ZAP proxy: how to exclude a response from the Alerts tab - OWASP

I'd like to know how to exclude certain responses from the Alerts tab, if there is a way. I can't find any.
For example, if the response page reports "character to number conversion error", I'd like to tell the ZAP attack proxy that this isn't a vulnerability but a correct response, and therefore it should not appear in the Alerts tab.

Double-click the alert and change the "Confidence" to "False positive"; it will stay in the Alerts tab but not be included in reports.
Or you can right-click the alert and "Delete" it, but it can then be raised again by the active or passive scanner. That's why we have the "False positive" setting.
FYI, we have a ZAP Users group which is probably more suitable for questions like this (as Stack Overflow is a general forum): http://groups.google.com/group/zaproxy-users
That's linked off the ZAP "Online / ZAP User Group" menu item, which is apparently invisible as no one seems to spot it ;)
Simon (ZAP Project Lead)
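The answer above draws a distinction worth keeping in any scripted triage: marking an alert as a false positive keeps the record but drops it from reports, whereas deleting it lets the scanner raise it again. The script below is an added example, not code from ZAP or from the original post. It assumes alerts were exported from the ZAP API (core/view/alerts) as a JSON list with the keys "alert", "pluginId", "url", "param", "evidence", "risk" and "confidence", and that a false positive carries the confidence string "False Positive"; the three sample alerts and the hostname app.example are constructed for illustration, and the rule IDs 40018 (SQL Injection) and 40012 (Reflected XSS) are ZAP's.

```python
"""Mark known-benign findings in an exported ZAP alert list as false positives.

Added example for the discussion above; it is not part of ZAP and not code
from the original post.  Assumed input: the JSON list returned by the ZAP
API view core/view/alerts.  Sample alerts below are constructed.
"""
import json
import re
from typing import Dict, List, Optional

# Assumed: the confidence string ZAP uses for a false positive.
FALSE_POSITIVE = "False Positive"


class SuppressionRule:
    """Match on the scan rule (pluginId) plus optional regexes over evidence and URL.

    Matching alerts are kept but re-labelled, mirroring the GUI advice: mark,
    don't delete, so a re-scan cannot silently push them back into a report.
    """

    def __init__(self, plugin_id: Optional[str], evidence_re: Optional[str] = None,
                 url_re: Optional[str] = None, reason: str = ""):
        self.plugin_id = plugin_id
        self.evidence_re = re.compile(evidence_re, re.I) if evidence_re else None
        self.url_re = re.compile(url_re) if url_re else None
        self.reason = reason

    def matches(self, alert: Dict) -> bool:
        if self.plugin_id is not None and str(alert.get("pluginId")) != self.plugin_id:
            return False
        if self.evidence_re and not self.evidence_re.search(alert.get("evidence", "")):
            return False
        if self.url_re and not self.url_re.search(alert.get("url", "")):
            return False
        return True


def apply_rules(alerts: List[Dict], rules: List[SuppressionRule]) -> List[Dict]:
    """Return a copy of the alerts; matching ones get confidence set to False Positive
    and the rule's reason appended to the free-text "other" field for audit."""
    out = []
    for alert in alerts:
        copy = dict(alert)
        for rule in rules:
            if rule.matches(copy):
                copy["confidence"] = FALSE_POSITIVE
                copy["other"] = (copy.get("other", "") + f" [suppressed: {rule.reason}]").strip()
                break
        out.append(copy)
    return out


def reportable(alerts: List[Dict]) -> List[Dict]:
    """Alerts that would go into a report: everything not marked False Positive.
    The suppressed ones still exist in the list, exactly like the Alerts tab."""
    return [a for a in alerts if a.get("confidence") != FALSE_POSITIVE]


# Constructed sample: two hits from the SQL Injection rule (40018) and one from
# Reflected XSS (40012).  Only the hit whose evidence is the application's own
# benign conversion error should be suppressed; the real DB error must survive.
SAMPLE_ALERTS = json.loads("""[
  {"alert": "SQL Injection", "pluginId": "40018", "risk": "High",
   "confidence": "Medium", "url": "http://app.example/item?id=1",
   "param": "id", "evidence": "character to number conversion error"},
  {"alert": "SQL Injection", "pluginId": "40018", "risk": "High",
   "confidence": "Medium", "url": "http://app.example/item?id=1",
   "param": "id", "evidence": "You have an error in your SQL syntax"},
  {"alert": "Cross Site Scripting (Reflected)", "pluginId": "40012", "risk": "High",
   "confidence": "Medium", "url": "http://app.example/search?q=x",
   "param": "q", "evidence": "<script>alert(1)</script>"}
]""")

# Scope the rule as narrowly as you can: one scan rule, one evidence string, one host.
RULES = [
    SuppressionRule("40018", evidence_re=r"character to number conversion error",
                    url_re=r"^http://app\.example/",
                    reason="app returns this for any non-numeric id; not a DB error"),
]

if __name__ == "__main__":
    marked = apply_rules(SAMPLE_ALERTS, RULES)
    for a in marked:
        print(f'{a["confidence"]:14} {a["alert"]:35} {a["url"]}')
    print(len(reportable(marked)), "of", len(marked), "alerts would be reported")
```

Keep the rule list in version control next to the scan configuration: the "reason" string is the only record of why a finding was waived, and a rule with no evidence regex or URL regex would waive every hit of that scan rule.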

Related

G Suite App : Continue button on the "Domain wide install" stop working

I have configured a G Suite Marketplace application and it's still at the test level. After filling in the configuration page of the Marketplace application, I got a button named "Integrate with Google" at the top of the Marketplace SDK configuration page.
After clicking the button I get a pop-up with the title "Domain wide install", where we have the "Continue" button. Previously that button redirected users to the consent screen, but it doesn't redirect to anything now. I did not change anything in the configuration, so I guess this is probably a change from Google's side.
Please let me know what the issue is.
There is an open issue on Google's Issue Tracker about this at:
https://issuetracker.google.com/153243016
You should add a star next to the issue number, for it to get more visibility.

OWASP ZAP disable POST requests (out of scope)

How can I exclude POST requests in OWASP ZAP? It is spamming a lot of forms and contact forms and therefore interrupting the normal operation of the website. Can I exclude this with a regex, or is there an option built in?
In the Active Scan dialog, check the 'Show advanced options' box.
You will then see more tabs - select the 'Input Vectors' tab and then deselect the 'POST Data' target. For help on this dialog click the help button - the help is also online here: https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsAdvascan
You can also create different policies via the Scan Policy Manager :)
Simon (ZAP Project Lead)

Separate the AutoResponder tab and the Inspector tab in Fiddler

While using Fiddler, I have put a "break on all POSTs" in my filters, and have saved some old responses for certain requests in my AutoResponder.
A point to note about these requests is that they all go to the same URL with different request bodies. Thus, although the URL is the same for all these requests, their expected responses are different.
For this, I need to put a "break on all POSTs" and then, as the requests are held by Fiddler, go to the AutoResponder tab and select the response I want to serve, then go back to the Inspector tab and click "Run to Completion". For the next request I again move back to the AutoResponder, select the response I want to provide, then go back to the Inspector and "Run to Completion".
If by some way I could separate these two tabs, Inspector and AutoResponder, I could simply have them side by side and do my tasks more easily.
If you have some other alternative for my scenario, kindly suggest.
Simply change your AutoResponder match rule to use the UrlWithBody prefix so that you don't need a manual step.

This URL has been identified as malicious and/or abusive

https://alsalamanty.com/
http://alsalamanty.com/
I'm a developer of a Facebook login app for a website. When I'm trying to save changes in my Facebook web application settings, I get this error: "Site URL has been identified as malicious and/or abusive." I can't save anything while the "Site URL" field contains my domain name. What am I supposed to do?
Go to facebook.com and try to share the URL. You will get a dialog saying the URL is bad, and at the bottom there will be a link if you don't agree and want to report it.
A simple solution is to disable the Facebook button, so that Facebook changes their aggressive globalist political tactic of constantly changing their ways for developers and forcing them to change their code, like Google does with Google login.
Another solution is, according to:
https://www.forbes.com/sites/caroltice/2013/03/15/when-facebook-calls-you-abusive-reclaim-your-reputation/
First go to:
https://global.sitesafety.trendmicro.com/
and check if your URL appears as not safe or as untested.
Click on Reclassify --> URL reclassification request.
Then select the option SAFE.
Suggest a category.
Add your email.
Click the button to proceed, then go to your email and click the link that Trend Micro sent to you, then wait.
Other links:
https://global.sitesafety.trendmicro.com/index.php
https://www.trendmicro.com/en_us/about/legal/detection-reevaluation.html

Facebook enhanced Auth Dialog Button Types

Using the Facebook enhanced auth dialog, the dialog itself shows a blue button to confirm the app on the user's side. The text of this button could be:
Add to Facebook
Log in with Facebook
Go to App
Play Game
Is there any way to choose which one is displayed? For example, I would like to use "Log in with", but I always get "Go to App".
Yes, you have to configure your application correctly per the blog article you got that info from ;)
http://developers.facebook.com/blog/post/2012/03/02/enhanced-auth-dialog-and-updates-to-permissions/
New button text
In the enhanced auth dialog, the button text will be one of four cases: "Add to Facebook", "Log in with Facebook", "Go to App", or "Play Game". Each of these was extensively tested and showed that more specific calls to action help users better understand the auth process. As the first point of contact for an app, it's important for the auth dialog to exhibit a great user experience.
See our Open Graph documentation to learn more about permissions and configuring the enhanced auth dialog.
And most importantly, a quote from Lu, the blog author, in response to that same question from Sven Gali (oh, svengali!):
The four cases are context-sensitive and currently there is no control for you to pick a particular button text. We show different button text in different situations, as we've found that users are more likely to install your application if the call-to-action text aligns with their expectations. Thus, the logic currently is something like*:
If the user has already installed the app and you are requesting additional permissions that include "publish_actions", we use "Add to Facebook".
If you're a game app, we use "Play Game".
If your auth dialog is shown in display=popup (e.g. after the user clicks a "Log In with Facebook" fb:login button), we use "Log In with Facebook".
In other situations, we use "Go to App".
*Obligatory disclaimer: We may adjust the logic tree in the future without notice, as we're constantly testing variations to improve the user-auth experience. But hopefully this is helpful so you can at least understand how it is currently functioning under the hood :)
Note that Facebook appears to be adding more variants to this set of four now. I've noticed that newspaper apps generally have the text 'Read this article' as the button text.