diff --git a/addOns/ascanrulesAlpha/CHANGELOG.md b/addOns/ascanrulesAlpha/CHANGELOG.md index 33b2b143f89..6db8652b366 100644 --- a/addOns/ascanrulesAlpha/CHANGELOG.md +++ b/addOns/ascanrulesAlpha/CHANGELOG.md @@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## Unreleased - +### Removed +- The two example active scan rules were removed from this add-on and are now part of: https://github.com/zaproxy/addon-java ## [51] - 2025-09-18 ### Changed diff --git a/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRule.java b/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRule.java deleted file mode 100644 index 66b168905a0..00000000000 --- a/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRule.java +++ /dev/null 
@@ -1,255 +0,0 @@ -/* - * Zed Attack Proxy (ZAP) and its related class files. - * - * ZAP is an HTTP/HTTPS proxy for assessing web application security. - * - * Copyright 2014 The ZAP Development Team - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.zaproxy.zap.extension.ascanrulesAlpha; - -import java.io.BufferedReader; -import java.io.File; -import java.io.FileReader; -import java.io.IOException; -import java.util.ArrayList; -import java.util.List; -import org.apache.logging.log4j.LogManager; -import org.apache.logging.log4j.Logger; -import org.parosproxy.paros.Constant; -import org.parosproxy.paros.core.scanner.AbstractAppParamPlugin; -import org.parosproxy.paros.core.scanner.Alert; -import org.parosproxy.paros.core.scanner.Category; -import org.parosproxy.paros.core.scanner.Plugin; -import org.parosproxy.paros.network.HttpBody; -import org.parosproxy.paros.network.HttpMessage; -import org.zaproxy.zap.model.Tech; -import org.zaproxy.zap.model.TechSet; - -/** - * An example active scan rule, for more details see - * https://www.zaproxy.org/blog/2014-04-30-hacking-zap-4-active-scan-rules/ - * - * @author psiinon - */ -public class ExampleFileActiveScanRule extends AbstractAppParamPlugin - implements CommonActiveScanRuleInfo { - - /** Prefix for internationalized messages used by this rule */ - private static final String MESSAGE_PREFIX = "ascanalpha.examplefile."; - - private static final String exampleAscanFile = 
"txt/example-ascan-file.txt"; - private List strings = null; - private static final Logger LOGGER = LogManager.getLogger(ExampleFileActiveScanRule.class); - - @Override - public int getId() { - /* - * This should be unique across all active and passive rules. - * The master list is https://github.com/zaproxy/zaproxy/blob/main/docs/scanners.md - */ - return 60101; - } - - @Override - public String getName() { - return Constant.messages.getString(MESSAGE_PREFIX + "name"); - } - - @Override - public boolean targets( - TechSet technologies) { // This method allows the programmer or user to restrict when a - // scanner is run based on the technologies selected. For example, to restrict the scanner - // to run just when - // C language is selected - return technologies.includes(Tech.C); - } - - @Override - public String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private static String getOtherInfo() { - return Constant.messages.getString(MESSAGE_PREFIX + "other"); - } - - @Override - public String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - @Override - public String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - - @Override - public int getCategory() { - return Category.MISC; - } - - /* - * This method is called by the active scanner for each GET and POST parameter for every page - * @see org.parosproxy.paros.core.scanner.AbstractAppParamPlugin#scan(org.parosproxy.paros.network.HttpMessage, java.lang.String, java.lang.String) - */ - @Override - public void scan(HttpMessage msg, String param, String value) { - try { - if (!Constant.isDevBuild()) { - // Only run this example scan rule in dev mode - // Uncomment locally if you want to see these alerts in non dev mode ;) - return; - } - - if (this.strings == null) { - this.strings = loadFile(exampleAscanFile); - } - // This is where you change the 'good' request to attack the application - // You 
can make multiple requests if needed - int numAttacks = 0; - - switch (this.getAttackStrength()) { - case LOW: - numAttacks = 6; - break; - case MEDIUM: - numAttacks = 12; - break; - case HIGH: - numAttacks = 24; - break; - case INSANE: - numAttacks = 96; - break; - default: - break; - } - - for (int i = 0; i < numAttacks; i++) { - if (this.isStop()) { - // User has stopped the scan - break; - } - if (i >= this.strings.size()) { - // run out of attack strings - break; - } - String attack = this.strings.get(i); - // Always use getNewMsg() for each new request - HttpMessage testMsg = getNewMsg(); - setParameter(testMsg, param, attack); - sendAndReceive(testMsg); - - // This is where you detect potential vulnerabilities in the response - String evidence; - if ((evidence = doesResponseContainString(msg.getResponseBody(), attack)) != null) { - // Raise an alert - createAlert(param, attack, evidence).setMessage(testMsg).raise(); - return; - } - } - - } catch (IOException e) { - LOGGER.error(e.getMessage(), e); - } - } - - private String doesResponseContainString(HttpBody body, String str) { - String sBody; - if (Plugin.AlertThreshold.HIGH.equals(this.getAlertThreshold())) { - // For a high threshold perform a case exact check - sBody = body.toString(); - } else { - // For all other thresholds perform a case ignore check - sBody = body.toString().toLowerCase(); - } - - if (!Plugin.AlertThreshold.HIGH.equals(this.getAlertThreshold())) { - // Use case ignore unless a high threshold has been specified - str = str.toLowerCase(); - } - int start = sBody.indexOf(str); - if (start >= 0) { - // Return the original (case exact) string so we can match it in the response - return body.toString().substring(start, start + str.length()); - } - return null; - } - - private AlertBuilder createAlert(String param, String attack, String evidence) { - return newAlert() - .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setParam(param) - .setAttack(attack) - .setOtherInfo(getOtherInfo()) - 
.setEvidence(evidence); - } - - private static List loadFile(String file) { - /* - * ZAP will have already extracted the file from the add-on and put it underneath the 'ZAP home' directory - */ - List strings = new ArrayList<>(); - BufferedReader reader = null; - File f = new File(Constant.getZapHome() + File.separator + file); - if (!f.exists()) { - LOGGER.error("No such file: {}", f.getAbsolutePath()); - return strings; - } - try { - String line; - reader = new BufferedReader(new FileReader(f)); - while ((line = reader.readLine()) != null) { - if (!line.startsWith("#") && line.length() > 0) { - strings.add(line); - } - } - } catch (IOException e) { - LOGGER.error( - "Error on opening/reading example error file. Error: {}", e.getMessage(), e); - } finally { - if (reader != null) { - try { - reader.close(); - } catch (IOException e) { - LOGGER.debug("Error on closing the file reader. Error: {}", e.getMessage(), e); - } - } - } - return strings; - } - - @Override - public int getRisk() { - return Alert.RISK_HIGH; - } - - @Override - public int getCweId() { - // The CWE id - return 0; - } - - @Override - public int getWascId() { - // The WASC ID - return 0; - } - - @Override - public List getExampleAlerts() { - return List.of(createAlert("foo", " -'';!--"=&{()} - - - - - - - -SRC= - - - - - - - - -'"--> - - +ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4- - - - - -PT SRC="http://ha.ckers.org/xss.js"> diff --git a/addOns/ascanrulesAlpha/src/test/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRuleUnitTest.java b/addOns/ascanrulesAlpha/src/test/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRuleUnitTest.java deleted file mode 100644 index 3071727de9c..00000000000 --- a/addOns/ascanrulesAlpha/src/test/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRuleUnitTest.java +++ /dev/null 
@@ -1,47 +0,0 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.zaproxy.zap.extension.ascanrulesAlpha;
-
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.equalTo;
-import static org.hamcrest.Matchers.hasSize;
-import static org.hamcrest.Matchers.is;
-
-import java.util.List;
-import org.junit.jupiter.api.Test;
-import org.parosproxy.paros.core.scanner.Alert;
-
-class ExampleFileActiveScanRuleUnitTest extends ActiveScannerTest {
-
- @Override
- protected ExampleFileActiveScanRule createScanner() {
- return new ExampleFileActiveScanRule();
- }
-
- @Test
- void shouldHaveExpectedExample() {
- // Given / When
- List alerts = rule.getExampleAlerts();
- // Then
- assertThat(alerts, hasSize(1));
- Alert alert = alerts.get(0);
- assertThat(alert.getParam(), is(equalTo("foo")));
- }
-}
diff --git a/addOns/ascanrulesAlpha/src/test/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleSimpleActiveScanRuleUnitTest.java b/addOns/ascanrulesAlpha/src/test/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleSimpleActiveScanRuleUnitTest.java
deleted file mode 100644
index 579513fc7d9..00000000000
--- a/addOns/ascanrulesAlpha/src/test/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleSimpleActiveScanRuleUnitTest.java
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.zaproxy.zap.extension.ascanrulesAlpha;
-
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.equalTo;
-import static org.hamcrest.Matchers.hasSize;
-import static org.hamcrest.Matchers.is;
-
-import java.util.List;
-import org.junit.jupiter.api.Test;
-import org.parosproxy.paros.core.scanner.Alert;
-
-class ExampleSimpleActiveScanRuleUnitTest extends ActiveScannerTest {
-
- @Override
- protected ExampleSimpleActiveScanRule createScanner() {
- return new ExampleSimpleActiveScanRule();
- }
-
- @Test
- void shouldHaveExpectedExample() {
- // Given / When
- List alerts = rule.getExampleAlerts();
- // Then
- assertThat(alerts, hasSize(1));
- Alert alert = alerts.get(0);
- assertThat(alert.getParam(), is(equalTo("foo")));
- }
-}
diff --git a/addOns/pscanrulesAlpha/CHANGELOG.md b/addOns/pscanrulesAlpha/CHANGELOG.md
index 820b207a7bb..6c5b6996a11 100644
--- a/addOns/pscanrulesAlpha/CHANGELOG.md
+++ b/addOns/pscanrulesAlpha/CHANGELOG.md
@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## Unreleased - +### Removed +- The two example passive scan rules were removed from this add-on and are now part of: https://github.com/zaproxy/addon-java ## [46] - 2025-09-18 ### Changed diff --git a/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/ExampleFilePassiveScanRule.java b/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/ExampleFilePassiveScanRule.java deleted file mode 100644 index b933eef3791..00000000000 --- a/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/ExampleFilePassiveScanRule.java +++ /dev/null 
@@ -1,164 +0,0 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2014 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.zaproxy.zap.extension.pscanrulesAlpha;
-
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.FileReader;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-import net.htmlparser.jericho.Source;
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
-import org.parosproxy.paros.Constant;
-import org.parosproxy.paros.core.scanner.Alert;
-import org.parosproxy.paros.core.scanner.Plugin;
-import org.parosproxy.paros.network.HttpBody;
-import org.parosproxy.paros.network.HttpMessage;
-import org.zaproxy.zap.extension.pscan.PluginPassiveScanner;
-
-/**
- * An example passive scan rule, for more details see
- * https://www.zaproxy.org/blog/2014-04-03-hacking-zap-3-passive-scan-rules/
- *
- * @author psiinon
- */
-public class ExampleFilePassiveScanRule extends PluginPassiveScanner {
-
- /** Prefix for internationalized messages used by this rule */
- private static final String MESSAGE_PREFIX = "pscanalpha.examplefile.";
-
- private static final String examplePscanFile = "txt/example-pscan-file.txt";
- private static final Logger LOGGER = LogManager.getLogger(ExampleFilePassiveScanRule.class);
- private List strings = null;
-
- @Override
- public void scanHttpRequestSend(HttpMessage msg, int id) {
- // Only checking the response for this example
- }
-
- @Override
- public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
- if (!Constant.isDevBuild()) {
- // Only run this example scan rule in dev mode
- // Uncomment locally if you want to see these alerts in non dev mode ;)
- return;
- }
- if (msg.getResponseBody().length() > 0 && msg.getResponseHeader().isText()) {
- String parameter;
- if ((parameter = doesResponseContainString(msg.getResponseBody())) != null) {
- this.createAlert(parameter).raise();
- }
- }
- }
-
- private AlertBuilder createAlert(String evidence) {
- return newAlert()
- .setRisk(Alert.RISK_LOW)
- .setConfidence(Alert.CONFIDENCE_MEDIUM)
- .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc"))
- .setOtherInfo(Constant.messages.getString(MESSAGE_PREFIX + "other"))
- .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln"))
- .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs"))
- .setEvidence(evidence)
- .setWascId(13);
- }
-
- @Override
- public List getExampleAlerts() {
- return List.of(createAlert("").build());
- }
-
- private String doesResponseContainString(HttpBody body) {
- if (this.strings == null) {
- this.strings = loadFile(examplePscanFile);
- }
- String sBody;
- if (Plugin.AlertThreshold.HIGH.equals(this.getAlertThreshold())) {
- // For a high threshold perform a case exact check
- sBody = body.toString();
- } else {
- // For all other thresholds perform a case ignore check
- sBody = body.toString().toLowerCase();
- }
-
- for (String str : this.strings) {
- if (!Plugin.AlertThreshold.HIGH.equals(this.getAlertThreshold())) {
- // Use case ignore unless a high threshold has been specified
- str = str.toLowerCase();
- }
- int start = sBody.indexOf(str);
- if (start >= 0) {
- // Return the original (case exact) string so we can match it in the response
- return body.toString().substring(start, start + str.length());
- }
- }
- return null;
- }
-
- private static List loadFile(String file) {
- /*
- * ZAP will have already extracted the file from the add-on and put it underneath the 'ZAP home' directory
- */
- List strings = new ArrayList<>();
- BufferedReader reader = null;
- File f = new File(Constant.getZapHome() + File.separator + file);
- if (!f.exists()) {
- LOGGER.error("No such file: {}", f.getAbsolutePath());
- return strings;
- }
- try {
- String line;
- reader = new BufferedReader(new FileReader(f));
- while ((line = reader.readLine()) != null) {
- if (!line.startsWith("#") && line.length() > 0) {
- strings.add(line);
- }
- }
- } catch (IOException e) {
- LOGGER.error(
- "Error on opening/reading example error file. Error: {}", e.getMessage(), e);
- } finally {
- if (reader != null) {
- try {
- reader.close();
- } catch (IOException e) {
- LOGGER.debug("Error on closing the file reader. Error: {}", e.getMessage(), e);
- }
- }
- }
- return strings;
- }
-
- @Override
- public int getPluginId() {
- /*
- * This should be unique across all active and passive rules.
- * The master list is https://github.com/zaproxy/zaproxy/blob/main/docs/scanners.md
- */
- return 60001;
- }
-
- @Override
- public String getName() {
- return Constant.messages.getString(MESSAGE_PREFIX + "name");
- }
-}
diff --git a/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/ExampleSimplePassiveScanRule.java b/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/ExampleSimplePassiveScanRule.java
deleted file mode 100644
index aecda1838e7..00000000000
--- a/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/ExampleSimplePassiveScanRule.java
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2014 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.zaproxy.zap.extension.pscanrulesAlpha;
-
-import java.util.List;
-import java.util.Random;
-import net.htmlparser.jericho.Source;
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
-import org.parosproxy.paros.Constant;
-import org.parosproxy.paros.core.scanner.Alert;
-import org.parosproxy.paros.network.HttpMessage;
-import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerabilities;
-import org.zaproxy.addon.commonlib.vulnerabilities.Vulnerability;
-import org.zaproxy.zap.extension.pscan.PluginPassiveScanner;
-
-/**
- * An example passive scan rule, for more details see
- * https://www.zaproxy.org/blog/2014-04-03-hacking-zap-3-passive-scan-rules/
- *
- * @author psiinon
- */
-public class ExampleSimplePassiveScanRule extends PluginPassiveScanner {
-
- // wasc_10 is Denial of Service - well, its just an example ;)
- private static final Vulnerability VULN = Vulnerabilities.getDefault().get("wasc_10");
- private static final Logger LOGGER = LogManager.getLogger(ExampleSimplePassiveScanRule.class);
-
- private Random rnd = new Random();
-
- @Override
- public void scanHttpRequestSend(HttpMessage msg, int id) {
- // You can also detect potential vulnerabilities here, with the same caveats as below.
- }
-
- @Override
- public int getPluginId() {
- /*
- * This should be unique across all active and passive rules.
- * The master list is https://github.com/zaproxy/zaproxy/blob/main/docs/scanners.md
- */
- return 60000;
- }
-
- @Override
- public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
- if (!Constant.isDevBuild()) {
- // Only run this example scan rule in dev mode
- // Uncomment locally if you want to see these alerts in non dev mode ;)
- return;
- }
- long start = System.currentTimeMillis();
-
- // This is where you detect potential vulnerabilities.
- // You can examine the msg or source but should not change anything
- // or make any requests to the server
-
- // For this example we're just going to raise the alert at random!
-
- if (rnd.nextInt(10) == 0) {
- createAlert().raise();
- }
-
- LOGGER.debug("\tScan of record {} took {} ms", id, System.currentTimeMillis() - start);
- }
-
- @Override
- public List getExampleAlerts() {
- return List.of(createAlert().build());
- }
-
- private AlertBuilder createAlert() {
- return newAlert()
- .setRisk(Alert.RISK_MEDIUM)
- .setConfidence(Alert.CONFIDENCE_MEDIUM)
- .setDescription(getDescription())
- .setSolution(getSolution())
- .setReference(getReference());
- }
-
- @Override
- public String getName() {
- // Strip off the "Example Passive Scan Rule: " part if implementing a real one ;)
- return "Example Passive Scan Rule: " + VULN.getName();
- }
-
- public String getDescription() {
- return VULN.getDescription();
- }
-
- public String getSolution() {
- return VULN.getSolution();
- }
-
- public String getReference() {
- return VULN.getReferencesAsString();
- }
-}
diff --git a/addOns/pscanrulesAlpha/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesAlpha/resources/help/contents/pscanalpha.html b/addOns/pscanrulesAlpha/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesAlpha/resources/help/contents/pscanalpha.html index 4567d8f9c67..af5cbfdae49 100644 --- a/addOns/pscanrulesAlpha/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesAlpha/resources/help/contents/pscanalpha.html +++ b/addOns/pscanrulesAlpha/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesAlpha/resources/help/contents/pscanalpha.html @@ -10,12 +10,6 @@

Passive Scan Rules - Alpha

The following alpha status passive scan rules are included in this add-on: -

An example passive scan rule which loads data from a file

-This implements an example passive scan rule that loads strings from a file that the user can edit.
-For more details see: Hacking ZAP Part 3: Passive Scan Rules. -

-Latest code: ExampleFilePassiveScanRule.java -

Base64 Disclosure

  • ASP.NET ViewState Disclosure: An ASP.NET ViewState was disclosed by the application/web server
  • @@ -27,12 +21,6 @@

    Base64 Disclosure

    Latest code: Base64Disclosure.java
    Alert ID: 10094. -

    Example Passive Scan Rule: Denial of Service

    -This implements a very simple example passive scan rule.
    -For more details see: Hacking ZAP Part 3: Passive Scan Rules. -

    -Latest code: ExampleSimplePassiveScanRule.java -

    Fetch Metadata Request Headers Scan Rule

    Fetch Metadata Request headers are HTTP request headers that provide additional information about a request's origin. This additional information helps the server to implement resource isolation policy, allowing external sites to request only diff --git a/addOns/pscanrulesAlpha/src/main/resources/org/zaproxy/zap/extension/pscanrulesAlpha/resources/Messages.properties b/addOns/pscanrulesAlpha/src/main/resources/org/zaproxy/zap/extension/pscanrulesAlpha/resources/Messages.properties index acd7e27812f..90c27a47548 100644 --- a/addOns/pscanrulesAlpha/src/main/resources/org/zaproxy/zap/extension/pscanrulesAlpha/resources/Messages.properties +++ b/addOns/pscanrulesAlpha/src/main/resources/org/zaproxy/zap/extension/pscanrulesAlpha/resources/Messages.properties @@ -13,12 +13,6 @@ pscanalpha.base64disclosure.viewstatewithoutmac.soln = Ensure that all ASP.NET V pscanalpha.desc = Alpha status passive scan rules. -pscanalpha.examplefile.desc = Add more information about the vulnerability here. -pscanalpha.examplefile.name = An example passive scan rule which loads data from a file. -pscanalpha.examplefile.other = This is for information that doesn't fit in any of the other sections. -pscanalpha.examplefile.refs = https://www.zaproxy.org/blog/2014-04-03-hacking-zap-3-passive-scan-rules/ -pscanalpha.examplefile.soln = A general description of how to solve the problem. - pscanalpha.fullpathdisclosurealert.desc = The full path of files which might be sensitive has been exposed to the client. pscanalpha.fullpathdisclosurealert.name = Full Path Disclosure pscanalpha.fullpathdisclosurealert.refs = https://owasp.org/www-community/attacks/Full_Path_Disclosure