
full path disclosure check : inspathx

Open zapbot opened this issue 9 years ago • 7 comments

enhancement request

Check: http://code.google.com/p/inspathx/

Basic tool, working.
Requires: a local copy of the website and the remote site URL.

It will try to access all pages directly and see if a path disclosure error occurs.

This same functionality could be added to the ZAP active scanner to look at all the
crawled pages directly, in random order and without any parameter, and if any error is displayed
an issue could be marked.

Note: if such a facility already exists then this issue should be closed; however, do inform me
about how it's done.

Original issue reported on code.google.com by [email protected] on 2012-11-08 09:44:37


See: https://github.com/zaproxy/zaproxy/issues/413#issuecomment-1790891861

zapbot avatar Jun 04 '15 16:06 zapbot

There's probably a lot of overlap with the Brute Force tool.
Right click a URL in ZAP, select "Attack" / "Brute Force site".

However inspathx may be better/faster at discovering some URLs, so I'd be very happy for
someone to create an extension for it :)

Original issue reported on code.google.com by psiinon on 2012-11-08 10:45:23

  • Labels added: Type-Enhancement
  • Labels removed: Type-Defect

zapbot avatar Jun 04 '15 16:06 zapbot

https://github.com/CodeVigilant/error_finder

A Python script we wrote a couple of months back which does a decent job of finding
full path disclosures.

Original issue reported on code.google.com by [email protected] on 2014-11-29 08:39:25

zapbot avatar Jun 04 '15 16:06 zapbot

Hi, I would like to tackle this issue. Any pointers on where to start with the code base?

3bhady avatar Mar 16 '18 23:03 3bhady

I'd like to work on this issue since it is still open (full path disclosure add-on).

beldcode avatar Apr 27 '20 08:04 beldcode

Greetings! I would like to work on this add-on. Here is what I understand so far: randomly calling routes, or calling routes without the right parameters, when the developers have not validated the inputs properly, causes an error on the server which might reveal the root directory of the application. This can then be used to perform different kinds of attacks. So I have to write an add-on in the ZAP extension ascanrules which detects these errors and possible full paths being disclosed. These are the steps I will take:

  1. Get the URL of the website, e.g. http://example.com/
  2. Get the root of the directory used to host the website on the local machine, say /home/project/
  3. Recursively send requests to "http://example.com/" + the files belonging to /home/project/ and all of its subdirectories.
  4. For every response, check if the returned data has the full path disclosed.
  5. If yes, flag it as a vulnerability.

Questions:

  1. On every route, do I only send a GET request as implemented here, or a bunch of requests as mentioned in the example section of this OWASP article?
  2. Is checking for the words notice|warning|parse|fatal|error enough to flag a potential FPD vuln, or do I have to perform more complex pattern matching to determine if the path is disclosed?

I'm quite new to open source and this is my first time contributing to OWASP! So please excuse me if I'm trying to clarify a lot of obvious things :)

ganesh-dagadi avatar Oct 31 '23 14:10 ganesh-dagadi

Hi @ganesh-dagadi, this issue is quite old and still not completely well planned for 2023.

To me there are two things here: one would be a passive rule that looks for path disclosures; the other would be a spider, I guess, that uses a local source code folder to build paths to request...

The core team have just discussed this and the 2nd part is partially covered by Force Browse and https://github.com/secdec/attack-surface-detector-zap. Further it would be best from our perspective to integrate with or inject info from SAST in order to get paths/route to try (which is out of scope of this issue).

However, if you wanted to tackle a passive rule that looks for path disclosures that'd be fine. We suggest raising the alerts as low confidence and only at informational/low risk.

  • https://www.zaproxy.org/docs/developer/
  • https://github.com/zaproxy/zap-extensions/tree/main/addOns/pscanrulesAlpha
  • https://github.com/zaproxy/zaproxy/blob/main/docs/scanners.md

kingthorin avatar Nov 02 '23 14:11 kingthorin
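An added example, not part of this thread or of ZAP's code base, written in Python rather than ZAP's Java so it can be run as-is. It covers both halves of the split above: the active half (ganesh-dagadi's steps 1-5: build candidate URLs from the file tree of a local copy of the site and request each one) and the passive half (inspect any response body for an absolute path leaked by an error message, which is what a passive rule would do). It also answers question 2 concretely: the bare keyword list is kept for comparison and fires on a harmless "An error occurred" page that discloses nothing, while the path regex with an error-context window gives the low/medium confidence split suggested here. The hostname example.com, the file list, the sample responses and the regex lists are constructed assumptions for the demo.

```python
"""Full path disclosure (FPD) checker: active candidate generation plus a
passive response check. Patterns and sample data are assumptions for the demo,
not ZAP's own rules or output."""
import os
import re
from dataclasses import dataclass
from typing import Callable, Iterable
from urllib.parse import urljoin

# Absolute paths as they appear in stack traces and PHP/ASP.NET error pages.
# The lookbehind skips "//host/..." inside URLs and slashes inside other tokens;
# "aspx" is listed before "asp" so the alternation does not stop one char short.
_EXT = r"\.(?:php|inc|py|rb|jsp|aspx|asp|pl|cgi)\b"
UNIX_PATH = r"(?<![:/\w])/(?:[\w.\-]+/)+[\w.\-]+" + _EXT
WIN_PATH = r"[A-Za-z]:\\(?:[\w.\-]+\\)+[\w.\-]+" + _EXT
PATH_RE = re.compile(f"(?:{UNIX_PATH}|{WIN_PATH})")

# The bare keyword list asked about in the thread: it fires on ordinary page
# text ("An error occurred") and says nothing about whether a path leaked.
KEYWORDS_RE = re.compile(r"\b(?:notice|warning|parse|fatal|error)\b", re.I)

# Error-message fragments that raise confidence when they precede a path.
ERROR_CONTEXT_RE = re.compile(
    r"(?:Warning|Notice|Fatal error|Parse error|Deprecated|Traceback|"
    r"Exception|Stack trace|failed to open stream|No such file or directory|"
    r"Could not find file|Server Error)",
    re.I,
)


@dataclass
class Finding:
    url: str
    path: str          # the leaked absolute path
    confidence: str    # "low" (bare path) or "medium" (path inside an error message)
    evidence: str      # text preceding the path, for the alert's evidence field


def find_path_disclosure(url: str, body: str) -> list[Finding]:
    """Passive check: report every absolute path in the body, rated by context."""
    findings = []
    for m in PATH_RE.finditer(body):
        context = body[max(0, m.start() - 120):m.end()]   # 120 chars of lead-up
        conf = "medium" if ERROR_CONTEXT_RE.search(context) else "low"
        findings.append(Finding(url, m.group(0), conf, context.strip()))
    return findings


def keyword_only_check(body: str) -> bool:
    """The naive check from the thread, kept for comparison."""
    return KEYWORDS_RE.search(body) is not None


def local_paths(root: str) -> list[str]:
    """Walk a local copy of the site and return relative POSIX paths (step 2)."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            out.append(rel.replace(os.sep, "/"))
    return sorted(out)


def candidate_urls(base_url: str, rel_paths: Iterable[str]) -> list[str]:
    """Step 3: base URL + each local file path."""
    return [urljoin(base_url, p.lstrip("/")) for p in rel_paths]


def active_scan(base_url: str, rel_paths: Iterable[str],
                fetch: Callable[[str], tuple[int, str]]) -> list[Finding]:
    """Steps 3-5: request every file of the local copy and run the passive check."""
    findings = []
    for url in candidate_urls(base_url, rel_paths):
        _status, body = fetch(url)
        findings.extend(find_path_disclosure(url, body))
    return findings


# ---- constructed demo data (stands in for a real site and os.walk output) ----
BASE_URL = "http://example.com/"
LOCAL_FILES = ["index.php", "includes/config.inc.php", "api/upload.aspx",
               "docs/help.php", "assets/logo.png"]
SAMPLE_RESPONSES = {
    "http://example.com/includes/config.inc.php": (200,
        "<br />\n<b>Warning</b>:  include(header.php): failed to open stream: "
        "No such file or directory in <b>/var/www/html/includes/config.inc.php</b> "
        "on line <b>12</b>"),
    "http://example.com/index.php": (200,
        "<html><body>Welcome! An error occurred while loading your cart.</body></html>"),
    "http://example.com/api/upload.aspx": (500,
        "Server Error in '/' Application. Could not find file "
        "'C:\\inetpub\\wwwroot\\api\\upload.aspx'."),
    "http://example.com/docs/help.php": (200,
        "See the file /home/project/public/app.php for configuration options."),
}


def fake_fetch(url: str) -> tuple[int, str]:
    """Offline stand-in for an HTTP GET; a real scan would send the request."""
    return SAMPLE_RESPONSES.get(url, (404, "Not Found"))


def run_demo() -> list[Finding]:
    return active_scan(BASE_URL, LOCAL_FILES, fake_fetch)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.confidence:6} {f.url} -> {f.path}")
```

Against the constructed responses the keyword check flags index.php (it contains "error") even though no path is present, while the path regex flags three responses: the PHP warning and the ASP.NET "Could not find file" page at medium confidence, and the bare path in the help text at low confidence. A passive rule would run only the body check over every response ZAP already sees; the active half is what a local-copy spider would add.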

Ok I will work on the passive rule. Seems like a good place to begin contributing.

ganesh-dagadi avatar Nov 03 '23 11:11 ganesh-dagadi