From 6a33a894f58221acb8ef495b4970c130ce38257b Mon Sep 17 00:00:00 2001
From: iagoscm
Date: Sun, 28 Jul 2024 15:44:00 -0300
Subject: [PATCH 1/2] ascanrules: adds buildAlert and getExampleAlerts methods

---
 .../ascanrules/PersistentXssScanRule.java | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRule.java
index 0bbd572b771..99979894600 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRule.java
@@ -680,6 +680,29 @@ public void scan(HttpMessage sourceMsg, String param, String value) {
 }
 }
 
+ @Override
+ public List getExampleAlerts() {
+ return List.of(
+ buildAlert(
+ "https://example.com/comments",
+ "comment",
+ "",
+ 'P',
+ "HTTP/1.1 500 Internal Server Error")
+ .build());
+ }
+
+ private AlertBuilder buildAlert(
+ String url, String param, String attack, char type, String evidence) {
+ return newAlert()
+ .setConfidence(Alert.CONFIDENCE_HIGH)
+ .setUri(url)
+ .setParam(param)
+ .setAttack(attack)
+ .setOtherInfo(getError(type))
+ .setEvidence(evidence);
+ }
+
 @Override
 public int getRisk() {
 return Alert.RISK_HIGH;
From fcddefe529d89981d359f877afeb24fd4bc8c16a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Pedro=20Morbeck?=
Date: Tue, 13 Aug 2024 17:12:00 -0300
Subject: [PATCH 2/2] ascanrules: adds Alert test

---
 addOns/ascanrules/CHANGELOG.md | 2 ++
 .../ascanrules/PersistentXssScanRuleUnitTest.java | 14 ++++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/addOns/ascanrules/CHANGELOG.md b/addOns/ascanrules/CHANGELOG.md
index 1c1c3534e21..fde09cb2880 100644
--- a/addOns/ascanrules/CHANGELOG.md
+++ b/addOns/ascanrules/CHANGELOG.md
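Review bot: In this hunk `buildAlert` is reached only from `getExampleAlerts`, so the documentation example is assembled on a code path separate from the alerts that `scan` raises (the body of `scan` ends just above the hunk and its alert-raising lines are not visible here); if `scan` still populates `newAlert()` with its own setters, the two will drift and the example stops matching what the rule actually reports, so consider having `scan` go through `buildAlert(...)` as well. The `char type` parameter and the `'P'` literal give no hint of their meaning at the call site, and the example pairs an empty `attack` with an HTTP status line as `evidence`, which a reader cannot interpret without the `getError` mapping. A Javadoc on the helper would close that gap, e.g. `/** Builds the common part of this rule's alert; {@code type} is passed to {@link #getError(char)} to choose the other-info text. */`. The return type renders as raw `List`; if the type argument was not merely lost in rendering, declare it `List<Alert>`.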
@@ -5,6 +5,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## Unreleased
+### Changed
+- The Cross Site Scripting rule now includes example alert functionality for documentation generation purposes (Issue 6119)
 ## [67] - 2024-07-22
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRuleUnitTest.java
index 284bf659f02..677736aeafd 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRuleUnitTest.java
@@ -24,8 +24,10 @@ import static org.hamcrest.Matchers.is;
 
 import java.util.Map;
+import java.util.List;
 import org.junit.jupiter.api.Test;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.parosproxy.paros.core.scanner.Alert;
 
 /** Unit test for {@link PersistentXssScanRule}. */
 class PersistentXssScanRuleUnitTest extends ActiveScannerTest {
 
@@ -62,4 +64,16 @@ void shouldReturnExpectedMappings() {
 tags.get(CommonAlertTag.WSTG_V42_INPV_02_STORED_XSS.getTag()),
 is(equalTo(CommonAlertTag.WSTG_V42_INPV_02_STORED_XSS.getValue())));
 }
+
+ @Test
+ void shouldHaveExpectedExampleAlert() {
+ List alerts = rule.getExampleAlerts();
+ assertThat(alerts.size(), is(equalTo(1)));
+ }
+
+ @Test
+ @Override
+ public void shouldHaveValidReferences() {
+ super.shouldHaveValidReferences();
+ }
 }
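Review bot: `shouldHaveExpectedExampleAlert` asserts only that one alert is returned, so it passes for any single alert and does not protect the hard-coded fields that `getExampleAlerts` exists to document; pin at least a couple of them, e.g. `Alert alert = alerts.get(0);` `assertThat(alert.getParam(), is(equalTo("comment")));` `assertThat(alert.getConfidence(), is(equalTo(Alert.CONFIDENCE_HIGH)));`. The `shouldHaveValidReferences` override does nothing beyond calling `super`; if it exists only so the inherited test runs for this rule, say so in a one-line comment, otherwise remove it (the base class is not visible here, so this is inferred). `List alerts` appears as a raw type; if the type argument was not lost in rendering it should be `List<Alert>`, which the new `Alert` import suggests was intended.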