-
-
Notifications
You must be signed in to change notification settings - Fork 713
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ascanrulesBeta: Address possible FP in proxy detection rule #5718
base: main
Are you sure you want to change the base?
Conversation
e0c29af
to
44b000e
Compare
...ulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java
Outdated
Show resolved
Hide resolved
44b000e
to
b491554
Compare
Tweaked |
...ulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java
Outdated
Show resolved
Hide resolved
...ain/javahelp/org/zaproxy/zap/extension/ascanrulesBeta/resources/help/contents/ascanbeta.html
Outdated
Show resolved
Hide resolved
"X-Forwarded-For: 76.69.54.171", "X-Forwarded-For: 127.0.0.1", | ||
"X-Forwarded-Host: api.test.glaypen.garnercorp.com", "X-Forwarded-Port: 443", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Better remove public IPs and domains, there are also headers being tested that wouldn't raise an alert anyway. It's missing Via (for completeness). Also, would be good that the server behaviour did raise an alert if it wasn't for the evidence being already present.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The test is still not testing the expected code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry I glossed over your second point about the served content. Will adjust.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do plan to work through this, but it's gonna take a bit longer to get the nano handler setup for all the pre-checks.
.../src/test/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRuleUnitTest.java
Outdated
Show resolved
Hide resolved
824b5df
to
f62d8fa
Compare
Got all those I think. |
...ulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java
Show resolved
Hide resolved
f62d8fa
to
ed90ba4
Compare
- CHANGELOG > Added change note. - ProxyDisclosureScanRule > Added condition to skip messages if they have evidence content to start with. Removed misleading Attack text from the Alert. - ProxyDisclosureScanRuleUnitTest > Added a test to assert the new behavior. Signed-off-by: kingthorin <[email protected]>
ed90ba4
to
e4cf659
Compare
Overview
Related Issues
Fixes zaproxy/zaproxy#8556
Checklist
./gradlew spotlessApply
for code formatting