Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pscanrules: Reduce Suspicious Comments rule JS FPs #5813

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

kingthorin
Copy link
Member

@kingthorin kingthorin commented Oct 13, 2024

Overview

  • CHANGELOG > Added fix note.
  • InformationDisclosureSuspiciousCommentsScanRule > Updated handling to target comments in JavaScript more specifically & skip font requests.
  • InformationDisclosureSuspiciousCommentsScanRuleUnitTest > Updated and added tests.
  • Messages.properties > Updated to detail/report the findings more specifically based on the new behavior.

Note: The regexes used for JS comments are based on https://github.com/antlr/grammars-v4/blob/c82c128d980f4ce46fb3536f87b06b45b9619922/javascript/javascript/JavaScriptLexer.g4#L49-L50

Related Issues

Checklist

  • Update help
  • Update changelog
  • Run ./gradlew spotlessApply for code formatting
  • Write tests
  • Check code coverage
  • Sign-off commits
  • Squash commits
  • Use a descriptive title

@kingthorin kingthorin force-pushed the sus-comm-fp branch 2 times, most recently from 93a5cfd to 031dd13 Compare October 13, 2024 02:50
@kingthorin kingthorin force-pushed the sus-comm-fp branch 2 times, most recently from e40a6e1 to a1483ab Compare October 13, 2024 11:16
@kingthorin
Copy link
Member Author

Tweaked

@kingthorin kingthorin force-pushed the sus-comm-fp branch 3 times, most recently from abcb851 to ae5659e Compare October 17, 2024 10:40
@kingthorin
Copy link
Member Author

Fixed

@thc202 thc202 changed the title pscanrules: Address Suspicious Comments rule JS FPs pscanrules: Reduce Suspicious Comments rule JS FPs Oct 25, 2024
@thc202
Copy link
Member

thc202 commented Oct 25, 2024

There's a typo in the commit/PR description b>.

@kingthorin kingthorin force-pushed the sus-comm-fp branch 2 times, most recently from 0d17f9c to e7cb14e Compare October 31, 2024 10:54
@kingthorin
Copy link
Member Author

As far as performance goes here's what I've been able to find:

Live perf examples
https://www.bell.ca/Bell-bundles/Internet-Mobility

Old

78160783 [ZAP-IO-Server-1-44] INFO  org.zaproxy.zap.extension.websocket.WebSocketProxy - collection.decibelinsight.net:443 (#6) is excluded from storage & UI!
78161331 [ZAP-PassiveScan-2] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 7 seconds to scan https://www.bell.ca/Bell-bundles/Internet-Mobility text/html; charset=UTF-8 961304
78165329 [ZAP-PassiveScan-5] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 11 seconds to scan https://assets.adobedtm.com/launch-ENebd7a9b148404f67903d514c40949f24.min.js application/x-javascript 567091
78165338 [ZAP-PassiveScan-6] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 7 seconds to scan https://www.bell.ca/ruxitagentjs_ICA7NQVfghqrux_10299241001084140.js text/javascript; charset=utf-8 341434
78166382 [ZAP-PassiveScan-8] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 5 seconds to scan https://www.bell.ca/ruxitagentjs_D_10299241001084140.js text/javascript; charset=utf-8 43211
78168938 [ZAP-PassiveScan-4] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 5 seconds to scan https://www.googletagmanager.com/gtag/js?id=AW-953414520 application/javascript; charset=UTF-8 289075
78170511 [ZAP-PassiveScan-1] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 6 seconds to scan https://www.googletagmanager.com/gtag/js?id=G-MTKGWZ28E4 application/javascript; charset=UTF-8 344100
78173582 [ZAP-PassiveScan-8] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 5 seconds to scan https://connect.facebook.net/en_US/fbevents.js application/x-javascript; charset=utf-8 234260
78179114 [ZAP-PassiveScan-4] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 5 seconds to scan https://googleads.g.doubleclick.net/pagead/viewthroughconversion/953414520/?random=1730373038776&cv=11&fst=1730373038776&bg=ffffff&guid=ON&async=1&gtm=45be4as0v9172277568za200&gcd=13l3l3l3l1l1&dma=0&tag_exp=101533421~101823848~101878899~101878944~101925629&u_w=1920&u_h=1080&url=https%3A%2F%2Fwww.bell.ca%2FBell-bundles%2FInternet-Mobility&hn=www.googleadservices.com&frm=0&tiba=Bundles%20%7C%20Internet%20%26%20Mobility%20%7C%20Bell%20Canada&npa=0&pscdl=noapi&auid=1298872184.1730373035&fdr=QA&data=event%3Dgtag.config&rfmt=3&fmt=4 text/javascript; charset=UTF-8 5354
78179256 [ZAP-PassiveScan-8] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 5 seconds to scan https://www.googletagmanager.com/static/service_worker/4al0/sw.js?origin=https%3A%2F%2Fwww.bell.ca text/javascript 7076
78180880 [ZAP-PassiveScan-1] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 10 seconds to scan https://www.bell.ca/Styles/media/Shared/js/HowtoBuy.js?v=1.0.9 application/javascript 192214
78180911 [ZAP-PassiveScan-5] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 9 seconds to scan https://www.gstatic.com/recaptcha/releases/lqsTZ5beIbCkK4uGEGv9JmUR/recaptcha__en.js text/javascript 557225
78180911 [ZAP-PassiveScan-6] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 9 seconds to scan https://www.gstatic.com/recaptcha/releases/lqsTZ5beIbCkK4uGEGv9JmUR/recaptcha__en.js text/javascript 557225
78180933 [ZAP-PassiveScan-3] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 8 seconds to scan https://www.gstatic.com/recaptcha/releases/lqsTZ5beIbCkK4uGEGv9JmUR/recaptcha__en.js text/javascript 557225

New
78022884 [ZAP-PassiveScan-7] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 9 seconds to scan https://www.bell.ca/Bell-bundles/Internet-Mobility text/html; charset=UTF-8 961318
78034777 [ZAP-PassiveScan-4] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 10 seconds to scan https://www.bell.ca/eShop/Qualification/HowtoBuyInternet?gigabitPreFlow=&shopQualModal=true&resPath=%2FBRSeShop%2Fqualification%2Fcentral_shop_internet&returnUrl=https%3A%2F%2Fwww.bell.ca%2FBell-bundles%2FInternet-Mobility&framework=brf text/html; charset=UTF-8 294957
78058621 [ZAP-IO-Server-1-32] INFO  org.zaproxy.zap.extension.websocket.WebSocketProxy - collection.decibelinsight.net:443 (#5) is excluded from storage & UI!
78059381 [ZAP-PassiveScan-5] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 7 seconds to scan https://www.bell.ca/Bell-bundles/Internet-Mobility text/html; charset=UTF-8 961302
78070658 [ZAP-PassiveScan-7] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 6 seconds to scan https://www.bell.ca/Styles/BRF/content/js/eshop/QualificationCommon.js application/javascript 14045
78071073 [ZAP-PassiveScan-3] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 5 seconds to scan https://www.clarity.ms/s/0.7.49/clarity.js application/javascript;charset=utf-8 65959
78072525 [ZAP-PassiveScan-4] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 5 seconds to scan https://googleads.g.doubleclick.net/pagead/viewthroughconversion/953414520/?random=1730372936537&cv=11&fst=1730372936537&bg=ffffff&guid=ON&async=1&gtm=45be4as0v9172277568za200&gcd=13l3l3l3l1l1&dma=0&tag_exp=101533422~101823848~101878899~101878944~101925629&u_w=1920&u_h=1080&url=https%3A%2F%2Fwww.bell.ca%2FBell-bundles%2FInternet-Mobility&hn=www.googleadservices.com&frm=0&tiba=Bundles%20%7C%20Internet%20%26%20Mobility%20%7C%20Bell%20Canada&npa=0&pscdl=noapi&auid=520820797.1730372932&fdr=QA&data=event%3Dgtag.config&rfmt=3&fmt=4 text/javascript; charset=UTF-8 5354
78073935 [ZAP-PassiveScan-5] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 11 seconds to scan https://www.bell.ca/eShop/Qualification/HowtoBuyInternet?gigabitPreFlow=&shopQualModal=true&resPath=%2FBRSeShop%2Fqualification%2Fcentral_shop_internet&returnUrl=https%3A%2F%2Fwww.bell.ca%2FBell-bundles%2FInternet-Mobility&framework=brf text/html; charset=UTF-8 294957
78074004 [ZAP-PassiveScan-2] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 9 seconds to scan https://www.bell.ca/eShop/Qualification/HowtoBuyInternet?gigabitPreFlow=&shopQualModal=true&resPath=%2FBRSeShop%2Fqualification%2Fcentral_bundle&returnURL=https%3A%2F%2Fwww.bell.ca%2FBell-bundles%2FInternet-Mobility&framework=brf text/html; charset=UTF-8 280536

New after pre-check

78607448 [ZAP-IO-Server-1-56] INFO  org.zaproxy.zap.extension.websocket.WebSocketProxy - collection.decibelinsight.net:443 (#7) is excluded from storage & UI!
78608202 [ZAP-PassiveScan-6] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 7 seconds to scan https://www.bell.ca/Bell-bundles/Internet-Mobility text/html; charset=UTF-8 961304
78621906 [ZAP-PassiveScan-4] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 9 seconds to scan https://www.bell.ca/eShop/Qualification/HowtoBuyInternet?gigabitPreFlow=&shopQualModal=true&resPath=%2FBRSeShop%2Fqualification%2Fcentral_shop_internet&returnUrl=https%3A%2F%2Fwww.bell.ca%2FBell-bundles%2FInternet-Mobility&framework=brf text/html; charset=UTF-8 294957

I'm not sure how to add a test based on that? 🤷

@kingthorin kingthorin force-pushed the sus-comm-fp branch 3 times, most recently from 243e6d1 to 0b69de5 Compare October 31, 2024 11:28
@thc202
Copy link
Member

thc202 commented Oct 31, 2024

How are you running the tests?

@kingthorin
Copy link
Member Author

That was just browsing with only the one rule enabled. Opening a new browser form ZAP after re-installing different versions of the add-on.

@kingthorin
Copy link
Member Author

Deconflicted

@kingthorin kingthorin force-pushed the sus-comm-fp branch 2 times, most recently from 5991c88 to b84f2a4 Compare November 17, 2024 13:40
@kingthorin
Copy link
Member Author

Now also skips font requests:

169870806 [ZAP-PassiveScan-5] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 5 seconds to scan https://www.bell.ca/styles/media/Mobility/css/fonts/shop-icons.woff2 text/html; charset=utf-8 190704
169871023 [ZAP-PassiveScan-4] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 5 seconds to scan https://www.bell.ca/styles/media/Mobility/css/fonts/bellslim_black-webfont.woff2 text/html; charset=utf-8 190704
169871096 [ZAP-PassiveScan-7] WARN  org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule Information Disclosure - Suspicious Comments took 5 seconds to scan https://www.bell.ca/styles/media/Mobility/css/fonts/shop-icons.woff text/html; charset=utf-8 190702

@kingthorin kingthorin force-pushed the sus-comm-fp branch 4 times, most recently from 0a3b163 to 1d75446 Compare November 17, 2024 13:46
- CHANGELOG > Added fix note.
- InformationDisclosureSuspiciousCommentsScanRule > Updated handling to
target comments in JavaScript more specifically & skip font requests.
- InformationDisclosureSuspiciousCommentsScanRuleUnitTest > Updated and
added tests.
- Messages.properties > Updated to detail/report the findings more
specifically based on the new behavior.

Signed-off-by: kingthorin <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
2 participants