

Merge pull request #5526 from kingthorin/pscan-oi
pscanrules (all): Various alert text fixes (periods and whitespace(s))
psiinon authored Jun 27, 2024
2 parents 5e8dcd4 + 3b3dc76 commit 999929d
Showing 13 changed files with 55 additions and 80 deletions.
4 changes: 4 additions & 0 deletions addOns/pscanrules/CHANGELOG.md
Expand Up @@ -4,7 +4,11 @@ All notable changes to this add-on will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased
### Changed
- Maintenance changes.

### Fixed
- Alert text for various rules has been updated to more consistently use periods and spaces in a uniform manner.

## [58] - 2024-05-07
### Changed
Expand Up @@ -99,7 +99,6 @@ private AlertBuilder buildAlert(String url, String formElement, String evidence)
.setDescription(getDescriptionMessage())
.setOtherInfo(getExtraInfoMessage(url, formElement))
.setSolution(getSolutionMessage())
.setReference(getReferenceMessage())
.setEvidence(evidence)
.setCweId(319) // CWE-319: Cleartext Transmission of Sensitive Information
.setWascId(15); // WASC-15: Application Misconfiguration
Expand All @@ -118,10 +117,6 @@ private String getSolutionMessage() {
return Constant.messages.getString(MESSAGE_PREFIX + "soln");
}

private String getReferenceMessage() {
return Constant.messages.getString(MESSAGE_PREFIX + "refs");
}

private static String getExtraInfoMessage(String url, String formElement) {
return Constant.messages.getString(MESSAGE_PREFIX + "extrainfo", url, formElement);
}
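Review bot: With `.setReference(getReferenceMessage())` removed, nothing on the new side of buildAlert populates the alert's reference field, and the same removal appears in the next three Java file sections (the second buildAlert, the charset-mismatch buildAlert and createAlert). Presumably the reference is now supplied by the base scanner or the `refs` key was dropped from the properties file, but that diff is not rendered on this page, so it is worth confirming; if the key survives it is now an orphaned string, and if nothing supplies the reference the alert silently loses its links. If the reference is meant to come from elsewhere, a one-line comment on the builder chain such as `// reference is populated by the base scanner, not set here` would make that explicit. buildAlert's signature is before the hunk.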
Expand Up @@ -104,7 +104,6 @@ private AlertBuilder buildAlert(String url, String formElement, String evidence)
.setDescription(getDescriptionMessage())
.setOtherInfo(getExtraInfoMessage(url, formElement))
.setSolution(getSolutionMessage())
.setReference(getReferenceMessage())
.setEvidence(evidence)
.setCweId(319) // CWE-319: Cleartext Transmission of Sensitive Information
.setWascId(15); // WASC-15: Application Misconfiguration
Expand All @@ -115,10 +114,6 @@ public int getPluginId() {
return 10042;
}

/*
* Rule-associated messages
*/

private String getDescriptionMessage() {
return Constant.messages.getString(MESSAGE_PREFIX + "desc");
}
Expand All @@ -127,10 +122,6 @@ private String getSolutionMessage() {
return Constant.messages.getString(MESSAGE_PREFIX + "soln");
}

private String getReferenceMessage() {
return Constant.messages.getString(MESSAGE_PREFIX + "refs");
}

private static String getExtraInfoMessage(String url, String formElement) {
return Constant.messages.getString(MESSAGE_PREFIX + "extrainfo", url, formElement);
}
Expand Up @@ -199,7 +199,6 @@ private AlertBuilder buildAlert(String tag, String attr, HtmlParameter param, St
.setParam(param.getName())
.setOtherInfo(getExtraInfoMessage(tag, attr, param, charset))
.setSolution(getSolutionMessage())
.setReference(getReferenceMessage())
.setCweId(20) // CWE-20: Improper Input Validation
.setWascId(20); // WASC-20: Improper Input Handling
}
Expand All @@ -226,10 +225,6 @@ private String getSolutionMessage() {
return Constant.messages.getString(MESSAGE_PREFIX + "soln");
}

private String getReferenceMessage() {
return Constant.messages.getString(MESSAGE_PREFIX + "refs");
}

private static String getExtraInfoMessage(
String tag, String attr, HtmlParameter param, String charset) {
return Constant.messages.getString(
Expand Up @@ -69,7 +69,6 @@ private AlertBuilder createAlert(String evidence) {
.setConfidence(Alert.CONFIDENCE_MEDIUM)
.setDescription(getDescription())
.setSolution(getSolution())
.setReference(getReference())
.setEvidence(evidence)
.setCweId(200)
.setWascId(13);
Expand All @@ -93,10 +92,6 @@ private String getSolution() {
return Constant.messages.getString(MESSAGE_PREFIX + "soln");
}

private String getReference() {
return Constant.messages.getString(MESSAGE_PREFIX + "refs");
}

@Override
public Map<String, String> getAlertTags() {
return ALERT_TAGS;
Expand Up @@ -160,7 +160,7 @@ void shouldAlertWhenCspContainsSyntaxIssues() {
alertsRaised.get(1).getOtherInfo(),
equalTo(
"The following directives either allow wildcard sources (or ancestors), are not "
+ "defined, or are overly broadly defined: \nscript-src, style-src, img-src, "
+ "defined, or are overly broadly defined:\nscript-src, style-src, img-src, "
+ "connect-src, frame-src, frame-ancestors, font-src, media-src, object-src, "
+ "manifest-src, worker-src, form-action\n\nThe directive(s): "
+ "frame-ancestors, form-action are among the directives that do not fallback "
Expand Down Expand Up @@ -231,7 +231,7 @@ void shouldAlertOnWildcardFrameAncestorsDirective() {
alertsRaised.get(0).getOtherInfo(),
equalTo(
"The following directives either allow wildcard sources (or ancestors), are not "
+ "defined, or are overly broadly defined: \nframe-ancestors"
+ "defined, or are overly broadly defined:\nframe-ancestors"
+ "\n\nThe directive(s): frame-ancestors are among the directives that do not "
+ "fallback to default-src, missing/excluding them is the same as allowing anything."));
assertThat(
Expand All @@ -258,7 +258,7 @@ void shouldAlertOnWildcardConnectSourceDirective() {
alertsRaised.get(0).getOtherInfo(),
equalTo(
"The following directives either allow wildcard sources (or ancestors), are not "
+ "defined, or are overly broadly defined: \nconnect-src"));
+ "defined, or are overly broadly defined:\nconnect-src"));
assertThat(
alertsRaised.get(0).getEvidence(),
equalTo(
Expand Down Expand Up @@ -447,7 +447,7 @@ void shouldAlertWithWildcardDirectiveWhenApplicableAndIgnoreTrustedTypesInMeta()
assertThat(
alert.getOtherInfo(),
equalTo(
"The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined: \n"
"The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined:\n"
+ "form-action\n\nThe directive(s): form-action are among the directives that do not fallback to default-src, missing/excluding them is the same as allowing anything."));
assertThat(alert.getEvidence(), equalTo(policy));
assertThat(alert.getRisk(), equalTo(Alert.RISK_MEDIUM));
Expand Up @@ -110,9 +110,6 @@ void shouldReturnExpectedExampleAlert() {

Alert alert = alerts.get(0);
assertThat(alert.getConfidence(), equalTo(Alert.CONFIDENCE_MEDIUM));
assertThat(
alert.getReference(),
equalTo(Constant.messages.getString(MESSAGE_PREFIX + "refs")));
assertThat(alert.getEvidence(), equalTo(HEADER_VALUE));
assertThat(
alert.getSolution(), equalTo(Constant.messages.getString(MESSAGE_PREFIX + "soln")));
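Review bot: Deleting the `alert.getReference()` assertion weakens shouldReturnExpectedExampleAlert instead of updating it, so a rule that ends up with an empty reference would no longer be caught. If the rule now sources its reference elsewhere, the test should pin that value, e.g. `assertThat(alert.getReference(), equalTo(<expected reference>));`, and if the reference is intentionally empty an assertion to that effect keeps the behaviour visible. The test method starts before the hunk.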
3 changes: 3 additions & 0 deletions addOns/pscanrulesAlpha/CHANGELOG.md
Expand Up @@ -7,6 +7,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
### Changed
- Update minimum ZAP version to 2.15.0.

### Fixed
- Alert text for various rules has been updated to more consistently use periods and spaces in a uniform manner.

## [42] - 2024-01-16
### Changed
- Update minimum ZAP version to 2.14.0.
Expand Up @@ -2,16 +2,16 @@ pscanalpha.base64disclosure.desc = Base64 encoded data was disclosed by the appl
pscanalpha.base64disclosure.name = Base64 Disclosure
pscanalpha.base64disclosure.refs = https://projects.webappsec.org/w/page/13246936/Information%20Leakage
pscanalpha.base64disclosure.soln = Manually confirm that the Base64 data does not leak sensitive information, and that the data cannot be aggregated/used to exploit other vulnerabilities.
pscanalpha.base64disclosure.viewstate.desc = An ASP.NET ViewState was disclosed by the application/web server
pscanalpha.base64disclosure.viewstate.desc = An ASP.NET ViewState was disclosed by the application/web server.
pscanalpha.base64disclosure.viewstate.name = ASP.NET ViewState Disclosure
pscanalpha.base64disclosure.viewstate.refs = https://learn.microsoft.com/en-us/previous-versions/bb386448(v=vs.140)\nhttps://projects.webappsec.org/w/page/13246936/Information%20Leakage
pscanalpha.base64disclosure.viewstate.soln = Manually confirm that the ASP.NET ViewState does not leak sensitive information, and that the data cannot be aggregated/used to exploit other vulnerabilities.
pscanalpha.base64disclosure.viewstatewithoutmac.desc = The application does not use a Message Authentication Code (MAC) to protect the integrity of the ASP.NET ViewState, which can be tampered with by a malicious client
pscanalpha.base64disclosure.viewstatewithoutmac.desc = The application does not use a Message Authentication Code (MAC) to protect the integrity of the ASP.NET ViewState, which can be tampered with by a malicious client.
pscanalpha.base64disclosure.viewstatewithoutmac.name = ASP.NET ViewState Integrity
pscanalpha.base64disclosure.viewstatewithoutmac.refs = https://learn.microsoft.com/en-us/previous-versions/bb386448(v=vs.140)\nhttps://www.jardinesoftware.net/2012/02/06/asp-net-tampering-with-event-validation-part-1/
pscanalpha.base64disclosure.viewstatewithoutmac.soln = Ensure that all ASP.NET ViewStates are protected from tampering, by using a MAC, generated using a secure algorithm, and a secret key on the server side. This is the default configuration on modern ASP.NET installation, by may be over-ridden programmatically, or via the ASP.NET configuration.

pscanalpha.desc = Alpha status passive scan rules
pscanalpha.desc = Alpha status passive scan rules.

pscanalpha.examplefile.desc = Add more information about the vulnerability here.
pscanalpha.examplefile.name = An example passive scan rule which loads data from a file.
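Review bot: The unchanged context line for `pscanalpha.base64disclosure.viewstatewithoutmac.soln` still reads "This is the default configuration on modern ASP.NET installation, by may be over-ridden programmatically", which is exactly the kind of alert-text defect this commit is fixing: "by may" should be "but may", "installation" should be plural, and "over-ridden" is normally written as one word. Suggested ending for that line: `This is the default configuration on modern ASP.NET installations, but may be overridden programmatically, or via the ASP.NET configuration.`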
4 changes: 4 additions & 0 deletions addOns/pscanrulesBeta/CHANGELOG.md
Expand Up @@ -9,6 +9,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

### Changed
- Update minimum ZAP version to 2.15.0.
- Maintenance changes.

### Fixed
- Alert text for various rules has been updated to more consistently use periods and spaces in a uniform manner.

## [37] - 2024-02-12

Expand Up @@ -760,8 +760,6 @@ private AlertBuilder alertStorableNonCacheable(String evidence) {
.setName(Constant.messages.getString(MESSAGE_PREFIX_STORABLE_NONCACHEABLE + "name"))
.setDescription(
Constant.messages.getString(MESSAGE_PREFIX_STORABLE_NONCACHEABLE + "desc"))
.setSolution(
Constant.messages.getString(MESSAGE_PREFIX_STORABLE_NONCACHEABLE + "soln"))
.setReference(
Constant.messages.getString(MESSAGE_PREFIX_STORABLE_NONCACHEABLE + "refs"));
}
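Review bot: The removed `.setSolution(...)` leaves alertStorableNonCacheable with no solution set while its reference is still set, which differs from the other builder chains in this commit where the reference rather than the solution was dropped. Unless the builder supplies a default or the `soln` key for MESSAGE_PREFIX_STORABLE_NONCACHEABLE was removed from the properties file in the unrendered part of this commit, the alert now renders with an empty solution and the key becomes orphaned. If the omission is deliberate, a comment such as `// informational alert: no solution text is presented` on the chain would record that intent. alertStorableNonCacheable's signature is before the hunk.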
