ascanrules: More example alerts

- Scan Rules > Added example alert handling.
- Unit Tests > Added tests for the example alerts and references.
- CHANGELOG > Added change note.

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

addOns/ascanrules/CHANGELOG.md

@@ -7,6 +7,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Changed
 - Maintenance changes.
 - The Spring Actuator Scan Rule now includes example alert functionality for documentation generation purposes (Issue 6119).
+- The following scan rules now include example alert functionality for documentation generation purposes (Issue 6119).
+ - XSLT Injection
+ - XPath Injection
 
 ## [67] - 2024-07-22
 

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XpathInjectionScanRule.java

@@ -20,6 +20,7 @@
 package org.zaproxy.zap.extension.ascanrules;
 
 import java.io.IOException;
+import java.util.List;
 import java.util.Map;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -199,13 +200,7 @@ public void scan(HttpMessage msg, String paramName, String value) {
  paramName,
  evilPayload);
 
- newAlert()
- .setConfidence(Alert.CONFIDENCE_HIGH)
- .setParam(paramName)
- .setAttack(evilPayload)
- .setEvidence(errorString)
- .setMessage(msg)
- .raise();
+ createAlert(paramName, evilPayload, errorString).setMessage(msg).raise();
 
  // All done. No need to look for vulnerabilities on subsequent
  // parameters on the same request (to reduce performance impact)
@@ -232,4 +227,17 @@ public void scan(HttpMessage msg, String paramName, String value) {
  }
  }
  }
+
+ private AlertBuilder createAlert(String param, String payload, String evidence) {
+ return newAlert()
+ .setConfidence(Alert.CONFIDENCE_HIGH)
+ .setParam(param)
+ .setAttack(payload)
+ .setEvidence(evidence);
+ }
+
+ @Override
+ public List<Alert> getExampleAlerts() {
+ return List.of(createAlert("foo", XPATH_PAYLOADS[0], XPATH_ERRORS[0]).build());
+ }
 }

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XsltInjectionScanRule.java

@@ -22,6 +22,7 @@
 import java.io.IOException;
 import java.util.Arrays;
 import java.util.EnumMap;
+import java.util.List;
 import java.util.Map;
 import java.util.function.Predicate;
 import org.apache.commons.httpclient.URIException;
@@ -184,12 +185,9 @@ private boolean tryInjection(String param, XSLTInjectionType checkType) {
  }
 
  if (raiseAlert) {
- raiseAlert(
- msg,
- param,
- payload,
- evidence,
- checkType.getResourceIdentifier());
+ createAlert(param, payload, evidence, checkType.getResourceIdentifier())
+ .setMessage(msg)
+ .raise();
  return true;
  }
  }
@@ -242,20 +240,14 @@ private static String getOtherInfo(String resourceIdentifier, String param) {
  MESSAGE_PREFIX + resourceIdentifier + ".otherinfo", param);
  }
 
- private void raiseAlert(
- HttpMessage msg,
- String param,
- String attack,
- String evidence,
- String resourceIdentifier) {
- newAlert()
+ private AlertBuilder createAlert(
+ String param, String attack, String evidence, String resourceIdentifier) {
+ return newAlert()
  .setConfidence(Alert.CONFIDENCE_MEDIUM)
  .setParam(param)
  .setAttack(attack)
  .setOtherInfo(getOtherInfo(resourceIdentifier, evidence))
- .setEvidence(evidence)
- .setMessage(msg)
- .raise();
+ .setEvidence(evidence);
  }
 
  @Override
@@ -307,4 +299,15 @@ public Map<String, String> getAlertTags() {
  public int getRisk() {
  return Alert.RISK_MEDIUM;
  }
+
+ @Override
+ public List<Alert> getExampleAlerts() {
+ return List.of(
+ createAlert(
+ "foo",
+ XSLTInjectionType.ERROR.getPayloads(null)[0],
+ XSLTInjectionType.ERROR.getEvidences()[1],
+ XSLTInjectionType.ERROR.getResourceIdentifier())
+ .build());
+ }
 }

addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XpathInjectionScanRuleUnitTest.java

@@ -21,10 +21,13 @@
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.Matchers.is;
 
+import java.util.List;
 import java.util.Map;
 import org.junit.jupiter.api.Test;
+import org.parosproxy.paros.core.scanner.Alert;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
 
 class XpathInjectionScanRuleUnitTest extends ActiveScannerTest<XpathInjectionScanRule> {
@@ -63,4 +66,21 @@ void shouldReturnExpectedMappings() {
  tags.get(CommonAlertTag.WSTG_V42_INPV_09_XPATH.getTag()),
  is(equalTo(CommonAlertTag.WSTG_V42_INPV_09_XPATH.getValue())));
  }
+
+ @Test
+ void shouldHaveExpectedExampleAlert() {
+ // Given / When
+ List<Alert> alerts = rule.getExampleAlerts();
+ // Then
+ assertThat(alerts, hasSize(1));
+ Alert alert = alerts.get(0);
+ assertThat(alert.getConfidence(), is(equalTo(Alert.CONFIDENCE_HIGH)));
+ assertThat(alert.getAlertRef(), is(equalTo("90021")));
+ }
+
+ @Test
+ @Override
+ public void shouldHaveValidReferences() {
+ super.shouldHaveValidReferences();
+ }
 }

addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XsltInjectionScanRuleUnitTest.java

@@ -25,6 +25,7 @@
 import static org.hamcrest.Matchers.is;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
+import java.util.List;
 import java.util.Map;
 import org.junit.jupiter.api.Test;
 import org.parosproxy.paros.core.scanner.Alert;
@@ -163,4 +164,21 @@ void shouldReturnExpectedMappings() {
  tags.get(CommonAlertTag.OWASP_2017_A01_INJECTION.getTag()),
  is(equalTo(CommonAlertTag.OWASP_2017_A01_INJECTION.getValue())));
  }
+
+ @Test
+ void shouldHaveExpectedExampleAlert() {
+ // Given / When
+ List<Alert> alerts = rule.getExampleAlerts();
+ // Then
+ assertThat(alerts, hasSize(1));
+ Alert alert = alerts.get(0);
+ assertThat(alert.getConfidence(), is(equalTo(Alert.CONFIDENCE_MEDIUM)));
+ assertThat(alert.getAlertRef(), is(equalTo("90017")));
+ }
+
+ @Test
+ @Override
+ public void shouldHaveValidReferences() {
+ super.shouldHaveValidReferences();
+ }
 }