zaproxy/zaproxy

New common getExampleAlerts() method

Open

#6,119 opened on Aug 13, 2020

View on GitHub
 (34 comments) (0 reactions) (0 assignees)Java (2,174 forks)batch import
Component-DocsHacktoberFestIdealFirstBugUsabilityadd-onbacklogenhancementgood first issuetracker

Repository metrics

Stars
 (11,922 stars)
PR merge metrics
 (Avg merge 2d 14h) (12 merged PRs in 30d)

Description

This is for all scan rules - active, passive, http, websocket, future ones :) The method is proposed to be a 'defacto standard' for now: List<Alert> getExampleAlerts()

It will be accessed by the generate_alert_pages.js script using introspection. This script generates the https://www.zaproxy.org/docs/alerts/ pages.

At the moment the script can only cope with one alert per add-on, while many addons generate several.

Ease of maintenance is key - this new method should call any suitable existing methods - if they don't exist the new ones could be created.

Release & beta rules with little to no info which should implement this new method asap:

The plan is to only expose the information currently on the alert pages, so URLs can be https://www.example.com

Any new generic text created for these alerts should be i18n'd

State ID Name Class
PR#4242 0 Directory Browsing DirectoryBrowsingScanRule
PR#4242 2 Private IP Disclosure InfoPrivateAddressDisclosureScanRule
PR#4242 3 Session ID in URL Rewrite InfoSessionIdUrlScanRule
6 Path Traversal PathTraversalScanRule
7 Remote File Inclusion RemoteFileIncludeScanRule
PR#4567 41 Source Code Disclosure - Git SourceCodeDisclosureGitScanRule
✅ zaproxy/zap-extensions#5205 42 Source Code Disclosure - SVN SourceCodeDisclosureSvnScanRule
PR#4702 43 Source Code Disclosure - File Inclusion SourceCodeDisclosureFileInclusionScanRule
✅ zaproxy/zap-extensions#4540 10009 In Page Banner Information Leak InPageBannerInfoLeakScanRule
10010 Cookie No HttpOnly Flag CookieHttpOnlyScanRule
10011 Cookie Without Secure Flag CookieSecureFlagScanRule
PR#4706 10015 Re-examine Cache-control Directives CacheControlScanRule
✅ zaproxy/zap-extensions#4547 10017 Cross-Domain JavaScript Source File Inclusion CrossDomainScriptInclusionScanRule
✅ zaproxy/zap-extensions#5186 10019 Content-Type Header Missing ContentTypeMissingScanRule
10020 Anti-clickjacking Header AntiClickjackingScanRule
✅ zaproxy/zap-extensions#5186 10021 X-Content-Type-Options Header Missing XContentTypeOptionsScanRule
✅ zaproxy/zap-extensions#5205 10023 Information Disclosure - Debug Error Messages InformationDisclosureDebugErrorsScanRule
✅ zaproxy/zap-extensions#5205 10024 Information Disclosure - Sensitive Information in URL InformationDisclosureInUrlScanRule
✅ zaproxy/zap-extensions#5205 10025 Information Disclosure - Sensitive Information in HTTP Referrer Header InformationDisclosureReferrerScanRule
✅ zaproxy/zap-extensions#4540 10026 HTTP Parameter Override ServletParameterPollutionScanRule
✅ zaproxy/zap-extensions#4640 10027 Information Disclosure - Suspicious Comments InformationDisclosureSuspiciousCommentsScanRule
✅ zaproxy/zap-extensions#5205 10028 Open Redirect UserControlledOpenRedirectScanRule
✅ zaproxy/zap-extensions#5205 10029 Cookie Poisoning UserControlledCookieScanRule
✅ zaproxy/zap-extensions#5205 10030 User Controllable Charset UserControlledCharsetScanRule
✅ zaproxy/zap-extensions#5205 10031 User Controllable HTML Element Attribute (Potential XSS) UserControlledHTMLAttributesScanRule
10032 Viewstate ViewstateScanRule
✅ zaproxy/zap-extensions#4537 10033 Directory Browsing DirectoryBrowsingScanRule
✅ zaproxy/zap-extensions#5205 10034 Heartbleed OpenSSL Vulnerability (Indicative) HeartBleedScanRule
✅ zaproxy/zap-extensions#5205 10035 Strict-Transport-Security Header StrictTransportSecurityScanRule
PR#4097 10036 HTTP Server Response Header ServerHeaderInfoLeakScanRule
✅ zaproxy/zap-extensions#5205 10037 Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) XPoweredByHeaderInfoLeakScanRule
PR#4338 10038 Content Security Policy (CSP) Header Not Set ContentSecurityPolicyMissingScanRule
PR#4677 10039 X-Backend-Server Header Information Leak XBackendServerInformationLeakScanRule
✅ zaproxy/zap-extensions#5220 10040 Secure Pages Include Mixed Content MixedContentScanRule
✅ zaproxy/zap-extensions#5220 10041 HTTP to HTTPS Insecure Transition in Form Post InsecureFormLoadScanRule
✅ zaproxy/zap-extensions#5220 10042 HTTPS to HTTP Insecure Transition in Form Post InsecureFormPostScanRule
✅ zaproxy/zap-extensions#5220 10043 User Controllable JavaScript Event (XSS) UserControlledJavascriptEventScanRule
PR#5153 10044 Big Redirect Detected (Potential Sensitive Information Leak) BigRedirectsScanRule
✅ zaproxy/zap-extensions#5220 10045 Source Code Disclosure - /WEB-INF folder SourceCodeDisclosureWebInfScanRule
✅ zaproxy/zap-extensions#5220 10047 HTTPS Content Available via HTTP HttpsAsHttpScanRule
✅ zaproxy/zap-extensions#5242 10048 Remote Code Execution - Shell Shock ShellShockScanRule
PR#4097 10049 Content Cacheability CacheableScanRule
✅ zaproxy/zap-extensions#5242 10050 Retrieved from Cache RetrievedFromCacheScanRule
✅ zaproxy/zap-extensions#5329 10051 Relative Path Confusion - AB RelativePathConfusionScanRule
PR#4705 10052 X-ChromeLogger-Data (XCOLD) Header Information Leak XChromeLoggerDataInfoLeakScanRule
✅ zaproxy/zap-extensions#5220 10054 Cookie without SameSite Attribute CookieSameSiteScanRule
10055 CSP ContentSecurityPolicyScanRule
✅ zaproxy/zap-extensions#5220 10056 X-Debug-Token Information Leak XDebugTokenScanRule
10057 Username Hash Found UsernameIdorScanRule
✅ zaproxy/zap-extensions#5181 10058 GET for POST GetForPostScanRule
PR#4625 10061 X-AspNet-Version Response Header XAspNetVersionScanRule
10062 PII Disclosure PiiScanRule
10063 Permissions Policy Header Not Set PermissionsPolicyScanRule
✅ zaproxy/zap-extensions#4502 10094 Base64 Disclosure Base64Disclosure
✅ zaproxy/zap-extensions#5251 10095 Backup File Disclosure BackupFileDisclosureScanRule
✅ zaproxy/zap-extensions#5251 10096 Timestamp Disclosure TimestampDisclosureScanRule
✅ zaproxy/zap-extensions#5251 10097 Hash Disclosure HashDisclosureScanRule
✅ zaproxy/zap-extensions#5251 10098 Cross-Domain Misconfiguration CrossDomainMisconfigurationScanRule
✅ zaproxy/zap-extensions#4502 10099 Source Code Disclosure SourceCodeDisclosureScanRule
PR#4839 10101 Access Control Issue - Improper Authentication AccessControlAlertsProcessor
PR#4839 10102 Access Control Issue - Improper Authorization AccessControlAlertsProcessor
10104 User Agent Fuzzer UserAgentScanRule
✅ zaproxy/zap-extensions#5261 10105 Weak Authentication Method - P InsecureAuthenticationScanRule
PR#4752 10106 HTTP Only Site HttpOnlySiteScanRule
✅ zaproxy/zap-extensions#5291 10107 Httpoxy - Proxy Header Misuse - AB HttPoxyScanRule
✅ zaproxy/zap-extensions#5261 10108 Reverse Tabnabbing - P LinkTargetScanRule
✅ zaproxy/zap-extensions#5261 10109 Modern Web Application - P ModernAppDetectionScanRule
10110 Dangerous JS Functions JsFunctionScanRule
✅ zaproxy/zap-extensions#5261 10202 Absence of Anti-CSRF Tokens - P CsrfCountermeasuresScanRule
✅ zaproxy/zap-extensions#5291 20012 Anti-CSRF Tokens Check - AB CsrfTokenScanRule
✅ zaproxy/zap-extensions#5291 20014 HTTP Parameter Pollution - AB HttpParameterPollutionScanRule
✅ zaproxy/zap-extensions#5181 20015 Heartbleed OpenSSL Vulnerability HeartBleedActiveScanRule
✅ zaproxy/zap-extensions#5291 20016 Cross-Domain Misconfiguration - AB CrossDomainScanRule
✅ zaproxy/zap-extensions#5335 20017 Source Code Disclosure - CVE-2012-1823 - A SourceCodeDisclosureCve20121823ScanRule
✅ zaproxy/zap-extensions#5335 20018 Remote Code Execution - CVE-2012-1823 - A RemoteCodeExecutionCve20121823ScanRule
20019 External Redirect ExternalRedirectScanRule
30001 Buffer Overflow BufferOverflowScanRule
PR#4623 30002 Format String Error FormatStringScanRule
✅ zaproxy/zap-extensions#5329 30003 Integer Overflow Error - AB IntegerOverflowScanRule
✅ zaproxy/zap-extensions#5181 40003 CRLF Injection CrlfInjectionScanRule
PR#4624 40008 Parameter Tampering ParameterTamperScanRule
✅ zaproxy/zap-extensions#5335 40009 Server Side Include - A ServerSideIncludeScanRule
✅ zaproxy/zap-extensions#5335 40012 Cross Site Scripting (Reflected) - A CrossSiteScriptingScanRule
PR#7059 40013 Session Fixation - AB SessionFixationScanRule
PR#5660 40014 Cross Site Scripting (Persistent) - A PersistentXssScanRule
PR#7288 40015 LDAP Injection - AA LdapInjectionScanRule
🚫 N/A 40016 Cross Site Scripting (Persistent) - Prime - A PersistentXssPrimeScanRule
🚫 N/A 40017 Cross Site Scripting (Persistent) - Spider - A PersistentXssSpiderScanRule
40018 SQL Injection - A SqlInjectionScanRule
✅ zaproxy/zap-extensions#7279 40019 SQL Injection - MySQL - A SqlInjectionMySqlScanRule
✅ zaproxy/zap-extensions#7279 40020 SQL Injection - Hypersonic SQL - A SqlInjectionHypersonicScanRule
✅ zaproxy/zap-extensions#7279 40021 SQL Injection - Oracle - A SqlInjectionOracleScanRule
✅ zaproxy/zap-extensions#7279 40022 SQL Injection - PostgreSQL - A SqlInjectionPostgreScanRule
PR#7249 40023 Possible Username Enumeration - AB UsernameEnumerationScanRule
PR#7224 40024 SQL Injection - SQLite - A SqlInjectionSqLiteScanRule
✅ zaproxy/zaproxu#7310 40025 Proxy Disclosure - AB ProxyDisclosureScanRule
✅ zaproxy/zap-extensions#7279 40027 SQL Injection - MsSQL - A SqlInjectionMsSqlScanRule
✅ zaproxy/zap-extensions#5181 40028 ELMAH Information Leak ElmahScanRule
✅ zaproxy/zap-extensions#5181 40029 Trace.axd Information Leak TraceAxdScanRule
✅ zaproxy/zap-extensions#5181 40032 .htaccess Information Leak HtAccessScanRule
40033 NoSQL Injection - MongoDB - AA MongoDbInjectionScanRule
✅ zaproxy/zap-extensions#5181 40034 .env Information Leak EnvFileScanRule
40035 Hidden File Finder HiddenFilesScanRule
40038 Bypassing 403 ForbiddenBypassScanRule
PR#6809 40039 Web Cache Deception - AA WebCacheDeceptionScanRule
40040 CORS Header CorsScanRule
PR#5661 40042 Spring Actuator Information Leak - A SpringActuatorScanRule
40043 Log4Shell Log4ShellScanRule
40044 Exponential Entity Expansion (Billion Laughs Attack) ExponentialEntityExpansionScanRule
40045 Spring4Shell Spring4ShellScanRule
PR#5688 90001 Insecure JSF ViewState - P InsecureJsfViewStatePassiveScanRule
✅ zaproxy/zap-extensions#4540 90002 Java Serialization Object JsoScanRule
✅ zaproxy/zap-extensions#4540 90003 Sub Resource Integrity Attribute Missing SubResourceIntegrityAttributeScanRule
✅ zaproxy/zap-extensions#4502 90004 Insufficient Site Isolation Against Spectre Vulnerability SiteIsolationScanRule
✅ zaproxy/zap-extensions#6544 90011 Charset Mismatch - P CharsetMismatchScanRule
✅ zaproxy/zap-extensions#5706 90017 XSLT Injection - A XsltInjectionScanRule
90019 Server Side Code Injection CodeInjectionScanRule
✅ zaproxy/zap-extensions#5181 90020 Remote OS Command Injection CommandInjectionScanRule
✅ zaproxy/zap-extensions#5706 90021 XPath Injection - A XpathInjectionScanRule
90022 Application Error Disclosure ApplicationErrorScanRule
✅ zaproxy/zap-extensions#5760 90023 XML External Entity Attack - A XxeScanRule
✅ zaproxy/zap-extensions#5181 90024 Generic Padding Oracle PaddingOracleScanRule
✅ zaproxy/zap-extensions#5626 90025 Expression Language Injection - AB ExpressionLanguageInjectionScanRule
✅ zaproxy/zap-extensions#5626 90027 Cookie Slack Detector - AB SlackerCookieScanRule
PR#6871 90028 Insecure HTTP Method - AB InsecureHttpMethodScanRule
PR#4825 90033 Loosely Scoped Cookie CookieLooselyScopedScanRule
90034 Cloud Metadata Potentially Exposed CloudMetadataScanRule
✅ zaproxy/zap-extensions#5499 90035 Server Side Template Injection - A SstiScanRule
✅ zaproxy/zap-extensions#5499 90036 Server Side Template Injection (Blind) - A SstiBlindScanRule

Contributor guide