Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ascanrules: status code heuristic for sqli to reduce false positives #5976

Open
wants to merge 8 commits into
base: main
Choose a base branch
from

Conversation

FiveOFive
Copy link
Contributor

Overview

Fixes sql injection false positives zaproxy/zaproxy#8652 and zaproxy/zaproxy#8653. The short summary is that the current response comparison logic just checks if the response bodies are the same or different. It's unaware of the response status codes. This change includes the status code as a heuristic when comparing responses for expression based and boolean based tests. The have to be the same status code for a sql injection alert to be raised.

Note that this potentially adds false negatives. It's possible that the different status code is a result of the confirm sql payload being evaluated. However, I've looked at over 50 different websites with alerts from this case and none of them were a real vulnerability. I think it's pretty unusual that the first sql payload is evaluated fine and the second confirm payload results in a totally different status code. Not impossible, but I think it has a very high noise to real finding ratio.

Some alternatives:

  • set a lower alert confidence if there was a status code mismatch
  • handle different error codes differently e.g. a 429 is really unlikely to be a sql injection but a 5xx is a little more suspicious

This change is built on top of [TODO]. Once that one is done I'll rebase, squash, and sign-off the resulting commit.

Related Issues

Specify any related issues or pull requests by linking to them.

Checklist

  • Update help
  • Update changelog
  • Run ./gradlew spotlessApply for code formatting
  • Write tests
  • Check code coverage
  • Sign-off commits
  • Squash commits
  • Use a descriptive title

For more details, please refer to the developer rules and guidelines.

@psiinon

This comment has been minimized.

@thc202 thc202 changed the title ascanrules: status code heurstic for sqli to reduce false positives ascanrules: status code heuristic for sqli to reduce false positives Dec 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

2 participants