
ascanrules: refactor expression and boolean based sqli to use ComparableResponse #5974

Open

wants to merge 5 commits into main

Conversation

FiveOFive (Contributor)

Overview

Start using ComparableResponse for expression based and boolean based sql injection response comparisons. Use a custom comparison function that is very close to the previous comparison*. The reasoning for this is to not couple this refactor to new logic that risks introducing false positives/negatives. I'll send separate PRs for adding some heuristics that handle existing false positive cases that I know of and it should be easy for any ZAP contributor to make further improvements to the heuristics.

This change is on top of #5867 and #5797 which add unit tests to ensure the existing behavior is not broken. After those are merged, I'll rebase, squash, and signoff the final commit here.

  • the previous logic is checking the response bodies for an exact match either stripped of input parameters or unstripped. As far as I can tell, only stripped needs to be checked. The strip function is deterministic, so if the unstripped match, then the stripped have to match too, i.e. if unstripped1 == unstripped2, then strip(unstripped1, param1, param2) == strip(unstripped2, param1, param2): the 3 inputs to the strip function are exactly the same in both cases, so the results must be the same too.

Related Issues

zaproxy/zaproxy#8652

Checklist

  • Update help
  • Update changelog
  • Run ./gradlew spotlessApply for code formatting
  • Write tests
  • Check code coverage
  • Sign-off commits
  • Squash commits
  • Use a descriptive title

For more details, please refer to the developer rules and guidelines.
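The comparison the description relies on, as an added example in Python that is not part of this PR and not ZAP's ComparableResponse implementation: parameter values from both requests are stripped from both bodies by a deterministic function, then the stripped bodies are compared for an exact match, and a boolean-based check flags only when the true-condition response matches the original while the false-condition response does not. It assumes stripping is plain substring removal (ZAP's own stripping may differ); the page template, parameter values, rows and the true/false condition stand-ins are all constructed for the example.

```python
"""Added example (not ZAP's code): model the stripped-body comparison used by a
boolean-based SQLi check and show why only the stripped comparison is needed.
Every response, template and parameter value below is constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def strip_params(body: str, params: tuple[str, ...]) -> str:
    """Deterministically remove every reflected occurrence of each parameter value.
    Longest values go first so a value that is a prefix of another is not left half-stripped.
    Assumption: plain substring removal stands in for ZAP's real strip logic."""
    out = body
    for value in sorted(params, key=len, reverse=True):
        if value:
            out = out.replace(value, "")
    return out


def bodies_match(r1: Response, r2: Response, params: tuple[str, ...]) -> bool:
    """Status codes must agree and the bodies must be identical once the parameter
    values of both requests have been stripped from each of them."""
    if r1.status != r2.status:
        return False
    return strip_params(r1.body, params) == strip_params(r2.body, params)


def unstripped_equal_implies_stripped_equal(body_a: str, body_b: str, params: tuple[str, ...]) -> bool:
    """The implication stated in the PR: identical raw bodies always give identical
    stripped bodies, because strip() sees exactly the same inputs for both."""
    return body_a != body_b or strip_params(body_a, params) == strip_params(body_b, params)


def boolean_sqli_indicated(original: Response, cond_true: Response,
                           cond_false: Response, params: tuple[str, ...]) -> bool:
    """Flag only when the true-condition response is indistinguishable from the
    original after stripping, while the false-condition response differs."""
    return bodies_match(original, cond_true, params) and not bodies_match(original, cond_false, params)


def render_search_page(query: str, results: list[str]) -> str:
    """Constructed page template: reflects the query and lists the rows returned."""
    items = "".join(f"<li>{r}</li>" for r in results)
    return f"<h1>Results for '{query}'</h1><ul>{items}</ul>"


# Constructed parameter values; the condition markers are abstract stand-ins, not payloads.
ORIG_VALUE = "apple"
TRUE_VALUE = "apple<always-true-condition>"
FALSE_VALUE = "apple<always-false-condition>"
ALL_VALUES = (ORIG_VALUE, TRUE_VALUE, FALSE_VALUE)
ROWS = ["Apple pie", "Apple juice"]


def sample_responses() -> tuple[Response, Response, Response]:
    """Constructed responses: the true-condition variant returns the same rows but
    echoes a different query, the false-condition variant returns no rows."""
    original = Response(200, render_search_page(ORIG_VALUE, ROWS))
    cond_true = Response(200, render_search_page(TRUE_VALUE, ROWS))
    cond_false = Response(200, render_search_page(FALSE_VALUE, []))
    return original, cond_true, cond_false


def run_sample() -> bool:
    """Run the boolean check over the constructed responses."""
    original, cond_true, cond_false = sample_responses()
    return boolean_sqli_indicated(original, cond_true, cond_false, ALL_VALUES)


if __name__ == "__main__":
    original, cond_true, _ = sample_responses()
    # Raw bodies differ only by the reflected value; stripped bodies are identical,
    # which is why the raw comparison adds nothing the stripped comparison does not cover.
    print("raw equal:", original.body == cond_true.body)
    print("stripped equal:", bodies_match(original, cond_true, ALL_VALUES))
    print("boolean sqli indicated:", run_sample())
```

The converse of the implication does not hold: the original and true-condition bodies differ in raw form (the reflected query is different) yet match once stripped, which is exactly the case the stripped comparison exists to catch and the raw comparison would miss.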

FiveOFive changed the title from "Comparable response sqli" to "ascanrules: refactor expression and boolean based sqli to use ComparableResponse" on Dec 3, 2024
