST plugins by default
Problem
ZAP's plugins take time to run, may generate false positives or excessive noise, or have a very low probability of finding a vulnerability because the vulnerability rarely exists in the wild anymore. ZAP plugins should therefore be reviewed regularly for their efficacy. This issue records the result of such a review: the plugins listed below should be disabled by default.
Proposal
Disable the following plugins:
PluginID,Title,Default Enabled
10015,Incomplete or No Cache-control and Pragma HTTP Header Set,false
10020,X-Frame-Options Header,false
10026,HTTP Parameter Override,false
10027,Information Disclosure - Suspicious Comments,false
10044,Big Redirect Detected (Potential Sensitive Information Leak),false
10050,Retrieved from Cache,false
10052,X-ChromeLogger-Data (XCOLD) Header Information Leak,false
10053,Apache Range Header DoS (CVE-2011-3192),false
10096,Timestamp Disclosure,false
10104,User Agent Fuzzer,false
10109,Modern Web Application,false
20017,Source Code Disclosure - CVE-2012-1823,false
20018,Remote Code Execution - CVE-2012-1823,false
30001,Buffer Overflow,false
30002,Format String Error,false
30003,Integer Overflow Error,false
40009,Server Side Include,false
40023,Possible Username Enumeration,false
40028,ELMAH Information Leak,false
40029,Trace.axd Information Leak,false
40034,.env Information Leak,false
43,Source Code Disclosure - File Inclusion,false
90024,Generic Padding Oracle,false
90027,Cookie Slack Detector,false
The full list of plugins and their enabled state: https://gitlab.com/gitlab-org/gitlab/uploads/ba959df0e9d3fbdc8201066cc6fd32ac/plugins.csv
Technical details
Create a YAML file that contains the list of disabled plugins. Use zapv2.pscan.disable_scanners and zapv2.ascan.disable_scanners to ensure that these rules do not execute.
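The following is an added example of that procedure, not GitLab's DAST code. It assumes the python-owasp-zap-v2.4 client (`from zapv2 import ZAPv2`), whose `pscan.disable_scanners(ids)` and `ascan.disable_scanners(ids)` take a comma-separated string of rule IDs and return the string 'OK' on success, and whose `pscan.scanners` / `ascan.scanners()` report each rule's id and enabled state. Because a passive rule ID is unknown to the active engine and vice versa, the script asks the running ZAP which engine owns each ID and only sends it there, reports IDs that neither engine knows (a typo or a removed rule), and re-reads the scanner state afterwards to confirm nothing stayed enabled. The YAML layout in `load_yaml_ids` is a hypothetical one, and the inline CSV rows are a constructed sample in the layout of the plugins.csv linked above; the API key and proxy address are placeholders.

```python
"""Disable a reviewed list of ZAP scan rules through the ZAP API.

Added example; not GitLab's DAST code. Assumes the python-owasp-zap-v2.4
client, whose disable_scanners() calls take "id1,id2,..." and return 'OK'.
"""
import csv
import io

# Constructed sample in the plugins.csv layout (the 10021 row is invented
# to show that only rows with Default Enabled == false are selected).
SAMPLE_CSV = """\
PluginID,Title,Default Enabled
10015,Incomplete or No Cache-control and Pragma HTTP Header Set,false
10020,X-Frame-Options Header,false
10021,X-Content-Type-Options Header Missing,true
30001,Buffer Overflow,false
43,Source Code Disclosure - File Inclusion,false
90024,Generic Padding Oracle,false
"""


def load_disabled_ids(csv_text):
    """Return the set of numeric plugin IDs whose 'Default Enabled' is false."""
    disabled = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        pid = row["PluginID"].strip()
        if not pid.isdigit():
            raise ValueError(f"non-numeric PluginID: {pid!r}")
        if row["Default Enabled"].strip().lower() == "false":
            disabled.add(int(pid))
    return disabled


def load_yaml_ids(path):
    """Load the same list from the YAML file proposed in this issue.

    Hypothetical layout:
        disabled_plugins:
          - id: 10015
            title: Incomplete or No Cache-control and Pragma HTTP Header Set
    Needs PyYAML; imported lazily so the rest of the module runs without it.
    """
    import yaml
    with open(path) as fh:
        doc = yaml.safe_load(fh)
    return {int(entry["id"]) for entry in doc["disabled_plugins"]}


def split_by_engine(zap, wanted):
    """Partition wanted IDs into (passive, active, unknown) using what ZAP reports."""
    passive = {int(s["id"]) for s in zap.pscan.scanners}
    active = {int(s["id"]) for s in zap.ascan.scanners()}
    return (sorted(wanted & passive),
            sorted(wanted & active),
            sorted(wanted - passive - active))


def _check(result, engine):
    # The client returns 'OK' for successful action calls; anything else is an error.
    if result != "OK":
        raise RuntimeError(f"{engine}.disable_scanners failed: {result!r}")


def apply_disabled(zap, wanted):
    """Disable each wanted ID in the engine that owns it; return what was done."""
    pscan_ids, ascan_ids, unknown = split_by_engine(zap, wanted)
    if pscan_ids:
        _check(zap.pscan.disable_scanners(",".join(map(str, pscan_ids))), "pscan")
    if ascan_ids:
        _check(zap.ascan.disable_scanners(",".join(map(str, ascan_ids))), "ascan")
    return {"pscan": pscan_ids, "ascan": ascan_ids, "unknown": unknown}


def verify_disabled(zap, wanted):
    """Re-read scanner state and return the wanted IDs that are still enabled."""
    still_enabled = []
    for s in list(zap.pscan.scanners) + list(zap.ascan.scanners()):
        # ZAP returns the enabled flag as the JSON string "true"/"false".
        if int(s["id"]) in wanted and s["enabled"] == "true":
            still_enabled.append(int(s["id"]))
    return sorted(still_enabled)


if __name__ == "__main__":
    from zapv2 import ZAPv2  # placeholder key and local proxy address
    zap = ZAPv2(apikey="CHANGEME",
                proxies={"http": "http://127.0.0.1:8080",
                         "https": "http://127.0.0.1:8080"})
    wanted = load_disabled_ids(SAMPLE_CSV)
    print(apply_disabled(zap, wanted))
    print("still enabled:", verify_disabled(zap, wanted))
```

Running it against a live ZAP prints which IDs went to each engine and which were unknown; a non-empty "still enabled" list after the call means the change did not take and the scan should not proceed on the assumption that these rules are off.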
Edited by Isaac Dawson