ascanrules: Add more example alerts
- CHANGELOG > Add notes.
- Scan rules > Add example alert functionality (6119).
- Unit tests > Assert the new example alerts.

Signed-off-by: kingthorin <[email protected]>
kingthorin committed Mar 4, 2024
1 parent 9a28727 commit a39d7cb
Showing 9 changed files with 139 additions and 36 deletions.
7 changes: 6 additions & 1 deletion addOns/ascanrules/CHANGELOG.md
Expand Up @@ -4,7 +4,12 @@ All notable changes to this add-on will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased

### Changed
- The following scan rules now include example alert functionality for documentation generation purposes (Issue 6119):
- Source Code Disclosure - CVE-2012-1823
- Remote Code Execution - CVE-2012-1823
- Server Side Include
- Cross Site Scripting (Reflected)

## [63] - 2024-02-12
### Changed
Expand Up @@ -1018,6 +1018,18 @@ public int getWascId() {
return 8;
}

@Override
public List<Alert> getExampleAlerts() {
String attack = "</p><scrIpt>alert`1`;</scRipt><p>";
return List.of(
newAlert()
.setConfidence(Alert.CONFIDENCE_MEDIUM)
.setParam("name")
.setAttack(attack)
.setEvidence(attack)
.build());
}

private static class Mutation {
private char original;
private char mutation;
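Review bot: getExampleAlerts builds its alert inline, whereas the other three rules in this commit route both the raising path and the example through a private `buildAlert(...)` helper, so here the example can drift from what the rule actually raises if the fields set in the scan path ever change. If the raising code (outside this hunk) sets the same confidence/param/attack/evidence, extract `private AlertBuilder buildAlert(String param, String attack, String evidence)` and have both call it. A one-line Javadoc on getExampleAlerts saying the alert is a static documentation sample would also help a reader who wonders why the payload is hard-coded.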
Expand Up @@ -20,6 +20,7 @@
package org.zaproxy.zap.extension.ascanrules;

import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.httpclient.URI;
import org.apache.commons.httpclient.URIException;
Expand Down Expand Up @@ -168,20 +169,7 @@ private boolean scan(URI originalURI, URI attackURI, String payload) {
&& responseBody.startsWith(RANDOM_STRING)) {
LOGGER.debug("Remote Code Execution alert for: {}", originalURI);

// bingo.
newAlert()
.setConfidence(Alert.CONFIDENCE_MEDIUM)
.setDescription(
Constant.messages.getString(
"ascanrules.remotecodeexecution.cve-2012-1823.desc"))
.setAttack(payload)
.setOtherInfo(responseBody)
.setSolution(
Constant.messages.getString(
"ascanrules.remotecodeexecution.cve-2012-1823.soln"))
.setEvidence(responseBody)
.setMessage(attackmsg)
.raise();
buildAlert(payload, responseBody).setMessage(attackmsg).raise();
return true;
}
} catch (Exception e) {
Expand All @@ -193,6 +181,19 @@ private boolean scan(URI originalURI, URI attackURI, String payload) {
return false;
}

private AlertBuilder buildAlert(String payload, String evidence) {
return newAlert()
.setConfidence(Alert.CONFIDENCE_MEDIUM)
.setDescription(
Constant.messages.getString(
"ascanrules.remotecodeexecution.cve-2012-1823.desc"))
.setAttack(payload)
.setSolution(
Constant.messages.getString(
"ascanrules.remotecodeexecution.cve-2012-1823.soln"))
.setEvidence(evidence);
}

private static URI createAttackUri(URI originalURI, String attackParam) {
StringBuilder strBuilder = new StringBuilder();
strBuilder
Expand Down Expand Up @@ -230,4 +231,13 @@ public int getWascId() {
public Map<String, String> getAlertTags() {
return ALERT_TAGS;
}

@Override
public List<Alert> getExampleAlerts() {
return List.of(
buildAlert(
"<?php exec('cmd.exe /C echo mt9slj64g5yyp4yzkyqr',$colm);echo join(\"\n\",$colm);die();?>",
"mt9slj64g5yyp4yzkyqr<html><body>X Y Z</body></html>")
.build());
}
}
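Review bot: buildAlert drops the `.setOtherInfo(responseBody)` that the replaced inline code set alongside `.setEvidence(responseBody)`, so raised alerts now carry the response body only as evidence; the Nix test's getOtherInfo assertion was removed to match, yet the CHANGELOG entry describes this commit as adding example alerts only. If the drop is intentional de-duplication, say so in the CHANGELOG and commit description; otherwise restore it with `.setOtherInfo(evidence)` in the helper. The scan() method whose inline code the helper replaces starts outside the hunk.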
Expand Up @@ -30,6 +30,7 @@
package org.zaproxy.zap.extension.ascanrules;

import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.logging.log4j.LogManager;
Expand Down Expand Up @@ -161,13 +162,7 @@ private boolean testServerSideInclude(String parameter, String value, Pattern te

StringBuilder evidence = new StringBuilder();
if (matchBodyPattern(message, testEvidence, evidence)) {
newAlert()
.setConfidence(Alert.CONFIDENCE_MEDIUM)
.setParam(parameter)
.setAttack(value)
.setEvidence(evidence.toString())
.setMessage(message)
.raise();
buildAlert(parameter, value, evidence.toString()).setMessage(message).raise();
return true;
}
} catch (IOException e) {
Expand All @@ -184,6 +179,14 @@ private boolean testServerSideInclude(String parameter, String value, Pattern te
return false;
}

private AlertBuilder buildAlert(String param, String attack, String evidence) {
return newAlert()
.setConfidence(Alert.CONFIDENCE_MEDIUM)
.setParam(param)
.setAttack(attack)
.setEvidence(evidence);
}

@Override
public int getRisk() {
return Alert.RISK_HIGH;
Expand All @@ -203,4 +206,9 @@ public int getCweId() {
public int getWascId() {
return 31;
}

@Override
public List<Alert> getExampleAlerts() {
return List.of(buildAlert("profile", SSI_UNIX, patternSSIUnix.toString()).build());
}
}
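Review bot: The example alert's evidence is `patternSSIUnix.toString()`, i.e. the regex source, whereas testServerSideInclude raises with the text that `matchBodyPattern` actually matched in the response; a pattern string is not something a real response body would contain, so generated documentation would show a misleading evidence sample. Prefer a literal the pattern would match, e.g. `buildAlert("profile", SSI_UNIX, "<constructed sample that patternSSIUnix matches>")` — the pattern's definition is not in this hunk, so take the sample from an existing test response. The new buildAlert helper would also benefit from a one-line Javadoc stating that it fixes confidence at MEDIUM and is shared by the scan path and the example.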
Expand Up @@ -20,6 +20,7 @@
package org.zaproxy.zap.extension.ascanrules;

import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
Expand Down Expand Up @@ -169,18 +170,7 @@ public void scan() {
sourceCode = matcher2.group(1);
}

// bingo.
newAlert()
.setConfidence(Alert.CONFIDENCE_MEDIUM)
.setDescription(
Constant.messages.getString(
"ascanrules.sourcecodedisclosurecve-2012-1823.desc"))
.setOtherInfo(sourceCode)
.setSolution(
Constant.messages.getString(
"ascanrules.sourcecodedisclosurecve-2012-1823.soln"))
.setMessage(attackmsg)
.raise();
buildAlert(sourceCode).setMessage(attackmsg).raise();
}
}
} catch (Exception e) {
Expand All @@ -191,6 +181,18 @@ public void scan() {
}
}

private AlertBuilder buildAlert(String otherInfo) {
return newAlert()
.setConfidence(Alert.CONFIDENCE_MEDIUM)
.setDescription(
Constant.messages.getString(
"ascanrules.sourcecodedisclosurecve-2012-1823.desc"))
.setOtherInfo(otherInfo)
.setSolution(
Constant.messages.getString(
"ascanrules.sourcecodedisclosurecve-2012-1823.soln"));
}

private static URI createAttackUri(URI originalURI, String attackParam) {
StringBuilder strBuilder = new StringBuilder();
strBuilder
Expand Down Expand Up @@ -228,4 +230,9 @@ public int getWascId() {
public Map<String, String> getAlertTags() {
return ALERT_TAGS;
}

@Override
public List<Alert> getExampleAlerts() {
return List.of(buildAlert("<?php $x=0; echo '<h1>Welcome!</h1>'; ?>").build());
}
}
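Review bot: buildAlert sets description, otherInfo and solution but neither evidence nor attack, so the example alert (and every raised alert) documents a source-code disclosure with an empty Evidence field; the replaced inline code had the same gap, so this is pre-existing, but the shared helper is now the natural place to address it. If the disclosed source is acceptable as evidence, add `.setEvidence(otherInfo)`; if it is deliberately kept to Other Info because it can be long, document that choice with `/** Builds the disclosure alert; {@code otherInfo} carries the source code extracted from the response body, evidence is intentionally left unset. */`. The scan() method whose inline code this replaces starts outside the hunk.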
Expand Up @@ -34,6 +34,7 @@
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.file.Path;
import java.util.List;
import java.util.Map;
import java.util.TreeSet;
import org.apache.commons.lang3.StringUtils;
Expand Down Expand Up @@ -93,6 +94,20 @@ void shouldReturnExpectedMappings() {
is(equalTo(CommonAlertTag.WSTG_V42_INPV_01_REFLECTED_XSS.getValue())));
}

@Test
void shouldHaveExpectedExampleAlert() {
// Given / When
List<Alert> alerts = rule.getExampleAlerts();
// Then
assertThat(alerts.size(), is(equalTo(1)));
}

@Test
@Override
public void shouldHaveValidReferences() {
super.shouldHaveValidReferences();
}

@Test
void shouldReportXssInParagraph() throws NullPointerException, IOException {
String test = "/shouldReportXssInParagraph/";
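Review bot: shouldHaveExpectedExampleAlert only checks `alerts.size()`, so a regression in the example's content (wrong confidence, empty attack or evidence) would still pass; the same count-only pattern is used in the three test sections below, and the fix applies to each. Add at least one field assertion, e.g. `assertThat(alerts.get(0).getConfidence(), is(equalTo(Alert.CONFIDENCE_MEDIUM)));` and, for this rule, `assertThat(alerts.get(0).getParam(), is(equalTo("name")));`. Alert and the Hamcrest matchers are already in scope here, since the test declares `List<Alert>` and uses `is(equalTo(...))` a few lines above.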
Expand Up @@ -27,6 +27,7 @@

import fi.iki.elonen.NanoHTTPD.IHTTPSession;
import fi.iki.elonen.NanoHTTPD.Response;
import java.util.List;
import java.util.Map;
import org.junit.jupiter.api.Test;
import org.parosproxy.paros.core.scanner.Alert;
Expand Down Expand Up @@ -179,9 +180,10 @@ void shouldAlertIfWindowsAttackWasSuccessful() throws Exception {
"<?php exec('cmd.exe /C echo "
+ RemoteCodeExecutionCve20121823ScanRule.RANDOM_STRING
+ "',$colm);echo join(\"\n\",$colm);die();?>")));
System.out.println(alertsRaised.get(0).getAttack());
System.out.println("**" + body);
assertThat(alertsRaised.get(0).getRisk(), is(equalTo(Alert.RISK_HIGH)));
assertThat(alertsRaised.get(0).getConfidence(), is(equalTo(Alert.CONFIDENCE_MEDIUM)));
assertThat(alertsRaised.get(0).getOtherInfo(), is(equalTo(body)));
}

@Test
Expand Down Expand Up @@ -227,7 +229,6 @@ void shouldAlertIfNixAttackWasSuccessful() throws Exception {
+ "',$colm);echo join(\"\n\",$colm);die();?>")));
assertThat(alertsRaised.get(0).getRisk(), is(equalTo(Alert.RISK_HIGH)));
assertThat(alertsRaised.get(0).getConfidence(), is(equalTo(Alert.CONFIDENCE_MEDIUM)));
assertThat(alertsRaised.get(0).getOtherInfo(), is(equalTo(body)));
}

@Test
Expand Down Expand Up @@ -280,6 +281,20 @@ void shouldReturnExpectedMappings() {
is(equalTo(CommonAlertTag.WSTG_V42_INPV_12_COMMAND_INJ.getValue())));
}

@Test
void shouldHaveExpectedExampleAlert() {
// Given / When
List<Alert> alerts = rule.getExampleAlerts();
// Then
assertThat(alerts.size(), is(equalTo(1)));
}

@Test
@Override
public void shouldHaveValidReferences() {
super.shouldHaveValidReferences();
}

private abstract static class RceResponse extends NanoServerHandler {

private final String body;
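Review bot: Two debug prints were left in shouldAlertIfWindowsAttackWasSuccessful — `System.out.println(alertsRaised.get(0).getAttack());` and `System.out.println("**" + body);` — which add noise to the test output and look like leftovers from diagnosing the removed getOtherInfo assertion; delete both. The Nix test in the next hunk has the matching assertion removal without the prints, which is the shape this method should have too. The method's start lies outside the hunk.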
Expand Up @@ -23,8 +23,10 @@
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.is;

import java.util.List;
import java.util.Map;
import org.junit.jupiter.api.Test;
import org.parosproxy.paros.core.scanner.Alert;
import org.zaproxy.addon.commonlib.CommonAlertTag;
import org.zaproxy.zap.model.Tech;
import org.zaproxy.zap.model.TechSet;
Expand Down Expand Up @@ -106,4 +108,18 @@ void shouldNotTargetNonLinuxMacOsWindowsTechs() {
// Then
assertThat(targets, is(equalTo(false)));
}

@Test
void shouldHaveExpectedExampleAlert() {
// Given / When
List<Alert> alerts = rule.getExampleAlerts();
// Then
assertThat(alerts.size(), is(equalTo(1)));
}

@Test
@Override
public void shouldHaveValidReferences() {
super.shouldHaveValidReferences();
}
}
Expand Up @@ -27,6 +27,7 @@

import fi.iki.elonen.NanoHTTPD.IHTTPSession;
import fi.iki.elonen.NanoHTTPD.Response;
import java.util.List;
import java.util.Map;
import org.apache.commons.text.StringEscapeUtils;
import org.junit.jupiter.api.Test;
Expand Down Expand Up @@ -390,6 +391,20 @@ void shouldReturnExpectedMappings() {
is(equalTo(CommonAlertTag.OWASP_2017_A09_VULN_COMP.getValue())));
}

@Test
void shouldHaveExpectedExampleAlert() {
// Given / When
List<Alert> alerts = rule.getExampleAlerts();
// Then
assertThat(alerts.size(), is(equalTo(1)));
}

@Test
@Override
public void shouldHaveValidReferences() {
super.shouldHaveValidReferences();
}

private HttpMessage httpMessage404NotFound() throws Exception {
HttpMessage message = getHttpMessage("/");
message.setResponseHeader(RESPONSE_HEADER_404_NOT_FOUND);
