-
-
Notifications
You must be signed in to change notification settings - Fork 713
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ascanrules: Path Traversal add details for dir match Alerts & reduce FPs #5824
base: main
Are you sure you want to change the base?
Conversation
This does not seem to address the FP reported in the referenced issue. |
addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java
Outdated
Show resolved
Hide resolved
addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java
Outdated
Show resolved
Hide resolved
...nrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages.properties
Outdated
Show resolved
Hide resolved
No it simply provides further context. IMHO it will be rare for all 5 of the nix matches to happen. Do you want me to also exclude JS/CSS/Binary'ish because that's an option too which I could add to this PR. |
Not sure how rare is since JS chunks/libs tend to have lot of data, but we should not close the issue if it does not address it. That would be better to address the issue (though the evidence match done beforehand should have caught the reported case, if actually static content). |
Okay I'll make further changes. |
This rule doesn't seem to pre-check the response. I'll tackle that as well. |
851c5c1
to
21096ab
Compare
Addressed review, further pre-checks as discussed still coming 😁 |
6cdb014
to
a9c8485
Compare
Now w/ pre-checks. |
addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java
Outdated
Show resolved
Hide resolved
- CHANGELOG > Added change note. - Message.properties > Added key/value pair supporting the new Alert details. - PathTraversalScanRule > Updated to include Other Info on Alerts when applicable, and pre-check the original message response to reduce false positives. - PathTraversalScanRuleUnitTest > Updated to assert Other Info or lack thereof where applicable, also assure appropriate skipping due to pre-conditions. Signed-off-by: kingthorin <[email protected]>
a9c8485
to
aa5816d
Compare
Overview
Related Issues
Checklist
./gradlew spotlessApply
for code formatting