# zap-full-scan rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
# Active scan rules set to IGNORE will not be run which will speed up the scan
# Only the rule identifiers are used - the names are just for info
# You can add your own messages to each rule by appending them after a tab on each line.
0	WARN	(Directory Browsing - Active/release)
10003	WARN	(Vulnerable JS Library - Passive/release)
10010	FAIL	(Cookie No HttpOnly Flag - Passive/release)
10011	FAIL	(Cookie Without Secure Flag - Passive/release)
10015	WARN	(Incomplete or No Cache-control Header Set - Passive/release)
10016	FAIL	(Web Browser XSS Protection Not Enabled)
10017	WARN	(Cross-Domain JavaScript Source File Inclusion - Passive/release)
10019	WARN	(Content-Type Header Missing - Passive/release)
10020	FAIL	(X-Frame-Options Header - Passive/release)
10021	WARN	(X-Content-Type-Options Header Missing - Passive/release)
10023	WARN	(Information Disclosure - Debug Error Messages - Passive/release)
10024	FAIL	(Information Disclosure - Sensitive Information in URL - Passive/release)
10025	FAIL	(Information Disclosure - Sensitive Information in HTTP Referrer Header - Passive/release)
10026	WARN	(HTTP Parameter Override - Passive/beta)
10027	WARN	(Information Disclosure - Suspicious Comments - Passive/release)
10028	FAIL	(Open Redirect - Passive/beta)
10029	WARN	(Cookie Poisoning - Passive/beta)
10030	WARN	(User Controllable Charset - Passive/beta)
10031	WARN	(User Controllable HTML Element Attribute (Potential XSS) - Passive/beta)
10032	WARN	(Viewstate - Passive/release)
10033	WARN	(Directory Browsing - Passive/beta)
10034	WARN	(Heartbleed OpenSSL Vulnerability (Indicative) - Passive/beta)
10035	FAIL	(Strict-Transport-Security Header - Passive/beta)
10036	WARN	(HTTP Server Response Header - Passive/beta)
10037	WARN	(Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) - Passive/release)
10038	FAIL	(Content Security Policy (CSP) Header Not Set - Passive/beta)
10039	WARN	(X-Backend-Server Header Information Leak - Passive/beta)
10040	FAIL	(Secure Pages Include Mixed Content - Passive/release)
10041	WARN	(HTTP to HTTPS Insecure Transition in Form Post - Passive/beta)
10042	WARN	(HTTPS to HTTP Insecure Transition in Form Post - Passive/beta)
10043	FAIL	(User Controllable JavaScript Event (XSS) - Passive/beta)
10044	WARN	(Big Redirect Detected (Potential Sensitive Information Leak) - Passive/beta)
10045	WARN	(Source Code Disclosure - /WEB-INF folder - Active/release)
10047	WARN	(HTTPS Content Available via HTTP - Active/beta)
10048	FAIL	(Remote Code Execution - Shell Shock - Active/beta)
10050	WARN	(Retrieved from Cache - Passive/beta)
10051	WARN	(Relative Path Confusion - Active/beta)
10052	WARN	(X-ChromeLogger-Data (XCOLD) Header Information Leak - Passive/beta)
10053	WARN	(Apache Range Header DoS (CVE-2011-3192) - Active/beta)
10054	WARN	(Cookie without SameSite Attribute - Passive/release)
10055	WARN	(CSP - Passive/release)
10056	WARN	(X-Debug-Token Information Leak - Passive/release)
10057	WARN	(Username Hash Found - Passive/release)
10058	FAIL	(GET for POST - Active/beta)
10061	WARN	(X-AspNet-Version Response Header - Passive/release)
10062	FAIL	(PII Disclosure - Passive/beta)
10095	IGNORE	(Backup File Disclosure - Active/beta)
10096	WARN	(Timestamp Disclosure - Passive/release)
10097	WARN	(Hash Disclosure - Passive/beta)
10098	WARN	(Cross-Domain Misconfiguration - Passive/release)
10104	WARN	(User Agent Fuzzer - Active/beta)
10105	WARN	(Weak Authentication Method - Passive/release)
10106	IGNORE	(HTTP Only Site - Active/beta)
10107	WARN	(Httpoxy - Proxy Header Misuse - Active/beta)
10108	WARN	(Reverse Tabnabbing - Passive/beta)
10109	WARN	(Modern Web Application - Passive/beta)
10202	FAIL	(Absence of Anti-CSRF Tokens - Passive/release)
2	WARN	(Private IP Disclosure - Passive/release)
20012	FAIL	(Anti-CSRF Tokens Check - Active/beta)
20014	WARN	(HTTP Parameter Pollution - Active/beta)
20015	WARN	(Heartbleed OpenSSL Vulnerability - Active/beta)
20016	WARN	(Cross-Domain Misconfiguration - Active/beta)
20017	FAIL	(Source Code Disclosure - CVE-2012-1823 - Active/beta)
20018	FAIL	(Remote Code Execution - CVE-2012-1823 - Active/beta)
20019	WARN	(External Redirect - Active/release)
3	WARN	(Session ID in URL Rewrite - Passive/release)
30001	WARN	(Buffer Overflow - Active/release)
30002	WARN	(Format String Error - Active/release)
30003	WARN	(Integer Overflow Error - Active/beta)
40003	WARN	(CRLF Injection - Active/release)
40008	WARN	(Parameter Tampering - Active/release)
40009	WARN	(Server Side Include - Active/release)
40012	FAIL	(Cross Site Scripting (Reflected) - Active/release)
40013	FAIL	(Session Fixation - Active/beta)
40014	FAIL	(Cross Site Scripting (Persistent) - Active/release)
40016	FAIL	(Cross Site Scripting (Persistent) - Prime - Active/release)
40017	FAIL	(Cross Site Scripting (Persistent) - Spider - Active/release)
40018	FAIL	(SQL Injection - Active/release)
40019	FAIL	(SQL Injection - MySQL - Active/beta)
40020	FAIL	(SQL Injection - Hypersonic SQL - Active/beta)
40021	FAIL	(SQL Injection - Oracle - Active/beta)
40022	FAIL	(SQL Injection - PostgreSQL - Active/beta)
40023	FAIL	(Possible Username Enumeration - Active/beta)
40024	FAIL	(SQL Injection - SQLite - Active/beta)
40025	FAIL	(Proxy Disclosure - Active/beta)
40026	FAIL	(Cross Site Scripting (DOM Based) - Active/beta)
40027	FAIL	(SQL Injection - MsSQL - Active/beta)
40028	WARN	(ELMAH Information Leak - Active/release)
40029	WARN	(Trace.axd Information Leak - Active/beta)
40032	FAIL	(.htaccess Information Leak - Active/release)
40034	FAIL	(.env Information Leak - Active/beta)
40035	FAIL	(Hidden File Finder - Active/beta)
41	FAIL	(Source Code Disclosure - Git  - Active/beta)
42	WARN	(Source Code Disclosure - SVN - Active/beta)
43	WARN	(Source Code Disclosure - File Inclusion - Active/beta)
50000	WARN	(Script Active Scan Rules - Active/release)
50001	WARN	(Script Passive Scan Rules - Passive/release)
6	WARN	(Path Traversal - Active/release)
7	WARN	(Remote File Inclusion - Active/release)
90001	WARN	(Insecure JSF ViewState - Passive/release)
90011	WARN	(Charset Mismatch - Passive/release)
90017	WARN	(XSLT Injection - Active/beta)
90019	WARN	(Server Side Code Injection - Active/release)
90020	FAIL	(Remote OS Command Injection - Active/release)
90021	WARN	(XPath Injection - Active/beta)
90022	WARN	(Application Error Disclosure - Passive/release)
90023	WARN	(XML External Entity Attack - Active/beta)
90024	WARN	(Generic Padding Oracle - Active/beta)
90025	WARN	(Expression Language Injection - Active/beta)
90026	WARN	(SOAP Action Spoofing - Active/alpha)
90027	IGNORE	(Cookie Slack Detector - Active/beta)
90028	WARN	(Insecure HTTP Method - Active/beta)
90029	WARN	(SOAP XML Injection - Active/alpha)
90030	WARN	(WSDL File Detection - Passive/alpha)
90033	WARN	(Loosely Scoped Cookie - Passive/release)
90034	WARN	(Cloud Metadata Potentially Exposed - Active/beta)