Merge pull request #5329 from kingthorin/ab-examples
ascanrulesBeta: Add more example alerts
psiinon authored Mar 4, 2024
2 parents fb03796 + 5320bae commit 9a28727
Showing 6 changed files with 89 additions and 14 deletions.
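--- a/addOns/ascanrulesBeta/CHANGELOG.md
+++ b/addOns/ascanrulesBeta/CHANGELOG.md
@@ -8,6 +8,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Updated reference for scan rule: Possible Username Enumeration (Issue 8262)
 - Cookie Slack Detector scan rule now has a more specific CWE.
 - Possible Username Enumeration scan rule now includes CWE-204 as a reference link.
+- The following scan rules now include example alert functionality for documentation generation purposes (Issue 6119):
+- Relative Path Confusion
+- Integer Overflow Error
+
+### Removed
+- Removed HTTP only reference for scan rule: Integer Overflow Error (Issue 8262)
 
 ## [51] - 2024-02-16
 ### Changed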
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
package org.zaproxy.zap.extension.ascanrulesBeta;

import java.io.IOException;
import java.util.List;
import java.util.Map;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
Expand Down Expand Up @@ -205,13 +206,12 @@ private boolean attackVector(String param, char type, String returnAttack) {
sendAndReceive(msg);
if (isPage500(msg)) {
LOGGER.debug("Found Header");
newAlert()
.setConfidence(Alert.CONFIDENCE_MEDIUM)
.setUri(this.getBaseMsg().getRequestHeader().getURI().toString())
.setParam(param)
.setAttack(returnAttack)
.setOtherInfo(this.getError(type))
.setEvidence(msg.getResponseHeader().getPrimeHeader())
buildAlert(
getBaseMsg().getRequestHeader().getURI().toString(),
param,
returnAttack,
type,
msg.getResponseHeader().getPrimeHeader())
.setMessage(msg)
.raise();
return true;
Expand All @@ -221,4 +221,27 @@ private boolean attackVector(String param, char type, String returnAttack) {
}
return false;
}

@Override
public List<Alert> getExampleAlerts() {
return List.of(
buildAlert(
"https://example.com/?years=1",
"years",
"95697568703220167658153205694899573480013738",
'1',
"HTTP/1.1 500 Internal Server Error")
.build());
}

private AlertBuilder buildAlert(
String url, String param, String attack, char type, String evidence) {
return newAlert()
.setConfidence(Alert.CONFIDENCE_MEDIUM)
.setUri(url)
.setParam(param)
.setAttack(attack)
.setOtherInfo(this.getError(type))
.setEvidence(evidence);
}
}
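Review bot: The new private `buildAlert` helper at the end of the file is now the single place where both the live alert raised from `attackVector` and the documentation example from `getExampleAlerts` are assembled, yet it carries no Javadoc saying so or explaining what the `type` char selects, which is exactly the contract a later edit to one call site needs to know about. A one-liner keeps the two callers from drifting: `/** Builds the alert shared by attackVector() and getExampleAlerts(); type selects the ascanbeta.integeroverflow.errorN message via getError(). */`. The `'1'` passed from `getExampleAlerts` presumably resolves to the `error1` message (only `error2`–`error4` are visible in the Messages.properties hunk), which is worth confirming against `getError`, defined outside this hunk. Minor style: `this.getError(type)` could drop the `this.` to match the unqualified `getBaseMsg()` used at the call site. `attackVector` begins before the first hunk shown here.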
Original file line number Diff line number Diff line change
Expand Up @@ -617,13 +617,8 @@ public void scan() {
MESSAGE_PREFIX + "extrainfo.nocontenttype");
}

// alert it..
newAlert()
.setConfidence(Alert.CONFIDENCE_MEDIUM)
buildAlert(hackedUri.toString(), extraInfo, relativeReferenceEvidence)
.setUri(getBaseMsg().getRequestHeader().getURI().toString())
.setAttack(hackedUri.toString())
.setOtherInfo(extraInfo)
.setEvidence(relativeReferenceEvidence)
.setMessage(hackedMessage)
.raise();

Expand All @@ -642,6 +637,14 @@ public void scan() {
}
}

private AlertBuilder buildAlert(String attack, String otherInfo, String evidence) {
return newAlert()
.setConfidence(Alert.CONFIDENCE_MEDIUM)
.setAttack(attack)
.setOtherInfo(otherInfo)
.setEvidence(evidence);
}

@Override
public int getRisk() {
return Alert.RISK_MEDIUM; // Medium or High? We'll see what the community consensus is..
Expand All @@ -661,4 +664,15 @@ public int getWascId() {
public Map<String, String> getAlertTags() {
return ALERT_TAGS;
}

@Override
public List<Alert> getExampleAlerts() {
return List.of(
buildAlert(
"https://example.com/profile/ybpsv/bqmmn/?foo=bar",
Constant.messages.getString(
MESSAGE_PREFIX + "extrainfo.nocontenttype"),
"background: url(image.png)")
.build());
}
}
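Review bot: The example alert built in `getExampleAlerts` never sets a URI, whereas the live path in `scan()` chains `.setUri(getBaseMsg().getRequestHeader().getURI().toString())` onto the same `buildAlert` result, so the generated documentation for this rule will presumably show an example without the URI that the sibling Integer Overflow example does include. Either add `.setUri("https://example.com/profile/ybpsv/bqmmn/")` before `.build()` in the example, or fold the URI into `buildAlert` as the Integer Overflow helper does so both callers are forced to supply it. A short Javadoc on `buildAlert` stating what the caller still owns would also help, e.g. `/** Alert skeleton shared by scan() and getExampleAlerts(); the caller sets the URI and, for live alerts, the message. */`. `scan()` begins and ends outside the hunks shown here.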
Original file line number Diff line number Diff line change
Expand Up @@ -114,7 +114,7 @@ ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code chan
ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones.
ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines.
ascanbeta.integeroverflow.name = Integer Overflow Error
ascanbeta.integeroverflow.refs = https://en.wikipedia.org/wiki/Integer_overflow\nhttps://cwe.mitre.org/data/definitions/190.html\nhttp://projects.webappsec.org/w/page/13246946/Integer%20Overflows
ascanbeta.integeroverflow.refs = https://en.wikipedia.org/wiki/Integer_overflow\nhttps://cwe.mitre.org/data/definitions/190.html
ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable.

ascanbeta.name = Active Scan Rules - beta
Original file line number Diff line number Diff line change
Expand Up @@ -27,8 +27,10 @@
import static org.hamcrest.Matchers.not;

import fi.iki.elonen.NanoHTTPD;
import java.util.List;
import java.util.Map;
import org.junit.jupiter.api.Test;
import org.parosproxy.paros.core.scanner.Alert;
import org.parosproxy.paros.network.HttpMessage;
import org.zaproxy.addon.commonlib.CommonAlertTag;
import org.zaproxy.zap.model.Tech;
Expand Down Expand Up @@ -157,4 +159,18 @@ void shouldReturnExpectedMappings() {
tags.get(CommonAlertTag.OWASP_2017_A01_INJECTION.getTag()),
is(equalTo(CommonAlertTag.OWASP_2017_A01_INJECTION.getValue())));
}

@Test
void shouldHaveExpectedExampleAlert() {
// Given / When
List<Alert> alerts = rule.getExampleAlerts();
// Then
assertThat(alerts.size(), is(equalTo(1)));
}

@Test
@Override
public void shouldHaveValidReferences() {
super.shouldHaveValidReferences();
}
}
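Review bot: `shouldHaveExpectedExampleAlert` only checks that one example alert exists, so a regression in the rule's `buildAlert` (swapped attack/evidence arguments, a dropped confidence) would still pass; pin the fields the example is meant to document, e.g. `Alert alert = alerts.get(0); assertThat(alert.getParam(), is(equalTo("years"))); assertThat(alert.getConfidence(), is(equalTo(Alert.CONFIDENCE_MEDIUM)));`, assuming `Alert` exposes those getters as it does elsewhere in ZAP. The `shouldHaveValidReferences` override appears to exist only to enable the inherited reference check for this rule now that its references are all HTTPS; a comment saying so, `// Enables the inherited reference check now that the HTTP-only link was removed`, would stop the next reader from treating a body that only calls `super` as dead code.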
Original file line number Diff line number Diff line change
Expand Up @@ -23,8 +23,10 @@
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.is;

import java.util.List;
import java.util.Map;
import org.junit.jupiter.api.Test;
import org.parosproxy.paros.core.scanner.Alert;
import org.zaproxy.addon.commonlib.CommonAlertTag;

class RelativePathConfusionScanRuleUnitTest
Expand Down Expand Up @@ -58,4 +60,18 @@ void shouldReturnExpectedMappings() {
tags.get(CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG.getTag()),
is(equalTo(CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG.getValue())));
}

@Test
void shouldHaveExpectedExampleAlert() {
// Given / When
List<Alert> alerts = rule.getExampleAlerts();
// Then
assertThat(alerts.size(), is(equalTo(1)));
}

@Test
@Override
public void shouldHaveValidReferences() {
super.shouldHaveValidReferences();
}
}
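Review bot: `shouldHaveExpectedExampleAlert` asserts only `alerts.size()`, so the attack and evidence strings that the example is meant to document are never verified and a typo in `getExampleAlerts` would ship silently; assert at least those two, e.g. `Alert alert = alerts.get(0); assertThat(alert.getAttack(), is(equalTo("https://example.com/profile/ybpsv/bqmmn/?foo=bar"))); assertThat(alert.getEvidence(), is(equalTo("background: url(image.png)")));`. Asserting the URI here would also have caught that the example alert in this rule, unlike the live alert in `scan()`, currently sets none. The `@Test @Override` of `shouldHaveValidReferences` presumably opts this rule into the inherited check; a one-line comment stating that intent would help, since the body only delegates to `super`.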
