From 34451e036fd1f8dded126b30e6737a8ea131ef4f Mon Sep 17 00:00:00 2001
From: thc202
Date: Tue, 26 Mar 2024 09:26:52 +0000
Subject: [PATCH] Change links to use HTTPS in resource messages

Change some HTTP links to HTTPS. Also remove unnecessary/misleading comments.

Signed-off-by: thc202
---
 addOns/ascanrules/CHANGELOG.md | 3 ++-
 .../zap/extension/ascanrules/resources/Messages.properties | 2 +-
 addOns/ascanrulesBeta/CHANGELOG.md | 3 ++-
 .../extension/ascanrulesBeta/resources/Messages.properties | 6 +++---
 addOns/bruteforce/CHANGELOG.md | 5 ++++-
 .../zap/extension/bruteforce/resources/Messages.properties | 3 ---
 addOns/diff/CHANGELOG.md | 5 ++++-
 .../zap/extension/diff/resources/Messages.properties | 2 --
 .../zap/extension/portscan/resources/Messages.properties | 3 +--
 .../zap/extension/websocket/resources/Messages.properties | 4 ----
 10 files changed, 17 insertions(+), 19 deletions(-)

diff --git a/addOns/ascanrules/CHANGELOG.md b/addOns/ascanrules/CHANGELOG.md
index cb94b511901..74af8e86b16 100644
--- a/addOns/ascanrules/CHANGELOG.md
+++ b/addOns/ascanrules/CHANGELOG.md
@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Changed
+- Change link to use HTTPS in other info of SQL Injection - SQLite (Issue 8262).
 
 ## [64] - 2024-03-25
 ### Changed
diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages.properties
index d1eb437e286..38067b8b129 100644
--- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages.properties
+++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages.properties
@@ -191,7 +191,7 @@ ascanrules.sqlinjection.refs = https://cheatsheetseries.owasp.org/cheatsheets/SQ
 ascanrules.sqlinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side.\nIf the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'\nIf the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.\nIf database Stored Procedures can be used, use them.\nDo *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!\nDo not create dynamic SQL queries using simple string concatenation.\nEscape all data received from the client.\nApply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters in user input.\nApply the principle of least privilege by using the least privileged database user possible.\nIn particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.\nGrant the minimum database access that is necessary for the application.
 ascanrules.sqlinjection.sqlite.alert.errorbased.extrainfo = The following known SQLite error message was provoked: [{0}].
 ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, parameter value [{2}], which caused the request to take [{3}] milliseconds, when the original unmodified query with value [{4}] took [{5}] milliseconds.
-ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite's dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at http://www.sqlite.org/changes.html
+ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite's dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https://www.sqlite.org/changes.html
 ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite
 ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent:\n[{1}]
diff --git a/addOns/ascanrulesBeta/CHANGELOG.md b/addOns/ascanrulesBeta/CHANGELOG.md
index 838a5a77ec6..80c1bd23a99 100644
--- a/addOns/ascanrulesBeta/CHANGELOG.md
+++ b/addOns/ascanrulesBeta/CHANGELOG.md
@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Changed
+- Change links to use HTTPS in other info of Insecure HTTP Method (Issue 8262).
 
 ## [52] - 2024-03-25
 ### Changed
diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages.properties
index 6f77b0ddc58..7b6649c9133 100644
--- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages.properties
+++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages.properties
@@ -89,7 +89,7 @@ ascanbeta.httpsashttp.soln = Ensure that your web server, application server, lo
 ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components.
 ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server.
 ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource.
-ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange: https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see http://www.restapitutorial.com/lessons/httpmethods.html
+ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange: https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https://www.restapitutorial.com/lessons/httpmethods.html
 ascanbeta.insecurehttpmethod.desc = The insecure HTTP method [{0}] is enabled on the web server for this resource. Depending on the web server configuration, and the underlying implementation responsible for serving the resource, this might or might not be exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the 'HttpOnly' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. The 'CONNECT' method can be used by a web client to create an HTTP tunnel to third party websites or services.
 ascanbeta.insecurehttpmethod.detailed.name = Insecure HTTP Method - {0}
 ascanbeta.insecurehttpmethod.extrainfo = The OPTIONS method disclosed the following enabled HTTP methods for this resource: [{0}]
@@ -98,10 +98,10 @@ ascanbeta.insecurehttpmethod.name = Insecure HTTP Method
 ascanbeta.insecurehttpmethod.options.exploitable.desc = This is a diagnostic method and should never be turned on in production mode.
 ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion on stackexchange: https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods
 ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource.
-ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange: https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see http://www.restapitutorial.com/lessons/httpmethods.html
+ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange: https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https://www.restapitutorial.com/lessons/httpmethods.html
 ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD
 ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource..
-ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange: https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see http://www.restapitutorial.com/lessons/httpmethods.html
+ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange: https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https://www.restapitutorial.com/lessons/httpmethods.html
 ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods.
 ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the 'HttpOnly' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability.
 ascanbeta.insecurehttpmethod.trace.exploitable.extrainfo = A TRACE request was sent for this request, with a custom cookie value [{0}]. This cookie value was disclosed in the HTTP response, confirming the vulnerability.
diff --git a/addOns/bruteforce/CHANGELOG.md b/addOns/bruteforce/CHANGELOG.md
index 6b7210a96c1..8612086aa2f 100644
--- a/addOns/bruteforce/CHANGELOG.md
+++ b/addOns/bruteforce/CHANGELOG.md
@@ -5,7 +5,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Added
-- Support for menu weights (Issue 8369)
+- Support for menu weights (Issue 8369).
+
+### Changed
+- Maintenance changes.
 
 ## [15] - 2023-10-12
 ### Changed
diff --git a/addOns/bruteforce/src/main/resources/org/zaproxy/zap/extension/bruteforce/resources/Messages.properties b/addOns/bruteforce/src/main/resources/org/zaproxy/zap/extension/bruteforce/resources/Messages.properties
index d7ba7bea5ef..1ecf4248bba 100644
--- a/addOns/bruteforce/src/main/resources/org/zaproxy/zap/extension/bruteforce/resources/Messages.properties
+++ b/addOns/bruteforce/src/main/resources/org/zaproxy/zap/extension/bruteforce/resources/Messages.properties
@@ -1,6 +1,3 @@
-#Generated by ResourceBundle Editor (http://eclipse-rbe.sourceforge.net)
-# Note that all of the labels should be in alphabetic order, with the exception of
-
 bruteforce.activeActionPrefix = Forced browsing: {0}
 bruteforce.add.dirperms.error = No write access to:
diff --git a/addOns/diff/CHANGELOG.md b/addOns/diff/CHANGELOG.md
index 4cb787729b3..4b9ce552bdf 100644
--- a/addOns/diff/CHANGELOG.md
+++ b/addOns/diff/CHANGELOG.md
@@ -5,7 +5,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Added
-- Support for menu weights (Issue 8369)
+- Support for menu weights (Issue 8369).
+
+### Changed
+- Maintenance changes.
 
 ## [14] - 2023-10-12
 ### Changed
diff --git a/addOns/diff/src/main/resources/org/zaproxy/zap/extension/diff/resources/Messages.properties b/addOns/diff/src/main/resources/org/zaproxy/zap/extension/diff/resources/Messages.properties
index 9e9867aaec4..7c652c18b93 100644
--- a/addOns/diff/src/main/resources/org/zaproxy/zap/extension/diff/resources/Messages.properties
+++ b/addOns/diff/src/main/resources/org/zaproxy/zap/extension/diff/resources/Messages.properties
@@ -1,5 +1,3 @@
-#Generated by ResourceBundle Editor (http://eclipse-rbe.sourceforge.net)
-# Note that all of the labels should be in alphabetic order, with the exception of
 diff.diff.close.button = Close
 diff.diff.lock.check = Lock Scrolling
 diff.diff.req.popup = Compare 2 Requests
diff --git a/addOns/portscan/src/main/resources/org/zaproxy/zap/extension/portscan/resources/Messages.properties b/addOns/portscan/src/main/resources/org/zaproxy/zap/extension/portscan/resources/Messages.properties
index 640e15f42a5..9900ec2bf11 100644
--- a/addOns/portscan/src/main/resources/org/zaproxy/zap/extension/portscan/resources/Messages.properties
+++ b/addOns/portscan/src/main/resources/org/zaproxy/zap/extension/portscan/resources/Messages.properties
@@ -1,4 +1,3 @@
-#Generated by ResourceBundle Editor (http://eclipse-rbe.sourceforge.net)
 ports.copy.popup = Copy
@@ -12,7 +11,7 @@ ports.options.title = Port Scan
 ports.panel.mnemonic = p
 ports.panel.title = Port Scan
-# Port descriptions taken from http://www.iana.org/assignments/port-numbers
+# Port descriptions taken from https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
 # Note to translators - its probably not worth translating these :)
 ports.port.0 = Reserved
diff --git a/addOns/websocket/src/main/resources/org/zaproxy/zap/extension/websocket/resources/Messages.properties b/addOns/websocket/src/main/resources/org/zaproxy/zap/extension/websocket/resources/Messages.properties
index c6b9b9fc0cf..c04ba2f62c9 100644
--- a/addOns/websocket/src/main/resources/org/zaproxy/zap/extension/websocket/resources/Messages.properties
+++ b/addOns/websocket/src/main/resources/org/zaproxy/zap/extension/websocket/resources/Messages.properties
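Review bot: The `# Port descriptions taken from …` comment in the `@@ -12,7 +11,7 @@` hunk changes the link's path as well as its scheme (`/assignments/port-numbers` becomes `/assignments/service-names-port-numbers/service-names-port-numbers.xhtml`), which the commit message's "Change some HTTP links to HTTPS" does not mention; presumably the old path no longer serves the registry, and one sentence saying so in the message would keep the history accurate. The portscan and websocket add-ons also get no CHANGELOG.md entry for their Messages.properties edits, although the equivalent generated-header removals in bruteforce and diff are recorded in this same patch as `### Changed` / `- Maintenance changes.`; the diffstat lists neither addOns/portscan/CHANGELOG.md nor addOns/websocket/CHANGELOG.md. Adding the same `- Maintenance changes.` line under Unreleased for both would keep the add-ons' release notes consistent.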
@@ -1,7 +1,3 @@
-#Generated by ResourceBundle Editor (http://eclipse-rbe.sourceforge.net)
-# Note that all of the labels should be in alphabetic order, with the exception of
-# labels that are not really expected to be translated, such as the ports at the end of this file
-
 websocket.api.action.sendTextMessage = Sends the specified message on the channel specified by channelId, if outgoing is 'True' then the message will be sent to the server and if it is 'False' then it will be sent to the client
 websocket.api.action.setBreakTextMessage = Sets the text message for an intercepted websockets message
 websocket.api.view.breakTextMessage = Returns a text representation of an intercepted websockets message