ascanrulesBeta: Address possible FP in proxy detection rule #5718
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kingthorin
force-pushed
the
prxy-xfwd
branch
2 times, most recently
from
e0c29af
to
44b000e
Compare
thc202
reviewed
Sep 9, 2024
...ulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java
Outdated
Show resolved
Hide resolved
kingthorin
force-pushed
the
prxy-xfwd
branch
from
44b000e
to
b491554
Compare
|
Tweaked |
thc202
reviewed
Sep 9, 2024
...ulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java
Outdated
Show resolved
Hide resolved
...ain/javahelp/org/zaproxy/zap/extension/ascanrulesBeta/resources/help/contents/ascanbeta.html
Outdated
Show resolved
Hide resolved
Comment on lines
75
to
76
| "X-Forwarded-For: 76.69.54.171", "X-Forwarded-For: 127.0.0.1", | ||
| "X-Forwarded-Host: api.test.glaypen.garnercorp.com", "X-Forwarded-Port: 443", |
There was a problem hiding this comment.
Better remove public IPs and domains, there are also headers being tested that wouldn't raise an alert anyway. It's missing Via (for completeness). Also, would be good that the server behaviour did raise an alert if it wasn't for the evidence being already present.
There was a problem hiding this comment.
The test is still not testing the expected code.
There was a problem hiding this comment.
Sorry I glossed over your second point about the served content. Will adjust.
There was a problem hiding this comment.
I do plan to work through this, but it's gonna take a bit longer to get the nano handler setup for all the pre-checks.
.../src/test/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRuleUnitTest.java
Outdated
Show resolved
Hide resolved
kingthorin
force-pushed
the
prxy-xfwd
branch
2 times, most recently
from
824b5df
to
f62d8fa
Compare
|
Got all those I think. |
thc202
reviewed
Sep 10, 2024
...ulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java
Show resolved
Hide resolved
kingthorin
force-pushed
the
prxy-xfwd
branch
from
f62d8fa
to
ed90ba4
Compare
kingthorin
added
the
waiting-for:pr-author
- CHANGELOG > Added change note. - ProxyDisclosureScanRule > Added condition to skip messages if they have evidence content to start with. Removed misleading Attack text from the Alert. - ProxyDisclosureScanRuleUnitTest > Added a test to assert the new behavior. Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>
kingthorin
force-pushed
the
prxy-xfwd
branch
from
ed90ba4
to
e4cf659
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
Related Issues
Fixes zaproxy/zaproxy#8556
Checklist
./gradlew spotlessApplyfor code formatting