| 1 | +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> |
| 2 | +<html> |
| 3 | +<head> |
| 4 | + <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> |
| 5 | + <title> |
| 6 | + Alert Tags |
| 7 | + </title> |
| 8 | +</head> |
| 9 | +<body> |
| 10 | +<h1>Alert Tags</h1> |
| 11 | + |
| 12 | +The Common Library add-on provides Alert Tags for use by scan rules. |
| 13 | + |
| 14 | +<p> |
| 15 | +Of note the following tags/groups of tags are included: |
| 16 | +<ul> |
| 17 | + <li>Custom Payloads - A tag which indicates the scan rules which support <a href="https://www.zaproxy.org/docs/desktop/addons/custom-payloads/">Custom Payloads functionality</a>.</li> |
| 18 | + <li>HIPAA (Health Insurance Portability and Accountability Act) - A tag representing alerts/rules which we've mapped to the HIPAA standard.</li> |
| 19 | + <li>OWASP Top 10 (2017) - Tags representing the risks/vulnerabilities from the 2017 OWASP Top 10 list.</li> |
| 20 | + <li>OWASP Top 10 (2021) - Tags representing the risks/vulnerabilities from the 2021 OWASP Top 10 list.</li> |
| 21 | + <li>PCI DSS (Payment Card Industry Data Security Standard) - A tag representing alerts/rules which we've mapped to the PCI DSS standard.</li> |
| 22 | + <li>Test Timing - A tag which represent rules/alerts which are based on time (induced delay) payloads.</li> |
| 23 | + <li>OWASP Web Security Testing Guide (v4.2) - Tags which map rules/alerts to the relevant sections of the OWASP WSTG (version 4.2).</li> |
| 24 | +</ul> |
| 25 | + |
| 26 | +<h2 id="compliance">Compliance Tags</h2> |
| 27 | + |
| 28 | +Please note that the PCI DSS and HIPAA standards deal with specific types of data, while an identified vulnerability may expose |
| 29 | +such data ZAP has insufficient context with which to differentiate what is or might be exposed by leveraging a given vulnerability. |
| 30 | +If the system being tested does not hold any such data then the related compliance tag <strong>may</strong> not be relevant. |
| 31 | +<p> |
| 32 | +See also:<br> |
| 33 | +<ul> |
| 34 | + <li><a href="https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html">HIPAA</a>.</li> |
| 35 | + <li><a href="https://www.pcisecuritystandards.org/standards/pci-dss/">PCI DSS</a>.</li> |
| 36 | +</ul> |
| 37 | + |
| 38 | +<h2>CVE Tags</h2> |
| 39 | +Any alert that involves a specific CVE will (generally) also have a tag for |
| 40 | +that specific CVE identifier with a value that links to Mitre's National |
| 41 | +Vulnerability Database (NVD). |
| 42 | + |
| 43 | +<h2>Policy Tags</h2> |
| 44 | +The add-on also provides a set of Alert Tags which associate various rule |
| 45 | +types or focus areas to scan policies, see the |
| 46 | +<a href="https://www.zaproxy.org/docs/desktop/addons/scan-policies/">Scan |
| 47 | +Policies add-on help</a> for further details. |
| 48 | + |
| 49 | +</body> |
| 50 | +</html> |
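Review bot: the CVE Tags paragraph misattributes the National Vulnerability Database: NVD is operated by NIST, while MITRE runs the CVE program itself, so "links to Mitre's National Vulnerability Database (NVD)" should read "links to NIST's National Vulnerability Database (NVD)" (or, if the tag values actually point at cve.mitre.org rather than nvd.nist.gov, say that instead so readers know which site they will land on). Two smaller wording issues in the same hunk: in the tag list, "Test Timing - A tag which represent rules/alerts" should be "represents", and the first sentence under Compliance Tags runs two clauses together; suggest "Please note that the PCI DSS and HIPAA standards deal with specific types of data. While an identified vulnerability may expose such data, ZAP has insufficient context with which to differentiate what is or might be exposed by leveraging a given vulnerability."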