
I work a lot with OWASP ZAP, and I am very satisfied. Nevertheless, I have the problem with all my scans that I always have false positives in the PII scan area. Among other things, Google Maps numbers or product numbers are recognized as Visa card numbers.

I have not seen any way to prevent this, but I am looking for a way to secure the PII scans to get real results.

How can this be avoided within OWASP ZAP?

Are there any settings to get a better PII scan?

schroeder

Mornon

1 Answer

The PII rule was updated in the last release to fix some issues: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/CHANGELOG.md

But we also have an open issue: https://github.com/zaproxy/zaproxy/issues/6639 - why not comment on that or open a new issue. If we can make it more accurate without missing some valid use cases then we will.

Simon Bennetts
Hello Simon, first of all thank you for the quick response.

I will open a new bug with you, and describe the issue accordingly with some more background information.

The question here is: can we, as a first interim solution, exclude certain pages that contain product numbers or Google Maps values from the PII scan?

Or maybe, as a solution, mark whole pages accordingly so that you can exclude them?

– Mornon Jul 07 '21 at 11:53

We have a FAQ for that :) https://www.zaproxy.org/faq/how-do-i-handle-a-false-positive/ – Simon Bennetts Jul 07 '21 at 12:27
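The thread asks for an interim way to keep product numbers and map values from being reported as card numbers, and the answer points at ZAP's false-positive handling. The script below is an added example, not code from the question, the answer, or the ZAP project. It shows the two checks a tester would apply when triaging exported alerts outside ZAP: re-verify the "evidence" digit string with the Luhn checksum (the check card issuers apply, which a Luhn-invalid product number will fail), and suppress PII alerts on URL paths the tester has decided to exclude (the same intent an alert filter or context exclusion expresses inside ZAP). The alert records are constructed samples whose keys (`alert`, `url`, `evidence`) are assumed to match the fields in ZAP's alert JSON, the URLs and numbers are made up, and `EXCLUDED_URL_PATTERNS` is a hypothetical list the tester maintains.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample alerts. The keys are assumed to mirror ZAP's alert JSON
# ("alert", "url", "evidence"); every value is made up for this example.
SAMPLE_ALERTS: List[Dict[str, str]] = [
    {"alert": "PII Disclosure", "url": "https://example.test/checkout/confirm",
     "evidence": "4111111111111111"},                       # Luhn-valid card-like number: keep
    {"alert": "PII Disclosure", "url": "https://example.test/catalog/item/77",
     "evidence": "4000123456789012"},                       # product number, fails Luhn
    {"alert": "PII Disclosure", "url": "https://example.test/store-locator",
     "evidence": "4111111111111111"},                       # map page on an excluded path
    {"alert": "X-Content-Type-Options Header Missing", "url": "https://example.test/",
     "evidence": ""},                                       # unrelated rule: left untouched
]

# Hypothetical exclusion list for pages known to carry product or map numbers.
# Inside ZAP the same decision would be recorded as an alert filter.
EXCLUDED_URL_PATTERNS: List[re.Pattern] = [
    re.compile(r"^https://example\.test/store-locator"),
]


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card issuers."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:          # shorter strings cannot be a card number
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_excluded(url: str, patterns: Iterable[re.Pattern]) -> bool:
    """True if the alert URL matches any tester-defined exclusion pattern."""
    return any(p.search(url) for p in patterns)


def triage(alerts: Iterable[Dict[str, str]],
           patterns: Iterable[re.Pattern] = EXCLUDED_URL_PATTERNS
           ) -> Tuple[List[Dict[str, str]], List[Tuple[Dict[str, str], str]]]:
    """Split alerts into (kept, suppressed); each suppressed entry carries a reason.

    Only "PII Disclosure" alerts are examined; every other alert is kept as-is.
    """
    patterns = list(patterns)
    kept: List[Dict[str, str]] = []
    suppressed: List[Tuple[Dict[str, str], str]] = []
    for alert in alerts:
        if alert["alert"] != "PII Disclosure":
            kept.append(alert)
        elif is_excluded(alert["url"], patterns):
            suppressed.append((alert, "url excluded by tester"))
        elif not luhn_valid(alert["evidence"]):
            suppressed.append((alert, "evidence fails Luhn checksum"))
        else:
            kept.append(alert)
    return kept, suppressed


if __name__ == "__main__":
    kept_alerts, suppressed_alerts = triage(SAMPLE_ALERTS)
    for a in kept_alerts:
        print("KEEP    ", a["alert"], a["url"])
    for a, reason in suppressed_alerts:
        print("SUPPRESS", a["alert"], a["url"], "-", reason)
```

Note that a Luhn check alone is not enough: roughly one in ten arbitrary digit strings passes it by chance, which is why the URL exclusion list is kept as a second, tester-controlled filter for pages that are known to carry product or map numbers.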