Merge pull request #5368 from thc202/rsrcs-https
Change links to use HTTPS in resource messages
psiinon authored Mar 26, 2024
2 parents 466855f + 34451e0 commit d6e421e
Showing 10 changed files with 17 additions and 19 deletions.
3 changes: 2 additions & 1 deletion addOns/ascanrules/CHANGELOG.md
Expand Up @@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased

### Changed
- Change link to use HTTPS in other info of SQL Injection - SQLite (Issue 8262).

## [64] - 2024-03-25
### Changed
Expand Up @@ -191,7 +191,7 @@ ascanrules.sqlinjection.refs = https://cheatsheetseries.owasp.org/cheatsheets/SQ
ascanrules.sqlinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side.\nIf the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'\nIf the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.\nIf database Stored Procedures can be used, use them.\nDo *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!\nDo not create dynamic SQL queries using simple string concatenation.\nEscape all data received from the client.\nApply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters in user input.\nApply the principle of least privilege by using the least privileged database user possible.\nIn particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.\nGrant the minimum database access that is necessary for the application.
ascanrules.sqlinjection.sqlite.alert.errorbased.extrainfo = The following known SQLite error message was provoked: [{0}].
ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, parameter value [{2}], which caused the request to take [{3}] milliseconds, when the original unmodified query with value [{4}] took [{5}] milliseconds.
ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite's dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at http://www.sqlite.org/changes.html
ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite's dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https://www.sqlite.org/changes.html
ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite

ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent:\n[{1}]
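Review bot: in `ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo`, the unescaped apostrophe in "SQLite's" sits before both `[{0}]` placeholders. If this string is formatted with java.text.MessageFormat (an assumption, the formatter is not visible in this diff), a lone single quote opens a quoted section that runs to the end of the pattern, so the placeholders would be emitted literally instead of the detected version. Since the line is being edited anyway, consider "SQLite''s" or a rewording without the apostrophe, and confirm the alert renders the version number.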
3 changes: 2 additions & 1 deletion addOns/ascanrulesBeta/CHANGELOG.md
Expand Up @@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased

### Changed
- Change links to use HTTPS in other info of Insecure HTTP Method (Issue 8262).

## [52] - 2024-03-25
### Changed
Expand Up @@ -89,7 +89,7 @@ ascanbeta.httpsashttp.soln = Ensure that your web server, application server, lo
ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components.
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server.
ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource.
ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange: https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see http://www.restapitutorial.com/lessons/httpmethods.html
ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange: https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https://www.restapitutorial.com/lessons/httpmethods.html
ascanbeta.insecurehttpmethod.desc = The insecure HTTP method [{0}] is enabled on the web server for this resource. Depending on the web server configuration, and the underlying implementation responsible for serving the resource, this might or might not be exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the 'HttpOnly' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. The 'CONNECT' method can be used by a web client to create an HTTP tunnel to third party websites or services.
ascanbeta.insecurehttpmethod.detailed.name = Insecure HTTP Method - {0}
ascanbeta.insecurehttpmethod.extrainfo = The OPTIONS method disclosed the following enabled HTTP methods for this resource: [{0}]
Expand All @@ -98,10 +98,10 @@ ascanbeta.insecurehttpmethod.name = Insecure HTTP Method
ascanbeta.insecurehttpmethod.options.exploitable.desc = This is a diagnostic method and should never be turned on in production mode.
ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion on stackexchange: https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods
ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource.
ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange: https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see http://www.restapitutorial.com/lessons/httpmethods.html
ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange: https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https://www.restapitutorial.com/lessons/httpmethods.html
ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD
ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource..
ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange: https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see http://www.restapitutorial.com/lessons/httpmethods.html
ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange: https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https://www.restapitutorial.com/lessons/httpmethods.html
ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods.
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the 'HttpOnly' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability.
ascanbeta.insecurehttpmethod.trace.exploitable.extrainfo = A TRACE request was sent for this request, with a custom cookie value [{0}]. This cookie value was disclosed in the HTTP response, confirming the vulnerability.
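Review bot: the `patch` and `put` `exploitable.extrainfo` values here are character-for-character the same as the `delete` one in the previous hunk, so the restapitutorial.com link now has to be kept in sync in three places; if the bundle cannot share a value, a comment above the group naming the three keys would help the next link update. While these lines are open, `ascanbeta.insecurehttpmethod.put.exploitable.desc` directly above the `put` change ends in a double period ("original resource..") that could be fixed in the same pass.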
5 changes: 4 additions & 1 deletion addOns/bruteforce/CHANGELOG.md
Expand Up @@ -5,7 +5,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased
### Added
- Support for menu weights (Issue 8369)
- Support for menu weights (Issue 8369).

### Changed
- Maintenance changes.

## [15] - 2023-10-12
### Changed
@@ -1,6 +1,3 @@
#Generated by ResourceBundle Editor (http://eclipse-rbe.sourceforge.net)
# Note that all of the labels should be in alphabetic order, with the exception of

bruteforce.activeActionPrefix = Forced browsing: {0}

bruteforce.add.dirperms.error = No write access to:
5 changes: 4 additions & 1 deletion addOns/diff/CHANGELOG.md
Expand Up @@ -5,7 +5,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased
### Added
- Support for menu weights (Issue 8369)
- Support for menu weights (Issue 8369).

### Changed
- Maintenance changes.

## [14] - 2023-10-12
### Changed
@@ -1,5 +1,3 @@
#Generated by ResourceBundle Editor (http://eclipse-rbe.sourceforge.net)
# Note that all of the labels should be in alphabetic order, with the exception of
diff.diff.close.button = Close
diff.diff.lock.check = Lock Scrolling
diff.diff.req.popup = Compare 2 Requests
@@ -1,4 +1,3 @@
#Generated by ResourceBundle Editor (http://eclipse-rbe.sourceforge.net)

ports.copy.popup = Copy

Expand All @@ -12,7 +11,7 @@ ports.options.title = Port Scan

ports.panel.mnemonic = p
ports.panel.title = Port Scan
# Port descriptions taken from http://www.iana.org/assignments/port-numbers
# Port descriptions taken from https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
# Note to translators - its probably not worth translating these :)

ports.port.0 = Reserved
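Review bot: the "Port descriptions taken from" comment changes the path as well as the scheme (`/assignments/port-numbers` becomes `/assignments/service-names-port-numbers/service-names-port-numbers.xhtml`), which is more than the commit title "Change links to use HTTPS" describes; a line in the commit message saying the IANA registry URL itself was updated would make that intentional. The following comment line still reads "its probably", which could become "it's probably" in the same edit.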
@@ -1,7 +1,3 @@
#Generated by ResourceBundle Editor (http://eclipse-rbe.sourceforge.net)
# Note that all of the labels should be in alphabetic order, with the exception of
# labels that are not really expected to be translated, such as the ports at the end of this file

websocket.api.action.sendTextMessage = Sends the specified message on the channel specified by channelId, if outgoing is 'True' then the message will be sent to the server and if it is 'False' then it will be sent to the client
websocket.api.action.setBreakTextMessage = Sets the text message for an intercepted websockets message
websocket.api.view.breakTextMessage = Returns a text representation of an intercepted websockets message
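Review bot: this file and the `ports.*` messages file before it drop the generated-by header, but no CHANGELOG hunk for either add-on appears among the 10 changed files, whereas the bruteforce and diff add-ons each gained a "Maintenance changes." entry for the same kind of comment-only edit. Either add the matching entry for consistency or state why it is not needed here (for example, an entry that already exists under Unreleased).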