zaproxy
New common getExampleAlerts() method
This is for all scan rules - active, passive, http, websocket, future ones :)
The method is proposed to be a 'de facto standard' for now: `List<Alert> getExampleAlerts()`
It will be accessed by the generate_alert_pages.js script using introspection. This script generates the https://www.zaproxy.org/docs/alerts/ pages.
At the moment the script can only cope with one alert per add-on, while many add-ons generate several.
Ease of maintenance is key - this new method should call any suitable existing methods - if they don't exist the new ones could be created.
Release & beta rules with little to no info which should implement this new method asap:
- [x] https://www.zaproxy.org/docs/alerts/10003/ Vulnerable JS Library
- [x] https://www.zaproxy.org/docs/alerts/10020/ X-Frame-Options Header
- [x] https://www.zaproxy.org/docs/alerts/10032/ Viewstate
The plan is to only expose the information currently on the alert pages, so URLs can be https://www.example.com
Any new generic text created for these alerts should be i18n'd
| State | ID | Name | Class |
|---|---|---|---|
| ✅ PR#4242 | 0 | Directory Browsing | DirectoryBrowsingScanRule |
| ✅ PR#4242 | 2 | Private IP Disclosure | InfoPrivateAddressDisclosureScanRule |
| ✅ PR#4242 | 3 | Session ID in URL Rewrite | InfoSessionIdUrlScanRule |
| ✅ | 6 | Path Traversal | PathTraversalScanRule |
| ✅ | 7 | Remote File Inclusion | RemoteFileIncludeScanRule |
| ✅ PR#4567 | 41 | Source Code Disclosure - Git | SourceCodeDisclosureGitScanRule |
| ✅ zaproxy/zap-extensions#5205 | 42 | Source Code Disclosure - SVN | SourceCodeDisclosureSvnScanRule |
| ✅ PR#4702 | 43 | Source Code Disclosure - File Inclusion | SourceCodeDisclosureFileInclusionScanRule |
| ✅ zaproxy/zap-extensions#4540 | 10009 | In Page Banner Information Leak | InPageBannerInfoLeakScanRule |
| ✅ | 10010 | Cookie No HttpOnly Flag | CookieHttpOnlyScanRule |
| ✅ | 10011 | Cookie Without Secure Flag | CookieSecureFlagScanRule |
| ✅ PR#4706 | 10015 | Re-examine Cache-control Directives | CacheControlScanRule |
| ✅ zaproxy/zap-extensions#4547 | 10017 | Cross-Domain JavaScript Source File Inclusion | CrossDomainScriptInclusionScanRule |
| ✅ zaproxy/zap-extensions#5186 | 10019 | Content-Type Header Missing | ContentTypeMissingScanRule |
| ✅ | 10020 | Anti-clickjacking Header | AntiClickjackingScanRule |
| ✅ zaproxy/zap-extensions#5186 | 10021 | X-Content-Type-Options Header Missing | XContentTypeOptionsScanRule |
| ✅ zaproxy/zap-extensions#5205 | 10023 | Information Disclosure - Debug Error Messages | InformationDisclosureDebugErrorsScanRule |
| ✅ zaproxy/zap-extensions#5205 | 10024 | Information Disclosure - Sensitive Information in URL | InformationDisclosureInUrlScanRule |
| ✅ zaproxy/zap-extensions#5205 | 10025 | Information Disclosure - Sensitive Information in HTTP Referrer Header | InformationDisclosureReferrerScanRule |
| ✅ zaproxy/zap-extensions#4540 | 10026 | HTTP Parameter Override | ServletParameterPollutionScanRule |
| ✅ zaproxy/zap-extensions#4640 | 10027 | Information Disclosure - Suspicious Comments | InformationDisclosureSuspiciousCommentsScanRule |
| ✅ zaproxy/zap-extensions#5205 | 10028 | Open Redirect | UserControlledOpenRedirectScanRule |
| ✅ zaproxy/zap-extensions#5205 | 10029 | Cookie Poisoning | UserControlledCookieScanRule |
| ✅ zaproxy/zap-extensions#5205 | 10030 | User Controllable Charset | UserControlledCharsetScanRule |
| ✅ zaproxy/zap-extensions#5205 | 10031 | User Controllable HTML Element Attribute (Potential XSS) | UserControlledHTMLAttributesScanRule |
| ✅ | 10032 | Viewstate | ViewstateScanRule |
| ✅ zaproxy/zap-extensions#4537 | 10033 | Directory Browsing | DirectoryBrowsingScanRule |
| ✅ zaproxy/zap-extensions#5205 | 10034 | Heartbleed OpenSSL Vulnerability (Indicative) | HeartBleedScanRule |
| ✅ zaproxy/zap-extensions#5205 | 10035 | Strict-Transport-Security Header | StrictTransportSecurityScanRule |
| ✅ PR#4097 | 10036 | HTTP Server Response Header | ServerHeaderInfoLeakScanRule |
| ✅ zaproxy/zap-extensions#5205 | 10037 | Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) | XPoweredByHeaderInfoLeakScanRule |
| ✅ PR#4338 | 10038 | Content Security Policy (CSP) Header Not Set | ContentSecurityPolicyMissingScanRule |
| ✅ PR#4677 | 10039 | X-Backend-Server Header Information Leak | XBackendServerInformationLeakScanRule |
| ✅ zaproxy/zap-extensions#5220 | 10040 | Secure Pages Include Mixed Content | MixedContentScanRule |
| ✅ zaproxy/zap-extensions#5220 | 10041 | HTTP to HTTPS Insecure Transition in Form Post | InsecureFormLoadScanRule |
| ✅ zaproxy/zap-extensions#5220 | 10042 | HTTPS to HTTP Insecure Transition in Form Post | InsecureFormPostScanRule |
| ✅ zaproxy/zap-extensions#5220 | 10043 | User Controllable JavaScript Event (XSS) | UserControlledJavascriptEventScanRule |
| ✅ PR#5153 | 10044 | Big Redirect Detected (Potential Sensitive Information Leak) | BigRedirectsScanRule |
| ✅ zaproxy/zap-extensions#5220 | 10045 | Source Code Disclosure - /WEB-INF folder | SourceCodeDisclosureWebInfScanRule |
| ✅ zaproxy/zap-extensions#5220 | 10047 | HTTPS Content Available via HTTP | HttpsAsHttpScanRule |
| ✅ zaproxy/zap-extensions#5242 | 10048 | Remote Code Execution - Shell Shock | ShellShockScanRule |
| ✅ PR#4097 | 10049 | Content Cacheability | CacheableScanRule |
| ✅ zaproxy/zap-extensions#5242 | 10050 | Retrieved from Cache | RetrievedFromCacheScanRule |
| ✅ zaproxy/zap-extensions#5329 | 10051 | Relative Path Confusion - AB | RelativePathConfusionScanRule |
| ✅ PR#4705 | 10052 | X-ChromeLogger-Data (XCOLD) Header Information Leak | XChromeLoggerDataInfoLeakScanRule |
| ✅ zaproxy/zap-extensions#5220 | 10054 | Cookie without SameSite Attribute | CookieSameSiteScanRule |
| ✅ | 10055 | CSP | ContentSecurityPolicyScanRule |
| ✅ zaproxy/zap-extensions#5220 | 10056 | X-Debug-Token Information Leak | XDebugTokenScanRule |
| ✅ | 10057 | Username Hash Found | UsernameIdorScanRule |
| ✅ zaproxy/zap-extensions#5181 | 10058 | GET for POST | GetForPostScanRule |
| ✅ PR#4625 | 10061 | X-AspNet-Version Response Header | XAspNetVersionScanRule |
| ✅ | 10062 | PII Disclosure | PiiScanRule |
| ✅ | 10063 | Permissions Policy Header Not Set | PermissionsPolicyScanRule |
| ✅ zaproxy/zap-extensions#4502 | 10094 | Base64 Disclosure | Base64Disclosure |
| ✅ zaproxy/zap-extensions#5251 | 10095 | Backup File Disclosure | BackupFileDisclosureScanRule |
| ✅ zaproxy/zap-extensions#5251 | 10096 | Timestamp Disclosure | TimestampDisclosureScanRule |
| ✅ zaproxy/zap-extensions#5251 | 10097 | Hash Disclosure | HashDisclosureScanRule |
| ✅ zaproxy/zap-extensions#5251 | 10098 | Cross-Domain Misconfiguration | CrossDomainMisconfigurationScanRule |
| ✅ zaproxy/zap-extensions#4502 | 10099 | Source Code Disclosure | SourceCodeDisclosureScanRule |
| ✅ PR#4839 | 10101 | Access Control Issue - Improper Authentication | AccessControlAlertsProcessor |
| ✅ PR#4839 | 10102 | Access Control Issue - Improper Authorization | AccessControlAlertsProcessor |
| ✅ | 10104 | User Agent Fuzzer | UserAgentScanRule |
| ✅ zaproxy/zap-extensions#5261 | 10105 | Weak Authentication Method - P | InsecureAuthenticationScanRule |
| ✅ PR#4752 | 10106 | HTTP Only Site | HttpOnlySiteScanRule |
| ✅ zaproxy/zap-extensions#5291 | 10107 | Httpoxy - Proxy Header Misuse - AB | HttPoxyScanRule |
| ✅ zaproxy/zap-extensions#5261 | 10108 | Reverse Tabnabbing - P | LinkTargetScanRule |
| ✅ zaproxy/zap-extensions#5261 | 10109 | Modern Web Application - P | ModernAppDetectionScanRule |
| ✅ | 10110 | Dangerous JS Functions | JsFunctionScanRule |
| ✅ zaproxy/zap-extensions#5261 | 10202 | Absence of Anti-CSRF Tokens - P | CsrfCountermeasuresScanRule |
| ✅ zaproxy/zap-extensions#5291 | 20012 | Anti-CSRF Tokens Check - AB | CsrfTokenScanRule |
| ✅ zaproxy/zap-extensions#5291 | 20014 | HTTP Parameter Pollution - AB | HttpParameterPollutionScanRule |
| ✅ zaproxy/zap-extensions#5181 | 20015 | Heartbleed OpenSSL Vulnerability | HeartBleedActiveScanRule |
| ✅ zaproxy/zap-extensions#5291 | 20016 | Cross-Domain Misconfiguration - AB | CrossDomainScanRule |
| ✅ zaproxy/zap-extensions#5335 | 20017 | Source Code Disclosure - CVE-2012-1823 - A | SourceCodeDisclosureCve20121823ScanRule |
| ✅ zaproxy/zap-extensions#5335 | 20018 | Remote Code Execution - CVE-2012-1823 - A | RemoteCodeExecutionCve20121823ScanRule |
| ✅ | 20019 | External Redirect | ExternalRedirectScanRule |
| ✅ | 30001 | Buffer Overflow | BufferOverflowScanRule |
| ✅ PR#4623 | 30002 | Format String Error | FormatStringScanRule |
| ✅ zaproxy/zap-extensions#5329 | 30003 | Integer Overflow Error - AB | IntegerOverflowScanRule |
| ✅ zaproxy/zap-extensions#5181 | 40003 | CRLF Injection | CrlfInjectionScanRule |
| ✅ PR#4624 | 40008 | Parameter Tampering | ParameterTamperScanRule |
| ✅ zaproxy/zap-extensions#5335 | 40009 | Server Side Include - A | ServerSideIncludeScanRule |
| ✅ zaproxy/zap-extensions#5335 | 40012 | Cross Site Scripting (Reflected) - A | CrossSiteScriptingScanRule |
| ❌ | 40013 | Session Fixation - AB | SessionFixationScanRule |
| PR#5660 | 40014 | Cross Site Scripting (Persistent) - A | PersistentXssScanRule |
| ❌ | 40015 | LDAP Injection - AA | LdapInjectionScanRule |
| 🚫 N/A | 40016 | Cross Site Scripting (Persistent) - Prime - A | PersistentXssPrimeScanRule |
| 🚫 N/A | 40017 | Cross Site Scripting (Persistent) - Spider - A | PersistentXssSpiderScanRule |
| ❌ | 40018 | SQL Injection - A | SqlInjectionScanRule |
| ❌ | 40019 | SQL Injection - MySQL - A | SqlInjectionMySqlScanRule |
| ❌ | 40020 | SQL Injection - Hypersonic SQL - A | SqlInjectionHypersonicScanRule |
| ❌ | 40021 | SQL Injection - Oracle - A | SqlInjectionOracleScanRule |
| ❌ | 40022 | SQL Injection - PostgreSQL - A | SqlInjectionPostgreScanRule |
| ❌ | 40023 | Possible Username Enumeration - AB | UsernameEnumerationScanRule |
| ❌ | 40024 | SQL Injection - SQLite - A | SqlInjectionSqLiteScanRule |
| 🚧 @kingthorin | 40025 | Proxy Disclosure - AB | ProxyDisclosureScanRule |
| ❌ | 40027 | SQL Injection - MsSQL - A | SqlInjectionMsSqlScanRule |
| ✅ zaproxy/zap-extensions#5181 | 40028 | ELMAH Information Leak | ElmahScanRule |
| ✅ zaproxy/zap-extensions#5181 | 40029 | Trace.axd Information Leak | TraceAxdScanRule |
| ✅ zaproxy/zap-extensions#5181 | 40032 | .htaccess Information Leak | HtAccessScanRule |
| ❌ | 40033 | NoSQL Injection - MongoDB - AA | MongoDbInjectionScanRule |
| ✅ zaproxy/zap-extensions#5181 | 40034 | .env Information Leak | EnvFileScanRule |
| ✅ | 40035 | Hidden File Finder | HiddenFilesScanRule |
| ✅ | 40038 | Bypassing 403 | ForbiddenBypassScanRule |
| ❌ | 40039 | Web Cache Deception - AA | WebCacheDeceptionScanRule |
| ✅ | 40040 | CORS Header | CorsScanRule |
| ✅ PR#5661 | 40042 | Spring Actuator Information Leak - A | SpringActuatorScanRule |
| ✅ | 40043 | Log4Shell | Log4ShellScanRule |
| ✅ | 40044 | Exponential Entity Expansion (Billion Laughs Attack) | ExponentialEntityExpansionScanRule |
| ✅ | 40045 | Spring4Shell | Spring4ShellScanRule |
| ✅ PR#5688 | 90001 | Insecure JSF ViewState - P | InsecureJsfViewStatePassiveScanRule |
| ✅ zaproxy/zap-extensions#4540 | 90002 | Java Serialization Object | JsoScanRule |
| ✅ zaproxy/zap-extensions#4540 | 90003 | Sub Resource Integrity Attribute Missing | SubResourceIntegrityAttributeScanRule |
| ✅ zaproxy/zap-extensions#4502 | 90004 | Insufficient Site Isolation Against Spectre Vulnerability | SiteIsolationScanRule |
| 🚧 @kingthorin | 90011 | Charset Mismatch - P | CharsetMismatchScanRule |
| ✅ zaproxy/zap-extensions#5706 | 90017 | XSLT Injection - A | XsltInjectionScanRule |
| ✅ | 90019 | Server Side Code Injection | CodeInjectionScanRule |
| ✅ zaproxy/zap-extensions#5181 | 90020 | Remote OS Command Injection | CommandInjectionScanRule |
| ✅ zaproxy/zap-extensions#5706 | 90021 | XPath Injection - A | XpathInjectionScanRule |
| ✅ | 90022 | Application Error Disclosure | ApplicationErrorScanRule |
| 🚧 zaproxy/zap-extensions#5760 | 90023 | XML External Entity Attack - A | XxeScanRule |
| ✅ zaproxy/zap-extensions#5181 | 90024 | Generic Padding Oracle | PaddingOracleScanRule |
| ✅ zaproxy/zap-extensions#5626 | 90025 | Expression Language Injection - AB | ExpressionLanguageInjectionScanRule |
| ✅ zaproxy/zap-extensions#5626 | 90027 | Cookie Slack Detector - AB | SlackerCookieScanRule |
| ❌ | 90028 | Insecure HTTP Method - AB | InsecureHttpMethodScanRule |
| ✅ PR#4825 | 90033 | Loosely Scoped Cookie | CookieLooselyScopedScanRule |
| ✅ | 90034 | Cloud Metadata Potentially Exposed | CloudMetadataScanRule |
| ✅ zaproxy/zap-extensions#5499 | 90035 | Server Side Template Injection - A | SstiScanRule |
| ✅ zaproxy/zap-extensions#5499 | 90036 | Server Side Template Injection (Blind) - A | SstiBlindScanRule |
Is this going to be added to core and subsequently implemented/overridden by scan rules?
Yeah, latest plan is to change the core interfaces, but I'll aim to implement the method for the rules in the first comment and we can see how well it works. The script already uses introspection so it should be able to cope without the core changes. We can add a new 'ScanRule' interface with just this method (?) to the core then the other interfaces can extend it.
Sounds good.
One thing to keep in mind: some i18n messages require replacements/insertions (I dunno what the proper term is). So dummy values will have to be passed for those. (The whole `some.key=Some interesting message about {0}` type thing 😉 )
Yeah - that's what I meant by the i18n part - in case we need to introduce new more generic strings.
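As an added illustration of the proposal (stand-alone Java written for this note, not ZAP's own code), the block below shows a rule that raises several distinct alerts and therefore returns one example per variant, an i18n pattern whose `{0}`/`{1}` insertions are filled with dummy values, and a reflection lookup that mirrors how the generator script introspects for the method while tolerating rules that do not provide it yet. The `Alert` record, the `ExampleAlertProvider` interface name, the message keys and the message texts are assumptions made for the example; the plugin ID 10020 and the example.com URL come from the issue.

```java
import java.lang.reflect.Method;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;

public class ExampleAlertsDemo {

    // Simplified stand-in for ZAP's Alert (an assumption for this example, not the real class):
    // only the fields that the generated alert pages display.
    public record Alert(int pluginId, String name, int risk, String description,
                        String solution, String reference, String uri) {}

    // The common method proposed in the issue; in ZAP it would live on a core scan rule interface.
    public interface ExampleAlertProvider {
        List<Alert> getExampleAlerts();
    }

    // Constructed i18n table standing in for an add-on's Messages.properties.
    // Values are MessageFormat patterns, so placeholders like {0} need dummy arguments.
    static final Map<String, String> MESSAGES = Map.of(
            "pscanrules.example.name", "Anti-clickjacking Header",
            "pscanrules.example.missing.desc", "The response does not include a {0} header.",
            "pscanrules.example.multiple.desc", "The response includes {0} {1} headers.",
            "pscanrules.example.soln", "Ensure a single, valid {0} header is returned.",
            "pscanrules.example.refs", "https://www.example.com/docs/clickjacking");

    static String msg(String key, Object... args) {
        String pattern = MESSAGES.get(key);
        if (pattern == null) {
            throw new IllegalArgumentException("missing i18n key: " + key);
        }
        return MessageFormat.format(pattern, args);
    }

    // A rule that can raise several distinct alerts returns one example per variant,
    // which is what the generator needs to render a page that is not mostly blank.
    public static class MultiAlertExampleRule implements ExampleAlertProvider {
        static final int PLUGIN_ID = 10020;   // taken from the issue's table
        static final int RISK_MEDIUM = 2;     // ZAP's Alert.RISK_MEDIUM value
        static final String EXAMPLE_URL = "https://www.example.com"; // as the issue suggests

        private Alert example(String descKey, Object... descArgs) {
            return new Alert(
                    PLUGIN_ID,
                    msg("pscanrules.example.name"),
                    RISK_MEDIUM,
                    msg(descKey, descArgs),
                    msg("pscanrules.example.soln", "X-Frame-Options"),
                    msg("pscanrules.example.refs"),
                    EXAMPLE_URL);
        }

        @Override
        public List<Alert> getExampleAlerts() {
            List<Alert> alerts = new ArrayList<>();
            // Dummy values fill the {0}/{1} insertions, as the thread points out is needed.
            alerts.add(example("pscanrules.example.missing.desc", "X-Frame-Options"));
            alerts.add(example("pscanrules.example.multiple.desc", 2, "X-Frame-Options"));
            return alerts;
        }
    }

    // A rule that has not implemented the method yet.
    public static class LegacyRule {}

    // Mirrors what the page generator does via introspection: look the method up by name
    // and tolerate rules that do not provide it, so the generator never fails on a legacy rule.
    static List<Alert> collectExampleAlerts(Object rule) {
        try {
            Method m = rule.getClass().getMethod("getExampleAlerts");
            @SuppressWarnings("unchecked")
            List<Alert> alerts = (List<Alert>) m.invoke(rule);
            return alerts == null ? Collections.emptyList() : alerts;
        } catch (NoSuchMethodException e) {
            return Collections.emptyList();
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException(
                    "getExampleAlerts() failed for " + rule.getClass().getSimpleName(), e);
        }
    }

    public static void main(String[] args) {
        for (Object rule : List.of(new MultiAlertExampleRule(), new LegacyRule())) {
            List<Alert> alerts = collectExampleAlerts(rule);
            System.out.println(rule.getClass().getSimpleName() + ": " + alerts.size() + " example alert(s)");
            for (Alert a : alerts) {
                System.out.println("  [" + a.pluginId() + "] " + a.name() + " (risk " + a.risk() + ")");
                System.out.println("    " + a.description());
                System.out.println("    " + a.uri());
            }
        }
    }
}
```

Running `main` prints two example alerts for the multi-alert rule and zero for the legacy rule, which is the behaviour the generator needs while rules are migrated one by one: pages for migrated rules fill in, and the script keeps working for the rest.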
Example of what one of the rules which raises multiple alerts would look like.
Currently it's mostly blank :/ https://www.zaproxy.org/docs/alerts/10020/

Note: zaproxy/zaproxy#7100 may as well be tackled at the same time.
Updated, seems PII was the only one missed.
On all those that remain to be done at this point I've added initials to clarify things a bit.
A - ascanrules
AB - ascanrulesBeta
AA - ascanrulesAlpha
P - pscanrules
PB - pscanrulesBeta
PA - pscanrulesAlpha
Hello! I'm looking to work on this issue with a friend of mine. We are trying to get into some repository on OWASP and this one is one of the most engaged, but we don't understand a lot of the field, and we confess we are a little bit lost on this. How could we start to work on it?
I'd suggest having a look at some of the PRs that have already contributed to this (see links/refs above). Then look at the rules that have work outstanding (there's a table above, anything with a ❌ still needs work). Let us know which few you think you can tackle and we'll block them off for you. (I'd definitely suggest tackling singles or a small batch for your first contribution.)
Alright, I'm going to study and see what I can do. Thanks!
Please be sure to let us know if you decide to tackle some, so that we can ensure to mark them and not end up with people tackling overlapping work :wink:
Hey @kingthorin, sorry for keeping you waiting. I decided I'm going to try to tackle "PersistentXssScanRule"
Hello guys, would love to tackle this issue. Would you guys say any of the SQL Injection alerts are good for a first contribution on this issue?
Thought you were tackling "PersistentXssScanRule".
I haven't reviewed the SQLi rules recently.
@kingthorin I think you are confusing me with @iagoscm. I'm new to this issue.
Oops sorry, you’re right.
@kingthorin I'll try to tackle SpringActuatorScanRule, could you assign it to me?