zaproxy · psiinon · Sep 16, 2024 · Sep 5, 2024
diff --git a/addOns/pscanrules/CHANGELOG.md b/addOns/pscanrules/CHANGELOG.md
@@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## Unreleased
 ### Changed
 - Rename Mac OSX salted SHA-1 in the Hash Disclosure scan rule to "Salted SHA-1", reduce the associated alerts to Low risk and Low confidence, to align with other SHA related patterns it will only be evaluated a Low Threshold. (Note such matches may indicate leaks related but not limited to: MacOS X, Oracle, Tiger-192, Haval-192) (Issue 8624).
+- The Insecure JSF ViewState now includes example alert functionality for documentation generation purposes (Issue 6119).
 
 ## [60] - 2024-09-02
 ### Changed

diff --git a/...c/main/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRule.java b/...c/main/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRule.java
@@ -116,7 +116,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
                         // If the ViewState is not secured cryptographic
                         // protections then raise an alert.
                         if (!isViewStateSecure(val, msg.getRequestBody().getCharset())) {
-                            raiseAlert(msg, id, src);
+                            createAlert(src).setMessage(msg).raise();
                         }
                     }
                 }
@@ -202,17 +202,16 @@ private boolean isRawViewStateSecure(String viewState) {
         return true;
     }
 
-    private void raiseAlert(HttpMessage msg, int id, String viewState) {
-        newAlert()
+    private AlertBuilder createAlert(String viewState) {
+        return newAlert()
                 .setRisk(getRisk())
                 .setConfidence(Alert.CONFIDENCE_LOW)
                 .setDescription(getDescription())
                 .setOtherInfo(Constant.messages.getString(MESSAGE_PREFIX + "extrainfo", viewState))
                 .setSolution(getSolution())
                 .setReference(getReference())
                 .setCweId(getCweId())
-                .setWascId(getWascId())
-                .raise();
+                .setWascId(getWascId());
     }
 
     // jsf server side implementation in com.sun.faces.renderkit.ServerSideStateHelper
@@ -254,4 +253,11 @@ public int getCweId() {
     public int getWascId() {
         return 14; // WASC Id - Server Misconfiguration
     }
+
+    @Override
+    public List<Alert> getExampleAlerts() {
+        return List.of(
+                createAlert("<input type=\"hidden\" id=\"javax.faces.viewstate\" value=\"1231\"")
+                        .build());
+    }
 }
diff --git a/...ava/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRuleUnitTest.java b/...ava/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRuleUnitTest.java
@@ -27,6 +27,7 @@
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.util.Base64;
+import java.util.List;
 import java.util.Map;
 import java.util.zip.GZIPOutputStream;
 import org.apache.commons.io.IOUtils;
@@ -270,4 +271,18 @@ private void setTextHtmlResponseHeader(HttpMessage msg) throws HttpMalformedHead
                         + "Server: Apache-Coyote/1.1\r\n"
                         + "Content-Type: text/html;charset=UTF-8\r\n");
     }
+
+    @Test
+    void shouldHaveExpectedExampleAlert() {
+        // Given / When
+        List<Alert> alerts = rule.getExampleAlerts();
+        // Then
+        assertThat(alerts.size(), is(equalTo(1)));
+    }
+
+    @Test
+    @Override
+    public void shouldHaveValidReferences() {
+        super.shouldHaveValidReferences();
+    }
 }