Example policy for the policy verifier extension of ZAP
- Download the zap-2.9.0-SNAPSHOT.jar
- Create a new JAVA project (or clone this one) and add this JAR as a dependency in your builder of choice, in the example project we use Gradle.
- In your default (!) package create a policy rule class which extends org.zaproxy.zap.extension.policyrulescanner.PolicyRule
- Create a constructor which takes a string argument:
public CookieAttributeRule(String policyName) { super(policyName); }
- Create a method isFlaggedBy which takes a org.parosproxy.paros.network.HttpMessage argument
You can change this method according to your desired rule functionality. The rules in this example project will give you an idea of which kind of rules you could design.
public boolean isFlaggedBy(HttpMessage msg) { return false; //change this for your rule }
- Build a jar with your builder of choice. Be sure that only the rules are in the default package and that the content of our ZAP JAR is not present in your JAR.
- Start up our ZAP, go to Options -> Policy Jar Loader -> Add.. -> navigate to your built JAR.
- You can now check on violated rules at Options -> Flagged Rule Report. Note: the name of your JAR will be used as the policy name and the name of the rules will correspond to their class names by default, you can override this by overriding resp. getPolicyName() or getName() in your rule classes.