HelpUiDialogsOptionsRuleconfig
Simon Bennetts edited this page Jun 7, 2019
This screen allows you to configure the behaviour of specific active and passive scan rules.
Select any of the listed rows to see details of that configuration value and to change it. Individual rules, or all of them at once, can be reset to their defaults.
The built-in rules include:
Name | Default | Description |
---|---|---|
rules.common.sleep | 15 | The length of time in seconds used for timing attacks. |
rules.cookie.ignorelist | | A comma separated list of cookie names. Cookies included in this list will be ignored when scanning for cookie related issues. |
rules.csrf.ignorelist | | A comma separated list of identifiers. Any FORMs with a name or ID that matches one of these identifiers will be ignored when scanning for missing Anti-CSRF tokens. Only use this feature to ignore FORMs that you know are safe, for example search forms. |
rules.csrf.ignore.attname | | The name of an HTML attribute that can be used to indicate that a form does not need an anti-CSRF token. If rules.csrf.ignore.attvalue is specified then this must also match the attribute's value. If found, any related alerts will be raised at INFO level. |
rules.csrf.ignore.attvalue | | The value of an HTML attribute named by rules.csrf.ignore.attname that can be used to indicate that a form does not need an anti-CSRF token. If found, any related alerts will be raised at INFO level. |
rules.domains.trusted | | A comma separated list of URL regex patterns. Any URLs that match the patterns will be considered trusted domains and the related issues ignored. |
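As an added example (not part of this page or of ZAP's own code), the following Python models how the settings in the table above are applied to cookies, URLs and forms. The sample values are constructed, and the assumption that a rules.domains.trusted pattern must match the whole URL is mine.

```python
import re
from html.parser import HTMLParser

# Constructed sample values for this page's rule keys (illustrative model, not ZAP's code).
RULE_CONFIG = {
    "rules.cookie.ignorelist": "_ga, JSESSIONID",
    "rules.csrf.ignorelist": "search, newsletter",
    "rules.csrf.ignore.attname": "data-no-csrf",
    "rules.csrf.ignore.attvalue": "true",
    "rules.domains.trusted": r"https://cdn\.example\.com/.*, https://.*\.example\.org/.*",
}

def split_list(value: str) -> list[str]:
    """Split a comma separated setting, dropping blanks and surrounding whitespace."""
    return [v.strip() for v in value.split(",") if v.strip()]

def cookie_is_ignored(cfg: dict, cookie_name: str) -> bool:
    """Cookies named in rules.cookie.ignorelist are skipped by cookie related rules."""
    return cookie_name in split_list(cfg["rules.cookie.ignorelist"])

def url_is_trusted(cfg: dict, url: str) -> bool:
    """Assumption: each rules.domains.trusted entry is a regex matched against the whole URL."""
    return any(re.fullmatch(p, url) for p in split_list(cfg["rules.domains.trusted"]))

def csrf_disposition(cfg: dict, form_attrs: dict) -> str:
    """How a FORM without an anti-CSRF token is treated: 'ignored', 'info' or 'alert'."""
    ignore_ids = split_list(cfg["rules.csrf.ignorelist"])
    if form_attrs.get("name") in ignore_ids or form_attrs.get("id") in ignore_ids:
        return "ignored"  # rules.csrf.ignorelist: the form is skipped entirely
    att = cfg.get("rules.csrf.ignore.attname", "").strip()
    if att and att in form_attrs:
        want = cfg.get("rules.csrf.ignore.attvalue", "").strip()
        if not want or form_attrs[att] == want:
            return "info"  # marker attribute found: alert is raised at INFO level
    return "alert"  # no exemption applies: alert raised at the rule's normal level

class FormCollector(HTMLParser):
    """Collects the attribute dict of every <form> tag in a page."""
    def __init__(self) -> None:
        super().__init__()
        self.forms: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.forms.append({k: (v or "") for k, v in attrs})

def classify_forms(cfg: dict, html: str) -> list[str]:
    parser = FormCollector()
    parser.feed(html)
    return [csrf_disposition(cfg, f) for f in parser.forms]
```

Note that with whole-URL matching, a trusted pattern such as `https://cdn\.example\.com/.*` does not accept `https://cdn.example.com.attacker.invalid/x`, which is the behaviour a trusted-domain list should have.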
See also:

- UI Overview, for an overview of the user interface
- Options dialogs, for details of the other Options dialog screens