diff --git a/addOns/pscanrules/CHANGELOG.md b/addOns/pscanrules/CHANGELOG.md
index 1eb5a8f6dcc..76756f6bed3 100644
--- a/addOns/pscanrules/CHANGELOG.md
+++ b/addOns/pscanrules/CHANGELOG.md
@@ -4,7 +4,11 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## Unreleased
+### Changed
+- Maintenance changes.
+### Fixed
+- Alert text for various rules has been updated to more consistently use periods and spaces in a uniform manner.
 ## [58] - 2024-05-07
 ### Changed
diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRule.java
index 5ba1ce1c758..7140919f5c5 100644
--- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRule.java
+++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRule.java
@@ -99,7 +99,6 @@ private AlertBuilder buildAlert(String url, String formElement, String evidence)
 .setDescription(getDescriptionMessage())
 .setOtherInfo(getExtraInfoMessage(url, formElement))
 .setSolution(getSolutionMessage())
- .setReference(getReferenceMessage())
 .setEvidence(evidence)
 .setCweId(319) // CWE-319: Cleartext Transmission of Sensitive Information
 .setWascId(15); // WASC-15: Application Misconfiguration
@@ -118,10 +117,6 @@ private String getSolutionMessage() {
 return Constant.messages.getString(MESSAGE_PREFIX + "soln");
 }
- private String getReferenceMessage() {
- return Constant.messages.getString(MESSAGE_PREFIX + "refs");
- }
-
 private static String getExtraInfoMessage(String url, String formElement) {
 return Constant.messages.getString(MESSAGE_PREFIX + "extrainfo", url, formElement);
 }
diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRule.java
index 784920814d3..995ebe573bf 100644
--- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRule.java
+++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRule.java
@@ -104,7 +104,6 @@ private AlertBuilder buildAlert(String url, String formElement, String evidence)
 .setDescription(getDescriptionMessage())
 .setOtherInfo(getExtraInfoMessage(url, formElement))
 .setSolution(getSolutionMessage())
- .setReference(getReferenceMessage())
 .setEvidence(evidence)
 .setCweId(319) // CWE-319: Cleartext Transmission of Sensitive Information
 .setWascId(15); // WASC-15: Application Misconfiguration
@@ -115,10 +114,6 @@ public int getPluginId() {
 return 10042;
 }
- /*
- * Rule-associated messages
- */
-
 private String getDescriptionMessage() {
 return Constant.messages.getString(MESSAGE_PREFIX + "desc");
 }
@@ -127,10 +122,6 @@ private String getSolutionMessage() {
 return Constant.messages.getString(MESSAGE_PREFIX + "soln");
 }
- private String getReferenceMessage() {
- return Constant.messages.getString(MESSAGE_PREFIX + "refs");
- }
-
 private static String getExtraInfoMessage(String url, String formElement) {
 return Constant.messages.getString(MESSAGE_PREFIX + "extrainfo", url, formElement);
 }
diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCharsetScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCharsetScanRule.java
index 8081bdff5f3..51e8531a6d8 100644
--- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCharsetScanRule.java
+++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCharsetScanRule.java
@@ -199,7 +199,6 @@ private AlertBuilder buildAlert(String tag, String attr, HtmlParameter param, St
 .setParam(param.getName())
 .setOtherInfo(getExtraInfoMessage(tag, attr, param, charset))
 .setSolution(getSolutionMessage())
- .setReference(getReferenceMessage())
 .setCweId(20) // CWE-20: Improper Input Validation
 .setWascId(20); // WASC-20: Improper Input Handling
 }
@@ -226,10 +225,6 @@ private String getSolutionMessage() {
 return Constant.messages.getString(MESSAGE_PREFIX + "soln");
 }
- private String getReferenceMessage() {
- return Constant.messages.getString(MESSAGE_PREFIX + "refs");
- }
-
 private static String getExtraInfoMessage(
 String tag, String attr, HtmlParameter param, String charset) {
 return Constant.messages.getString(
diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRule.java
index dd55777160c..be9a905b5b2 100644
--- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRule.java
+++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRule.java
@@ -69,7 +69,6 @@ private AlertBuilder createAlert(String evidence) {
 .setConfidence(Alert.CONFIDENCE_MEDIUM)
 .setDescription(getDescription())
 .setSolution(getSolution())
- .setReference(getReference())
 .setEvidence(evidence)
 .setCweId(200)
 .setWascId(13);
@@ -93,10 +92,6 @@ private String getSolution() {
 return Constant.messages.getString(MESSAGE_PREFIX + "soln");
 }
- private String getReference() {
- return Constant.messages.getString(MESSAGE_PREFIX + "refs");
- }
-
 @Override
 public Map getAlertTags() {
 return ALERT_TAGS;
diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages.properties
index 010f73f25e9..dc7d777031b 100644
--- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages.properties
+++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages.properties
@@ -1,12 +1,12 @@
 pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set.
 pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed
 pscanrules.anticlickjacking.compliance.malformed.setting.refs = https://tools.ietf.org/html/rfc7034#section-2.1
-pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.
+pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.
 pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034).
 pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec)
 pscanrules.anticlickjacking.compliance.meta.refs = https://tools.ietf.org/html/rfc7034#section-4
-pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk.
+pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.
+pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk.
 pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.
 pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header
 pscanrules.anticlickjacking.missing.refs = https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
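Review bot: The whitespace-only rewrite of `pscanrules.anticlickjacking.compliance.malformed.setting.soln` in this hunk carries over an unbalanced parenthesis: the clause opened at `(if you expect the page to be framed only by pages on your server` closes its inner `(e.g. it's part of a FRAMESET)` but never the outer one, so the solution text shown to the user trails off mid-parenthesis. Since the commit is already normalising punctuation in these messages, closing it here is in scope, e.g. `..., you should use DENY). Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.` The `meta.soln` and `incInCsp` lines in the same hunk are whitespace-only changes and read fine as written.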
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme
 pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}].
 pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}].
-pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed.
+pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured
 pscanrules.authenticationcredentialscaptured.refs = https://owasp.org/www-community/attacks/Brute_force_attack\nhttps://en.wikipedia.org/wiki/Digest_access_authentication
-pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken.
+pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken.
 pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.).
 pscanrules.bigredirects.extrainfo = Location header URI length: {0} [{1}].\nPredicted response size: {2}.\nResponse Body Length: {3}.
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https://owasp.org/www-community/HttpOnly
 pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies.
 pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent.
-pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was: \n{0}\n{1}
+pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was:\n{0}\n{1}
 pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n
 pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie
 pscanrules.cookielooselyscoped.refs = https://tools.ietf.org/html/rfc6265#section-4.1\nhttps://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies
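Review bot: The `pscanrules.cookielooselyscoped.desc` context line immediately above the changed `extrainfo` key still reads `domain scope.The domain scope`, with no space after the full stop; given that this commit's stated purpose is consistent periods and spaces in alert text, that line belongs in the same change. Suggest `This check is only concerned with domain scope. The domain scope applied to a cookie determines which domains can access it.` The rewritten `extrainfo` line itself (dropping the space before `\n`) is fine.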
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag
 pscanrules.cookiesecureflag.refs = https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html
 pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.
-pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server
+pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.
 pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.
 pscanrules.crossdomain.name = Cross-Domain Misconfiguration
 pscanrules.crossdomain.refs = https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https://www.w3.org/TR/CSP3/#unsafe-
 pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline
 pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline.
 pscanrules.csp.wildcard.name = Wildcard Directive
-pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined: \n{0}
+pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined:\n{0}
 pscanrules.csp.xcsp.name = X-Content-Security-Policy
 pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses.
 pscanrules.csp.xwkcsp.name = X-WebKit-CSP
 pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses.
-pscanrules.desc = Release status passive scan rules
+pscanrules.desc = Release status passive scan rules.
 pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information.
 pscanrules.directorybrowsing.extrainfo = Web server identified: {0}
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director
 pscanrules.hashdisclosure.desc = A hash was disclosed by the web server.
 pscanrules.hashdisclosure.name = Hash Disclosure
 pscanrules.hashdisclosure.refs = https://openwall.info/wiki/john/sample-hashes
-pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser.
+pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser.
-pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t
+pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.
 pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance.
 pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative)
 pscanrules.heartbleed.refs = https://nvd.nist.gov/vuln/detail/CVE-2014-0160
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c
 pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.
 pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure
 pscanrules.infoprivateaddressdisclosure.refs = https://tools.ietf.org/html/rfc1918
-pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.
+pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.
 pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages.
 pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive
 pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information.
 pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es).
 pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern: {0}\n{1}
-pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s)
+pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s).
 pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs.
 pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number:
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki
 pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network.
 pscanrules.insecureauthentication.name = Weak Authentication Method
 pscanrules.insecureauthentication.refs = https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
-pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism
+pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism.
 pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed.
 pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value:\n\n{0}\nThe context was:\n\n{1}
 pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post
-pscanrules.insecureformload.refs =
 pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms.
 pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not.
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value:\n\n{0}\nThe context was:\n\n{1}
 pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post
-pscanrules.insecureformpost.refs =
 pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels.
 pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections.
-pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure
+pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure.
 pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState
 pscanrules.insecurejsfviewstate.refs = https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt
-pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment
+pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment.
 pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page.
 pscanrules.linktarget.name = Reverse Tabnabbing
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content
 pscanrules.mixedcontent.name = Secure Pages Include Mixed Content
 pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts)
 pscanrules.mixedcontent.refs = https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html
-pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites.
+pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites.
 pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.
 pscanrules.modernapp.name = Modern Web Application
@@ -264,11 +262,11 @@ pscanrules.pii.issuer.field = Issuer:
 pscanrules.pii.name = PII Disclosure
 pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application.
-pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.
+pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.
 pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use.
 pscanrules.retrievedfromcache.name = Retrieved from Cache
 pscanrules.retrievedfromcache.refs = https://tools.ietf.org/html/rfc7234\nhttps://tools.ietf.org/html/rfc7231\nhttps://www.rfc-editor.org/rfc/rfc9110.html
-pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user:\nCache-Control: no-cache, no-store, must-revalidate, private\nPragma: no-cache\nExpires: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request.
+pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user:\nCache-Control: no-cache, no-store, must-revalidate, private\nPragma: no-cache\nExpires: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request.
 pscanrules.serverheader.rule.name = HTTP Server Response Header
@@ -283,7 +281,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v
 pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters.
 pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec)
 pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https://datatracker.ietf.org/doc/html/rfc6797
-pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content.
+pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content.
 pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).
 pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec)
 pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https://datatracker.ietf.org/doc/html/rfc6797#section-6.1
@@ -314,8 +312,8 @@ pscanrules.stricttransportsecurity.refs = https://cheatsheetseries.owasp.org/che
 pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header
 pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security.
-pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server
-pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to: {1}
+pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server.
+pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to: {1}.
 pscanrules.timestampdisclosure.name = Timestamp Disclosure
 pscanrules.timestampdisclosure.refs = https://cwe.mitre.org/data/definitions/200.html
 pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.
@@ -323,25 +321,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i
 pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page.
 pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was:\n{2}={3}\n\nThe charset value it controlled was:\n{4}
 pscanrules.usercontrolledcharset.name = User Controllable Charset
-pscanrules.usercontrolledcharset.refs = 
 pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used.
 pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug.
 pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at:\n\n{1}\n\nUser-input was found in the following cookie:\n{2}\n\nThe user input was:\n{3}={4}
-pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name=controlledValue;name=anotherValue;).\n\n
-pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example: https://nottrusted.com/page?value=maliciousInput.\n\n
+pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name=controlledValue;name=anotherValue;).\n\n
+pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example: https://nottrusted.com/page?value=maliciousInput.\n\n
 pscanrules.usercontrolledcookie.name = Cookie Poisoning
 pscanrules.usercontrolledcookie.refs = https://en.wikipedia.org/wiki/HTTP_cookie\nhttps://cwe.mitre.org/data/definitions/565.html
 pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters.
 pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability.
-pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL:\n\n{0}\n\nappears to include user input in: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was:\n{3}={4}\n\nThe user-controlled value was:\n{5}
+pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL:\n\n{0}\n\nappears to include user input in:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was:\n{3}={4}\n\nThe user-controlled value was:\n{5}
 pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS)
 pscanrules.usercontrolledhtmlattributes.refs = https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
 pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes.
 pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability.
-pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable: \n\nUser-input was found in the following data of an [{1}] event:\n{2}\n\nThe user input was:\n{3}
+pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable:\n\nUser-input was found in the following data of an [{1}] event:\n{2}\n\nThe user input was:\n{3}
 pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS)
 pscanrules.usercontrolledjavascriptevent.refs = https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
 pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events.
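Review bot: The new `usercontrolledhtmlattributes.extrainfo` line now separates `appears to include user input in:` from the tag line with a single `\n`, while the new `usercontrolledjavascriptevent.extrainfo` line in the same hunk keeps `\n\n` after `attacker-controllable:`; for the uniform spacing this commit is after, the two should agree, e.g. `appears to include user input in:\n\na(n) [{1}] tag [{2}] attribute`. Dropping a line break is also a content change rather than the trailing-space and period normalisation the rest of the hunk performs, so any unit test asserting on this extrainfo string needs the same treatment the CSP unit test gets in this commit. The empty `usercontrolledcharset.refs` key is deleted here; that is only safe if the rule's Java (changed outside this hunk) no longer looks the key up, otherwise the alert would carry a missing-resource marker or fail, depending on how Constant.messages treats absent keys.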
@@ -356,9 +353,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab
 pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused.
 pscanrules.usernameidor.name = Username Hash Found
-pscanrules.usernameidor.otherinfo = The hash was an {0}, with value: {1}
+pscanrules.usernameidor.otherinfo = The hash was an {0}, with value: {1}
 pscanrules.usernameidor.refs = https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html
-pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object.
+pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object.
 pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field:
 pscanrules.viewstate.content.email.name = Emails Found in the Viewstate
@@ -390,9 +387,7 @@ pscanrules.xaspnetversion.refs = https://www.troyhunt.com/shhh-dont-let-your-res
 pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers.
 pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems.
-pscanrules.xbackendserver.extrainfo = 
 pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak
-pscanrules.xbackendserver.refs = 
 pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers.
 pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find: server file system locations, vhost declarations, etc.
@@ -415,7 +410,6 @@ pscanrules.xdebugtoken.refs = https://symfony.com/doc/current/cookbook/profiler/
 pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.).
 pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.
-pscanrules.xpoweredbyheaderinfoleak.extrainfo = 
 pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
 pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found:\n
 pscanrules.xpoweredbyheaderinfoleak.refs = https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRuleUnitTest.java
index 159f2016ea4..e7dd549c311 100644
--- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRuleUnitTest.java
+++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRuleUnitTest.java
@@ -160,7 +160,7 @@ void shouldAlertWhenCspContainsSyntaxIssues() {
 alertsRaised.get(1).getOtherInfo(),
 equalTo(
 "The following directives either allow wildcard sources (or ancestors), are not "
- + "defined, or are overly broadly defined: \nscript-src, style-src, img-src, "
+ + "defined, or are overly broadly defined:\nscript-src, style-src, img-src, "
 + "connect-src, frame-src, frame-ancestors, font-src, media-src, object-src, "
 + "manifest-src, worker-src, form-action\n\nThe directive(s): "
 + "frame-ancestors, form-action are among the directives that do not fallback "
@@ -231,7 +231,7 @@ void shouldAlertOnWildcardFrameAncestorsDirective() {
 alertsRaised.get(0).getOtherInfo(),
 equalTo(
 "The following directives either allow wildcard sources (or ancestors), are not "
- + "defined, or are overly broadly defined: \nframe-ancestors"
+ + "defined, or are overly broadly defined:\nframe-ancestors"
 + "\n\nThe directive(s): frame-ancestors are among the directives that do not "
 + "fallback to default-src, missing/excluding them is the same as allowing anything."));
 assertThat(
@@ -258,7 +258,7 @@ void shouldAlertOnWildcardConnectSourceDirective() {
 alertsRaised.get(0).getOtherInfo(),
 equalTo(
 "The following directives either allow wildcard sources (or ancestors), are not "
- + "defined, or are overly broadly defined: \nconnect-src"));
+ + "defined, or are overly broadly defined:\nconnect-src"));
 assertThat(
 alertsRaised.get(0).getEvidence(),
 equalTo(
@@ -447,7 +447,7 @@ void shouldAlertWithWildcardDirectiveWhenApplicableAndIgnoreTrustedTypesInMeta()
 assertThat(
 alert.getOtherInfo(),
 equalTo(
- "The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined: \n"
+ "The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined:\n"
 + "form-action\n\nThe directive(s): form-action are among the directives that do not fallback to default-src, missing/excluding them is the same as allowing anything."));
 assertThat(alert.getEvidence(), equalTo(policy));
 assertThat(alert.getRisk(), equalTo(Alert.RISK_MEDIUM));
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRuleUnitTest.java
index aa56cdce8c2..b1333447b2a 100644
--- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRuleUnitTest.java
+++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRuleUnitTest.java
@@ -110,9 +110,6 @@ void shouldReturnExpectedExampleAlert() {
 Alert alert = alerts.get(0);
 assertThat(alert.getConfidence(), equalTo(Alert.CONFIDENCE_MEDIUM));
- assertThat( alert.getReference(), equalTo(Constant.messages.getString(MESSAGE_PREFIX + "refs")));
 assertThat(alert.getEvidence(), equalTo(HEADER_VALUE));
 assertThat(
 alert.getSolution(), equalTo(Constant.messages.getString(MESSAGE_PREFIX + "soln")));
diff --git a/addOns/pscanrulesAlpha/CHANGELOG.md b/addOns/pscanrulesAlpha/CHANGELOG.md
index 17574489abb..ba823773dc8 100644
--- a/addOns/pscanrulesAlpha/CHANGELOG.md
+++ b/addOns/pscanrulesAlpha/CHANGELOG.md
@@ -7,6 +7,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Changed
 - Update minimum ZAP version to 2.15.0.
+### Fixed
+- Alert text for various rules has been updated to more consistently use periods and spaces in a uniform manner.
+
 ## [42] - 2024-01-16
 ### Changed
 - Update minimum ZAP version to 2.14.0.
diff --git a/addOns/pscanrulesAlpha/src/main/resources/org/zaproxy/zap/extension/pscanrulesAlpha/resources/Messages.properties b/addOns/pscanrulesAlpha/src/main/resources/org/zaproxy/zap/extension/pscanrulesAlpha/resources/Messages.properties
index e46914b122e..3c0b833d00f 100644
--- a/addOns/pscanrulesAlpha/src/main/resources/org/zaproxy/zap/extension/pscanrulesAlpha/resources/Messages.properties
+++ b/addOns/pscanrulesAlpha/src/main/resources/org/zaproxy/zap/extension/pscanrulesAlpha/resources/Messages.properties
@@ -2,16 +2,16 @@ pscanalpha.base64disclosure.desc = Base64 encoded data was disclosed by the appl
 pscanalpha.base64disclosure.name = Base64 Disclosure
 pscanalpha.base64disclosure.refs = https://projects.webappsec.org/w/page/13246936/Information%20Leakage
 pscanalpha.base64disclosure.soln = Manually confirm that the Base64 data does not leak sensitive information, and that the data cannot be aggregated/used to exploit other vulnerabilities.
-pscanalpha.base64disclosure.viewstate.desc = An ASP.NET ViewState was disclosed by the application/web server
+pscanalpha.base64disclosure.viewstate.desc = An ASP.NET ViewState was disclosed by the application/web server.
 pscanalpha.base64disclosure.viewstate.name = ASP.NET ViewState Disclosure
 pscanalpha.base64disclosure.viewstate.refs = https://learn.microsoft.com/en-us/previous-versions/bb386448(v=vs.140)\nhttps://projects.webappsec.org/w/page/13246936/Information%20Leakage
 pscanalpha.base64disclosure.viewstate.soln = Manually confirm that the ASP.NET ViewState does not leak sensitive information, and that the data cannot be aggregated/used to exploit other vulnerabilities.
-pscanalpha.base64disclosure.viewstatewithoutmac.desc = The application does not use a Message Authentication Code (MAC) to protect the integrity of the ASP.NET ViewState, which can be tampered with by a malicious client
+pscanalpha.base64disclosure.viewstatewithoutmac.desc = The application does not use a Message Authentication Code (MAC) to protect the integrity of the ASP.NET ViewState, which can be tampered with by a malicious client.
 pscanalpha.base64disclosure.viewstatewithoutmac.name = ASP.NET ViewState Integrity
 pscanalpha.base64disclosure.viewstatewithoutmac.refs = https://learn.microsoft.com/en-us/previous-versions/bb386448(v=vs.140)\nhttps://www.jardinesoftware.net/2012/02/06/asp-net-tampering-with-event-validation-part-1/
 pscanalpha.base64disclosure.viewstatewithoutmac.soln = Ensure that all ASP.NET ViewStates are protected from tampering, by using a MAC, generated using a secure algorithm, and a secret key on the server side. This is the default configuration on modern ASP.NET installation, by may be over-ridden programmatically, or via the ASP.NET configuration.
-pscanalpha.desc = Alpha status passive scan rules
+pscanalpha.desc = Alpha status passive scan rules.
 pscanalpha.examplefile.desc = Add more information about the vulnerability here.
 pscanalpha.examplefile.name = An example passive scan rule which loads data from a file.
diff --git a/addOns/pscanrulesBeta/CHANGELOG.md b/addOns/pscanrulesBeta/CHANGELOG.md
index f73cc8835f5..df9f71aa9fb 100644
--- a/addOns/pscanrulesBeta/CHANGELOG.md
+++ b/addOns/pscanrulesBeta/CHANGELOG.md
@@ -9,6 +9,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Changed
 - Update minimum ZAP version to 2.15.0.
+- Maintenance changes.
+
+### Fixed
+- Alert text for various rules has been updated to more consistently use periods and spaces in a uniform manner.
 ## [37] - 2024-02-12
diff --git a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java
index 6ca45079f0d..dc357fb94df 100644
--- a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java
+++ b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java
@@ -760,8 +760,6 @@ private AlertBuilder alertStorableNonCacheable(String evidence) {
 .setName(Constant.messages.getString(MESSAGE_PREFIX_STORABLE_NONCACHEABLE + "name"))
 .setDescription(
 Constant.messages.getString(MESSAGE_PREFIX_STORABLE_NONCACHEABLE + "desc"))
- .setSolution(
- Constant.messages.getString(MESSAGE_PREFIX_STORABLE_NONCACHEABLE + "soln"))
 .setReference(
 Constant.messages.getString(MESSAGE_PREFIX_STORABLE_NONCACHEABLE + "refs"));
 }
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages.properties
index 41b8acd1d2a..5436716c4ff 100644
--- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages.properties
+++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages.properties
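Review bot: With `.setSolution(...)` removed, the storable-but-non-cacheable alert is built with no solution text at all, so whatever AlertBuilder's default is (not visible here, presumably null or empty) is what reaches reports and the API for this alert, while the rule's other two alerts still carry a `.soln` message. If the intent is that nothing needs doing, an explicit one-liner keeps the three alerts uniform, which is what this commit is about, e.g. `.setSolution("No action is required; cached copies are revalidated upstream before being reused.")` backed by a properties key rather than a literal. If CacheableScanRuleUnitTest asserts `getSolution()` for this alert, it needs the same update the XBackendServer unit test receives in this commit. alertStorableNonCacheable's signature lies before the hunk.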
@@ -16,17 +16,17 @@ pscanbeta.jso.name = Java Serialization Object
 pscanbeta.jso.refs = https://www.oracle.com/java/technologies/javase/seccodeguide.html#8
 pscanbeta.jso.soln = Deserialization of untrusted data is inherently dangerous and should be avoided.
-pscanbeta.name = Passive Scan Rules - beta
+pscanbeta.name = Passive Scan Rules - beta.
 pscanbeta.nonstorable.desc = The response contents are not storable by caching components such as proxy servers. If the response does not contain sensitive, personal or user-specific information, it may benefit from being stored and cached, to improve performance.
 pscanbeta.nonstorable.name = Non-Storable Content
 pscanbeta.nonstorable.refs = https://datatracker.ietf.org/doc/html/rfc7234\nhttps://datatracker.ietf.org/doc/html/rfc7231\nhttps://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
-pscanbeta.nonstorable.soln = The content may be marked as storable by ensuring that the following conditions are satisfied:\nThe request method must be understood by the cache and defined as being cacheable ("GET", "HEAD", and "POST" are currently defined as cacheable)\nThe response status code must be understood by the cache (one of the 1XX, 2XX, 3XX, 4XX, or 5XX response classes are generally understood)\nThe "no-store" cache directive must not appear in the request or response header fields\nFor caching by "shared" caches such as "proxy" caches, the "private" response directive must not appear in the response\nFor caching by "shared" caches such as "proxy" caches, the "Authorization" header field must not appear in the request, unless the response explicitly allows it (using one of the "must-revalidate", "public", or "s-maxage" Cache-Control response directives)\nIn addition to the conditions above, at least one of the following conditions must also be satisfied by the response:\nIt must contain an "Expires" header field\nIt must contain a "max-age" response directive\nFor "shared" caches such as "proxy" caches, it must contain a "s-maxage" response directive\nIt must contain a "Cache Control Extension" that allows it to be cached\nIt must have a status code that is defined as cacheable by default (200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501).
+pscanbeta.nonstorable.soln = The content may be marked as storable by ensuring that the following conditions are satisfied:\nThe request method must be understood by the cache and defined as being cacheable ("GET", "HEAD", and "POST" are currently defined as cacheable)\nThe response status code must be understood by the cache (one of the 1XX, 2XX, 3XX, 4XX, or 5XX response classes are generally understood)\nThe "no-store" cache directive must not appear in the request or response header fields\nFor caching by "shared" caches such as "proxy" caches, the "private" response directive must not appear in the response\nFor caching by "shared" caches such as "proxy" caches, the "Authorization" header field must not appear in the request, unless the response explicitly allows it (using one of the "must-revalidate", "public", or "s-maxage" Cache-Control response directives)\nIn addition to the conditions above, at least one of the following conditions must also be satisfied by the response:\nIt must contain an "Expires" header field\nIt must contain a "max-age" response directive\nFor "shared" caches such as "proxy" caches, it must contain a "s-maxage" response directive\nIt must contain a "Cache Control Extension" that allows it to be cached\nIt must have a status code that is defined as cacheable by default (200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501).
 pscanbeta.payloader.desc = Provides support for custom payloads in scan rules.
 pscanbeta.payloader.name = Passive Scan Rules Beta Custom Payloads
-pscanbeta.permissionspolicymissing.deprecated.desc = The header has now been renamed to Permissions-Policy.
+pscanbeta.permissionspolicymissing.deprecated.desc = The header has now been renamed to Permissions-Policy.
 pscanbeta.permissionspolicymissing.deprecated.name = Deprecated Feature Policy Header Set
 pscanbeta.permissionspolicymissing.deprecated.refs = https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
 pscanbeta.permissionspolicymissing.deprecated.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header instead of the Feature-Policy header.
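Review bot: `pscanbeta.name = Passive Scan Rules - beta.` gains a trailing period, but by its key this looks like the add-on or extension display name rather than alert text, and none of the other `*.name` keys in this hunk (`pscanbeta.nonstorable.name`, `pscanbeta.payloader.name`, `pscanbeta.permissionspolicymissing.deprecated.name`) carry one; the Alpha counterpart in this commit only touched `pscanalpha.desc`. Unless this key really is a description, keep `pscanbeta.name = Passive Scan Rules - beta`. As far as the collapsed text shows, the `nonstorable.soln` and `permissionspolicymissing.deprecated.desc` rewrites in this hunk are whitespace-only.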
@@ -60,12 +60,12 @@ pscanbeta.site-isolation.corp.refs = https://developer.mozilla.org/en-US/docs/We
 pscanbeta.site-isolation.corp.soln = Ensure that the application/web server sets the Cross-Origin-Resource-Policy header appropriately, and that it sets the Cross-Origin-Resource-Policy header to 'same-origin' for all web pages.\n'same-site' is considered as less secured and should be avoided.\nIf resources must be shared, set the header to 'cross-origin'.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Resource-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-resource-policy).
 pscanbeta.site-isolation.name = Insufficient Site Isolation Against Spectre Vulnerability
-pscanbeta.sourcecodedisclosure.desc = Application Source Code was disclosed by the web server
+pscanbeta.sourcecodedisclosure.desc = Application Source Code was disclosed by the web server.
 pscanbeta.sourcecodedisclosure.name = Source Code Disclosure
 pscanbeta.sourcecodedisclosure.refs = https://www.wsj.com/articles/BL-CIOB-2999
-pscanbeta.sourcecodedisclosure.soln = Ensure that application Source Code is not available with alternative extensions, and ensure that source code is not present within other files or data deployed to the web server, or served by the web server.
+pscanbeta.sourcecodedisclosure.soln = Ensure that application Source Code is not available with alternative extensions, and ensure that source code is not present within other files or data deployed to the web server, or served by the web server.
-pscanbeta.sri-integrity.desc = The integrity attribute is missing on a script or link tag served by an external server. The integrity tag prevents an attacker who have gained access to this server from injecting a malicious content.
+pscanbeta.sri-integrity.desc = The integrity attribute is missing on a script or link tag served by an external server. The integrity tag prevents an attacker who have gained access to this server from injecting a malicious content.
 pscanbeta.sri-integrity.name = Sub Resource Integrity Attribute Missing
 pscanbeta.sri-integrity.otherinfo = The following hash was calculated (using base64 encoding of the output of the hash algorithm: SHA-384) for the script in question {0}
 pscanbeta.sri-integrity.refs = https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
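Review bot: `pscanbeta.sri-integrity.desc` is being rewritten here, so its second sentence should be corrected at the same time: `The integrity attribute prevents an attacker who has gained access to this server from injecting malicious content.` (subject/verb agreement, `attribute` to match the first sentence, no article before `content`). The `sourcecodedisclosure` lines in the same hunk appear to be period and whitespace normalisation only, as far as the collapsed text shows.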
@@ -73,14 +73,13 @@ pscanbeta.sri-integrity.soln = Provide a valid integrity attribute to the tag.
 pscanbeta.storabilitycacheability.name = Content Cacheability
-pscanbeta.storablecacheable.desc = The response contents are storable by caching components such as proxy servers, and may be retrieved directly from the cache, rather than from the origin server by the caching servers, in response to similar requests from other users. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where "shared" caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.
+pscanbeta.storablecacheable.desc = The response contents are storable by caching components such as proxy servers, and may be retrieved directly from the cache, rather than from the origin server by the caching servers, in response to similar requests from other users. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where "shared" caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.
 pscanbeta.storablecacheable.name = Storable and Cacheable Content
 pscanbeta.storablecacheable.otherinfo.liberallifetimeheuristic = In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
 pscanbeta.storablecacheable.otherinfo.staleretrievenotblocked = The response is stale, and stale responses are not configured to be re-validated or blocked, using the 'must-revalidate', 'proxy-revalidate', 's-maxage', or 'max-age' response 'Cache-Control' directives.
 pscanbeta.storablecacheable.refs = https://datatracker.ietf.org/doc/html/rfc7234\nhttps://datatracker.ietf.org/doc/html/rfc7231\nhttps://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
-pscanbeta.storablecacheable.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user:\nCache-Control: no-cache, no-store, must-revalidate, private\nPragma: no-cache\nExpires: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request.
+pscanbeta.storablecacheable.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user:\nCache-Control: no-cache, no-store, must-revalidate, private\nPragma: no-cache\nExpires: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request.
-pscanbeta.storablenoncacheable.desc = The response contents are storable by caching components such as proxy servers, but will not be retrieved directly from the cache, without validating the request upstream, in response to similar requests from other users.
+pscanbeta.storablenoncacheable.desc = The response contents are storable by caching components such as proxy servers, but will not be retrieved directly from the cache, without validating the request upstream, in response to similar requests from other users.
 pscanbeta.storablenoncacheable.name = Storable but Non-Cacheable Content
 pscanbeta.storablenoncacheable.refs = https://datatracker.ietf.org/doc/html/rfc7234\nhttps://datatracker.ietf.org/doc/html/rfc7231\nhttps://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
-pscanbeta.storablenoncacheable.soln =