
feat(lab5): ZAP baseline + auth + Semgrep + correlation + fixed scripts#5

Merged
RII6 merged 2 commits into main from feature/lab5 on Jun 26, 2026

Conversation

RII6 (Owner) commented Jun 23, 2026

Goal

This PR adds the complete Lab 5 submission, including DAST/SAST analysis and the bonus correlation task, along with necessary fixes to the provided scripts.

Changes

  • Fixed zap-auth.yaml: Updated the reportDir to /zap/wrk/results/ so the authenticated scan can successfully save its output.
  • Fixed compare_zap.sh: Modified the script to accept CLI arguments for file paths and fixed the site filtering logic to correctly match 3000 (instead of localhost:3000).
  • Added submissions/lab5.md:
    • Completed Task 1 with severity tables for both baseline and authenticated ZAP scans, explaining the 1.2x ratio.
    • Completed Task 2 with Semgrep severity breakdown, top 10 rules list, and identified a static challenge file as a false positive.
    • Completed the Bonus Task by correlating a DAST SQL Injection finding (/rest/products/search) with a SAST rule (express-sequelize-injection at routes/search.ts:23), including the parameterized query fix.

Testing

  • Ran the Juice Shop Docker container on a dedicated lab5-net network.
  • Successfully executed zap-baseline.py and zap-auth.yaml scans against http://juice-shop:3000.
  • Ran semgrep with OWASP Top 10 rules locally against a fresh clone of the v20.0.0 Juice Shop source code.
  • Verified the compare_zap.sh script accurately counts risk severities.

Artifacts & Screenshots

Checklist

  • Task 1 — ZAP baseline + auth + 10-20× ratio analysis
  • Task 2 — Semgrep top-10 + triage shortcut
  • Bonus — Correlation table with 1+ confirmed cross-tool finding

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
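The two script fixes above (CLI arguments for the report paths, and a site filter that matches `3000` rather than `localhost:3000`, since the scanned site is `http://juice-shop:3000`) describe the behaviour of compare_zap.sh without showing its code. The following is an added example, not the repository's compare_zap.sh, that implements the same severity count and baseline/auth ratio in Python. It assumes ZAP's JSON report layout (`site[]` entries with an `@name`, each holding `alerts[]` whose `riskcode` is a string `"0"`..`"3"`); the two embedded reports are constructed sample data, not real scan output, and the alert names and plugin IDs in them are illustrative only.

```python
"""Count ZAP alert severities per site and compare a baseline scan with an
authenticated scan. Added example; it is not the repository's compare_zap.sh."""
import argparse
import json
import sys

# ZAP's JSON report puts alerts under site[] -> alerts[], with riskcode as a
# string "0".."3". This mapping is assumed from ZAP's risk levels.
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}


def _alert(pluginid, name, riskcode):
    return {"pluginid": pluginid, "alert": name, "riskcode": riskcode}


# Constructed sample reports (not real scan output) in the ZAP JSON shape.
# The site @name is http://juice-shop:3000, so a filter of "localhost:3000"
# matches nothing, while matching on "3000" alone works for both spellings.
BASELINE_REPORT = {
    "@version": "2.14.0",
    "site": [
        {"@name": "http://juice-shop:3000", "@host": "juice-shop", "@port": "3000",
         "alerts": [
             _alert("10038", "Content Security Policy (CSP) Header Not Set", "2"),
             _alert("10021", "X-Content-Type-Options Header Missing", "1"),
             _alert("10096", "Timestamp Disclosure - Unix", "0"),
         ]},
        # A second site that must be excluded by the filter.
        {"@name": "http://other-host:8080", "@host": "other-host", "@port": "8080",
         "alerts": [_alert("10038", "Content Security Policy (CSP) Header Not Set", "2")]},
    ],
}
AUTH_REPORT = {
    "@version": "2.14.0",
    "site": [
        {"@name": "http://juice-shop:3000", "@host": "juice-shop", "@port": "3000",
         "alerts": [
             _alert("40018", "SQL Injection", "3"),
             _alert("10038", "Content Security Policy (CSP) Header Not Set", "2"),
             _alert("10202", "Absence of Anti-CSRF Tokens", "2"),
             _alert("10021", "X-Content-Type-Options Header Missing", "1"),
             _alert("10063", "Permissions Policy Header Not Set", "1"),
             _alert("10096", "Timestamp Disclosure - Unix", "0"),
         ]},
    ],
}


def load_report(path):
    """Read a ZAP JSON report from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def count_by_risk(report, site_filter):
    """Count alerts per risk level for every site whose @name contains site_filter."""
    counts = {name: 0 for name in RISK_NAMES.values()}
    for site in report.get("site", []):
        # Substring match, so "3000" selects juice-shop:3000 and localhost:3000 alike.
        if site_filter not in site.get("@name", ""):
            continue
        for alert in site.get("alerts", []):
            label = RISK_NAMES.get(str(alert.get("riskcode", "")), "Unknown")
            counts[label] = counts.get(label, 0) + 1
    return counts


def total_alerts(counts):
    return sum(counts.values())


def compare(baseline, auth, site_filter="3000"):
    """Return per-level counts for both scans and the auth/baseline alert ratio
    (None when the baseline matched no alerts, which usually means a wrong filter)."""
    b, a = count_by_risk(baseline, site_filter), count_by_risk(auth, site_filter)
    tb = total_alerts(b)
    ratio = round(total_alerts(a) / tb, 2) if tb else None
    return {"baseline": b, "auth": a, "ratio": ratio}


def format_table(result):
    """Render the comparison as a plain-text severity table."""
    lines = [f"{'Risk':<14}{'Baseline':>10}{'Auth':>10}"]
    for level in list(RISK_NAMES.values())[::-1]:  # High first
        lines.append(f"{level:<14}{result['baseline'][level]:>10}{result['auth'][level]:>10}")
    lines.append(f"{'Total':<14}{total_alerts(result['baseline']):>10}"
                 f"{total_alerts(result['auth']):>10}")
    lines.append(f"Auth/baseline ratio: {result['ratio']}")
    return "\n".join(lines)


def main(argv=None):
    parser = argparse.ArgumentParser(description="Compare ZAP baseline and authenticated JSON reports")
    parser.add_argument("baseline", help="path to the baseline JSON report")
    parser.add_argument("auth", help="path to the authenticated-scan JSON report")
    parser.add_argument("--site", default="3000", help="substring the site @name must contain")
    args = parser.parse_args(argv)
    print(format_table(compare(load_report(args.baseline), load_report(args.auth), args.site)))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        main()
    else:  # no paths given: demonstrate on the constructed reports
        print(format_table(compare(BASELINE_REPORT, AUTH_REPORT)))
```

Run with two report paths (`python compare_zap.py baseline.json auth.json --site 3000`) or with no arguments to see the table for the constructed data. The `None` ratio on a zero-alert baseline is deliberate: a filter such as `localhost:3000` that silently matches nothing would otherwise report a misleading count of zero findings rather than flagging the filter mistake.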
@RII6 RII6 merged commit 40621fd into main Jun 26, 2026
1 check passed