From e0f41581afa1c7999946ab54635c13b92bbf322f Mon Sep 17 00:00:00 2001 From: kingthorin Date: Tue, 17 Dec 2024 06:22:39 -0500 Subject: [PATCH] various: Add TEST_TIMING alert tag Update: CHANGELOGs, scan rules, unittests. Signed-off-by: kingthorin --- addOns/ascanrules/CHANGELOG.md | 1 + .../ascanrules/CommandInjectionScanRule.java | 35 ++++++++++++++++--- .../SqlInjectionHypersonicScanRule.java | 3 +- .../ascanrules/SqlInjectionMsSqlScanRule.java | 3 +- .../ascanrules/SqlInjectionMySqlScanRule.java | 3 +- .../SqlInjectionOracleScanRule.java | 3 +- .../SqlInjectionPostgreScanRule.java | 3 +- .../SqlInjectionSqLiteScanRule.java | 3 +- .../ascanrules/SstiBlindScanRule.java | 3 +- .../CommandInjectionScanRuleUnitTest.java | 5 ++- ...qlInjectionHypersonicScanRuleUnitTest.java | 3 +- .../SqlInjectionMsSqlScanRuleUnitTest.java | 3 +- .../SqlInjectionMySqlScanRuleUnitTest.java | 3 +- .../SqlInjectionOracleScanRuleUnitTest.java | 3 +- .../SqlInjectionPostgreScanRuleUnitTest.java | 3 +- .../SqlInjectionSQLiteScanRuleUnitTest.java | 3 +- .../ascanrules/SstiBlindScanRuleUnitTest.java | 3 +- addOns/ascanrulesBeta/CHANGELOG.md | 1 + .../ascanrulesBeta/ShellShockScanRule.java | 3 +- .../ShellShockScanRuleUnitTest.java | 3 +- addOns/sqliplugin/CHANGELOG.md | 1 + .../sqliplugin/SQLInjectionScanRule.java | 3 +- 22 files changed, 71 insertions(+), 23 deletions(-) diff --git a/addOns/ascanrules/CHANGELOG.md b/addOns/ascanrules/CHANGELOG.md index 69b63a9ad52..c8a92ee3902 100644 --- a/addOns/ascanrules/CHANGELOG.md +++ b/addOns/ascanrules/CHANGELOG.md 
@@ -13,6 +13,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - Add the `OUT_OF_BAND` alert tag to the following scan rules: - Server Side Template Injection (Blind) - XML External Entity Attack +- Scan rules which execute time based attacks now include the "TEST_TIMING" alert tag. ### Fixed - A situation where the Server-Side Template Injection (SSTI) scan rule might result in false positives related to the Go payloads (Issue 8622). diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java index 0896ba48d4d..7f85e8396bd 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java @@ -98,7 +98,8 @@ public class CommandInjectionScanRule extends AbstractAppParamPlugin CommonAlertTag.toMap( CommonAlertTag.OWASP_2021_A03_INJECTION, CommonAlertTag.OWASP_2017_A01_INJECTION, - CommonAlertTag.WSTG_V42_INPV_12_COMMAND_INJ)); + CommonAlertTag.WSTG_V42_INPV_12_COMMAND_INJ, + CommonAlertTag.TEST_TIMING)); alertTags.put(PolicyTag.API.getTag(), ""); alertTags.put(PolicyTag.DEV_CICD.getTag(), ""); alertTags.put(PolicyTag.DEV_STD.getTag(), ""); @@ -367,6 +368,15 @@ public Map getAlertTags() { return ALERT_TAGS; } + private Map getNeededAlertTags(TestType type) { + Map alertTags = new HashMap<>(); + alertTags.putAll(getAlertTags()); + if (TestType.FEEDBACK.equals(type)) { + alertTags.remove(CommonAlertTag.TEST_TIMING.getTag()); + } + return alertTags; + } + @Override public int getCweId() { return 78; 
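Review bot: `getNeededAlertTags` in CommandInjectionScanRule strips TEST_TIMING only when the type is FEEDBACK, so a null `type`, or any TestType other than the two visible in this patch, would still be labelled as a timing test. The tag records how a finding was detected, so it is safer to key the condition on the timing case: `if (!TestType.TIME.equals(type)) { alertTags.remove(CommonAlertTag.TEST_TIMING.getTag()); }`. The copy can also be written as one statement, `new HashMap<>(getAlertTags())`. A short Javadoc would help too, saying that the method returns a per-alert copy while `getAlertTags()` still reports TEST_TIMING for the rule as a whole.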
@@ -584,7 +594,14 @@ private boolean testCommandInjection( paramValue); String otherInfo = getOtherInfo(TestType.FEEDBACK, paramValue); - buildAlert(paramName, paramValue, matcher.group(), otherInfo, msg).raise(); + buildAlert( + paramName, + paramValue, + matcher.group(), + otherInfo, + TestType.FEEDBACK, + msg) + .raise(); // All done. No need to look for vulnerabilities on subsequent // payloads on the same request (to reduce performance impact) @@ -670,7 +687,8 @@ private boolean testCommandInjection( String otherInfo = getOtherInfo(TestType.TIME, paramValue); // just attach this alert to the last sent message - buildAlert(paramName, paramValue, "", otherInfo, message.get()).raise(); + buildAlert(paramName, paramValue, "", otherInfo, TestType.TIME, message.get()) + .raise(); // All done. No need to look for vulnerabilities on subsequent // payloads on the same request (to reduce performance impact) @@ -719,14 +737,20 @@ private static String insertUninitVar(String cmd) { } private AlertBuilder buildAlert( - String param, String attack, String evidence, String otherInfo, HttpMessage msg) { + String param, + String attack, + String evidence, + String otherInfo, + TestType type, + HttpMessage msg) { return newAlert() .setConfidence(Alert.CONFIDENCE_MEDIUM) .setParam(param) .setAttack(attack) .setEvidence(evidence) .setMessage(msg) - .setOtherInfo(otherInfo); + .setOtherInfo(otherInfo) + .setTags(getNeededAlertTags(type)); } @Override @@ -737,6 +761,7 @@ public List getExampleAlerts() { "a;cat /etc/passwd ", "root:x:0:0", getOtherInfo(TestType.FEEDBACK, "a;cat /etc/passwd "), + TestType.FEEDBACK, null) .build()); } diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRule.java index 2b4bffa24b9..b808d3f3535 100644 
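Review bot: `getExampleAlerts` in CommandInjectionScanRule still builds only a FEEDBACK example, so the example alerts never show the TEST_TIMING tag this commit adds to the rule. If the example alerts feed the published alert documentation (not visible here), a second entry built from one of the rule's existing time-based payloads would cover it, along the lines of `buildAlert(param, attack, "", getOtherInfo(TestType.TIME, attack), TestType.TIME, null).build()`. The body of `getExampleAlerts` starts and ends outside the hunk, so the collection it returns and any test that counts its entries would need checking.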
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRule.java @@ -199,7 +199,8 @@ public class SqlInjectionHypersonicScanRule extends AbstractAppParamPlugin CommonAlertTag.toMap( CommonAlertTag.OWASP_2021_A03_INJECTION, CommonAlertTag.OWASP_2017_A01_INJECTION, - CommonAlertTag.WSTG_V42_INPV_05_SQLI)); + CommonAlertTag.WSTG_V42_INPV_05_SQLI, + CommonAlertTag.TEST_TIMING)); alertTags.put(PolicyTag.DEV_FULL.getTag(), ""); alertTags.put(PolicyTag.QA_STD.getTag(), ""); alertTags.put(PolicyTag.QA_FULL.getTag(), ""); diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRule.java index f1e1b494265..594767042a9 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRule.java @@ -144,7 +144,8 @@ public class SqlInjectionMsSqlScanRule extends AbstractAppParamPlugin CommonAlertTag.toMap( CommonAlertTag.OWASP_2021_A03_INJECTION, CommonAlertTag.OWASP_2017_A01_INJECTION, - CommonAlertTag.WSTG_V42_INPV_05_SQLI)); + CommonAlertTag.WSTG_V42_INPV_05_SQLI, + CommonAlertTag.TEST_TIMING)); alertTags.put(PolicyTag.DEV_FULL.getTag(), ""); alertTags.put(PolicyTag.QA_STD.getTag(), ""); alertTags.put(PolicyTag.QA_FULL.getTag(), ""); diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java index 16a96d8dc1d..a74f1319858 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java 
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java @@ -218,7 +218,8 @@ public class SqlInjectionMySqlScanRule extends AbstractAppParamPlugin CommonAlertTag.toMap( CommonAlertTag.OWASP_2021_A03_INJECTION, CommonAlertTag.OWASP_2017_A01_INJECTION, - CommonAlertTag.WSTG_V42_INPV_05_SQLI)); + CommonAlertTag.WSTG_V42_INPV_05_SQLI, + CommonAlertTag.TEST_TIMING)); alertTags.put(PolicyTag.DEV_FULL.getTag(), ""); alertTags.put(PolicyTag.QA_STD.getTag(), ""); alertTags.put(PolicyTag.QA_FULL.getTag(), ""); diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRule.java index cc93ea4f28f..29bb581eb37 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRule.java @@ -154,7 +154,8 @@ public class SqlInjectionOracleScanRule extends AbstractAppParamPlugin CommonAlertTag.toMap( CommonAlertTag.OWASP_2021_A03_INJECTION, CommonAlertTag.OWASP_2017_A01_INJECTION, - CommonAlertTag.WSTG_V42_INPV_05_SQLI)); + CommonAlertTag.WSTG_V42_INPV_05_SQLI, + CommonAlertTag.TEST_TIMING)); alertTags.put(PolicyTag.DEV_FULL.getTag(), ""); alertTags.put(PolicyTag.QA_STD.getTag(), ""); alertTags.put(PolicyTag.QA_FULL.getTag(), ""); diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRule.java index 415d5e2ab77..422886c9a05 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRule.java 
@@ -196,7 +196,8 @@ public class SqlInjectionPostgreScanRule extends AbstractAppParamPlugin CommonAlertTag.toMap( CommonAlertTag.OWASP_2021_A03_INJECTION, CommonAlertTag.OWASP_2017_A01_INJECTION, - CommonAlertTag.WSTG_V42_INPV_05_SQLI)); + CommonAlertTag.WSTG_V42_INPV_05_SQLI, + CommonAlertTag.TEST_TIMING)); alertTags.put(PolicyTag.DEV_FULL.getTag(), ""); alertTags.put(PolicyTag.QA_STD.getTag(), ""); alertTags.put(PolicyTag.QA_FULL.getTag(), ""); diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSqLiteScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSqLiteScanRule.java index 1f0fa2f9648..9caadbe975a 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSqLiteScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSqLiteScanRule.java @@ -221,7 +221,8 @@ public class SqlInjectionSqLiteScanRule extends AbstractAppParamPlugin CommonAlertTag.toMap( CommonAlertTag.OWASP_2021_A03_INJECTION, CommonAlertTag.OWASP_2017_A01_INJECTION, - CommonAlertTag.WSTG_V42_INPV_05_SQLI)); + CommonAlertTag.WSTG_V42_INPV_05_SQLI, + CommonAlertTag.TEST_TIMING)); alertTags.put(PolicyTag.QA_FULL.getTag(), ""); ALERT_TAGS = Collections.unmodifiableMap(alertTags); } diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRule.java index 65593f21ae7..e636cbca77e 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRule.java 
@@ -61,7 +61,8 @@ public class SstiBlindScanRule extends AbstractAppParamPlugin implements CommonA CommonAlertTag.toMap( CommonAlertTag.OWASP_2021_A03_INJECTION, CommonAlertTag.OWASP_2017_A01_INJECTION, - CommonAlertTag.WSTG_V42_INPV_18_SSTI)); + CommonAlertTag.WSTG_V42_INPV_18_SSTI, + CommonAlertTag.TEST_TIMING)); alertTags.put(ExtensionOast.OAST_ALERT_TAG_KEY, ExtensionOast.OAST_ALERT_TAG_VALUE); alertTags.put(PolicyTag.API.getTag(), ""); alertTags.put(PolicyTag.DEV_FULL.getTag(), ""); diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRuleUnitTest.java index 611f17e31b5..c2d70cc6ee6 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRuleUnitTest.java @@ -23,6 +23,7 @@ import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.hasKey; import static org.hamcrest.Matchers.hasSize; import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.not; @@ -95,7 +96,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(78))); assertThat(wasc, is(equalTo(31))); - assertThat(tags.size(), is(equalTo(10))); + assertThat(tags.size(), is(equalTo(11))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); 
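Review bot: Adding TEST_TIMING to the static tag map in SstiBlindScanRule puts it on every alert the rule raises. The next line of the same initializer adds the OAST tag, which suggests the rule also has an out-of-band detection path that does not rely on timing. CommandInjectionScanRule in this commit filters the tag per alert through `getNeededAlertTags(TestType)`. If this rule raises alerts from more than one technique, the non-timing path could set a copy of the map with `alertTags.remove(CommonAlertTag.TEST_TIMING.getTag());` applied. The same question applies to the ShellShockScanRule and sqliplugin SQLInjectionScanRule hunks; in all three the alert-raising code lies outside the visible hunks, so this needs confirming against the full files.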
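Review bot: In CommandInjectionScanRuleUnitTest's `shouldReturnExpectedMappings`, only the expected size changes from 10 to 11. Unlike the SQL injection, SSTI and Shell Shock tests in this patch, the visible hunks add no assertion that names the new tag, so the test would still pass if a different eleventh tag were present. Adding `assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true)));` next to the existing containsKey checks would pin it. The rest of the test method is outside the hunk.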
@@ -378,6 +379,8 @@ void shouldHaveExpectedExampleAlert() { "The scan rule was able to retrieve the content of a file or " + "command by sending [a;cat /etc/passwd ] to the operating " + "system running this application."))); + Map tags = alert.getTags(); + assertThat(tags, not(hasKey(CommonAlertTag.TEST_TIMING.getTag()))); } private static class PayloadCollectorHandler extends NanoServerHandler { diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRuleUnitTest.java index 80d1cfd829f..ce0de90c1bb 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRuleUnitTest.java @@ -155,7 +155,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(89))); assertThat(wasc, is(equalTo(19))); - assertThat(tags.size(), is(equalTo(7))); + assertThat(tags.size(), is(equalTo(8))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); @@ -168,6 +168,7 @@ void shouldReturnExpectedMappings() { assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true))); assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue()))); 
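Review bot: `shouldHaveExpectedExampleAlert` in CommandInjectionScanRuleUnitTest now checks that a FEEDBACK alert lacks TEST_TIMING, but nothing visible in this patch asserts the opposite case, that an alert raised from the TestType.TIME branch of `testCommandInjection` carries the tag. Without that, a regression that drops the tag from timing alerts would go unnoticed, because `getAlertTags()` would still report it at rule level. If a time-based detection test for this rule exists outside these hunks, it could add `assertThat(alert.getTags(), hasKey(CommonAlertTag.TEST_TIMING.getTag()));` on the raised alert.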
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRuleUnitTest.java index 3ca0ac36de6..3085ee3143a 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRuleUnitTest.java @@ -150,7 +150,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(89))); assertThat(wasc, is(equalTo(19))); - assertThat(tags.size(), is(equalTo(7))); + assertThat(tags.size(), is(equalTo(8))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); @@ -163,6 +163,7 @@ void shouldReturnExpectedMappings() { assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true))); assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue()))); diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRuleUnitTest.java index 1d8dd0fe8da..a80ff903843 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRuleUnitTest.java 
@@ -149,7 +149,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(89))); assertThat(wasc, is(equalTo(19))); - assertThat(tags.size(), is(equalTo(7))); + assertThat(tags.size(), is(equalTo(8))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); @@ -162,6 +162,7 @@ void shouldReturnExpectedMappings() { assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true))); assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue()))); diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRuleUnitTest.java index d5a9103e241..92f8752a9f1 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRuleUnitTest.java @@ -145,7 +145,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(89))); assertThat(wasc, is(equalTo(19))); - assertThat(tags.size(), is(equalTo(7))); + assertThat(tags.size(), is(equalTo(8))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); 
@@ -158,6 +158,7 @@ void shouldReturnExpectedMappings() { assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true))); assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue()))); diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRuleUnitTest.java index f893bc46bc0..2f55672218c 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRuleUnitTest.java @@ -158,7 +158,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(89))); assertThat(wasc, is(equalTo(19))); - assertThat(tags.size(), is(equalTo(7))); + assertThat(tags.size(), is(equalTo(8))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); @@ -171,6 +171,7 @@ void shouldReturnExpectedMappings() { assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true))); assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue()))); 
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSQLiteScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSQLiteScanRuleUnitTest.java index a25ec55d3f5..6f6cae9f889 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSQLiteScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSQLiteScanRuleUnitTest.java @@ -197,7 +197,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(89))); assertThat(wasc, is(equalTo(19))); - assertThat(tags.size(), is(equalTo(4))); + assertThat(tags.size(), is(equalTo(5))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); @@ -207,6 +207,7 @@ void shouldReturnExpectedMappings() { assertThat( tags.containsKey(CommonAlertTag.WSTG_V42_INPV_05_SQLI.getTag()), is(equalTo(true))); assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue()))); diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRuleUnitTest.java index bb684afc5f5..78d709eaae1 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRuleUnitTest.java 
@@ -143,7 +143,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(1336))); assertThat(wasc, is(equalTo(20))); - assertThat(tags.size(), is(equalTo(8))); + assertThat(tags.size(), is(equalTo(9))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(true))); @@ -157,6 +157,7 @@ void shouldReturnExpectedMappings() { assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true))); assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true))); assertThat(tags.containsKey(PolicyTag.SEQUENCE.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A03_INJECTION.getValue()))); diff --git a/addOns/ascanrulesBeta/CHANGELOG.md b/addOns/ascanrulesBeta/CHANGELOG.md index f7d20083303..192a17ea8e5 100644 --- a/addOns/ascanrulesBeta/CHANGELOG.md +++ b/addOns/ascanrulesBeta/CHANGELOG.md @@ -9,6 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - The following scan rules now use more specific CWE IDs: - Proxy Disclosure (Issue 8713) - Possible Username Enumeration (Issue 8715) +- The Shell Shock scan rule now has the TEST_TIMING alert tag. ### Fixed - Address exception when scanning a message without path with Possible Username Enumeration scan rule. diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ShellShockScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ShellShockScanRule.java index 68afde05af6..2b09728c9b3 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ShellShockScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ShellShockScanRule.java 
@@ -46,7 +46,8 @@ public class ShellShockScanRule extends AbstractAppParamPlugin implements Common CommonAlertTag.toMap( CommonAlertTag.OWASP_2021_A06_VULN_COMP, CommonAlertTag.OWASP_2017_A09_VULN_COMP, - CommonAlertTag.WSTG_V42_INPV_12_COMMAND_INJ); + CommonAlertTag.WSTG_V42_INPV_12_COMMAND_INJ, + CommonAlertTag.TEST_TIMING); /** the logger object */ private static final Logger LOGGER = LogManager.getLogger(ShellShockScanRule.class); diff --git a/addOns/ascanrulesBeta/src/test/java/org/zaproxy/zap/extension/ascanrulesBeta/ShellShockScanRuleUnitTest.java b/addOns/ascanrulesBeta/src/test/java/org/zaproxy/zap/extension/ascanrulesBeta/ShellShockScanRuleUnitTest.java index 7db0211fc1c..7d9a5c4aff5 100644 --- a/addOns/ascanrulesBeta/src/test/java/org/zaproxy/zap/extension/ascanrulesBeta/ShellShockScanRuleUnitTest.java +++ b/addOns/ascanrulesBeta/src/test/java/org/zaproxy/zap/extension/ascanrulesBeta/ShellShockScanRuleUnitTest.java @@ -53,7 +53,7 @@ void shouldReturnExpectedMappings() { // Then assertThat(cwe, is(equalTo(78))); assertThat(wasc, is(equalTo(31))); - assertThat(tags.size(), is(equalTo(3))); + assertThat(tags.size(), is(equalTo(4))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A06_VULN_COMP.getTag()), is(equalTo(true))); @@ -63,6 +63,7 @@ void shouldReturnExpectedMappings() { assertThat( tags.containsKey(CommonAlertTag.WSTG_V42_INPV_12_COMMAND_INJ.getTag()), is(equalTo(true))); + assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true))); assertThat( tags.get(CommonAlertTag.OWASP_2021_A06_VULN_COMP.getTag()), is(equalTo(CommonAlertTag.OWASP_2021_A06_VULN_COMP.getValue()))); diff --git a/addOns/sqliplugin/CHANGELOG.md b/addOns/sqliplugin/CHANGELOG.md index 4dd0cf6a924..4a9a177f9ec 100644 --- a/addOns/sqliplugin/CHANGELOG.md +++ b/addOns/sqliplugin/CHANGELOG.md 
@@ -7,6 +7,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ### Changed - Update minimum ZAP version to 2.16.0. - Maintenance changes. +- The scan rule now has the "TEST_TIMING" alert tag. ## [15] - 2021-10-20 ### Fixed diff --git a/addOns/sqliplugin/src/main/java/org/zaproxy/zap/extension/sqliplugin/SQLInjectionScanRule.java b/addOns/sqliplugin/src/main/java/org/zaproxy/zap/extension/sqliplugin/SQLInjectionScanRule.java index 8f5c35a15f6..86b1cc9957b 100644 --- a/addOns/sqliplugin/src/main/java/org/zaproxy/zap/extension/sqliplugin/SQLInjectionScanRule.java +++ b/addOns/sqliplugin/src/main/java/org/zaproxy/zap/extension/sqliplugin/SQLInjectionScanRule.java @@ -67,7 +67,8 @@ public class SQLInjectionScanRule extends AbstractAppParamPlugin { private static final Map ALERT_TAGS = CommonAlertTag.toMap( CommonAlertTag.OWASP_2021_A03_INJECTION, - CommonAlertTag.OWASP_2017_A01_INJECTION); + CommonAlertTag.OWASP_2017_A01_INJECTION, + CommonAlertTag.TEST_TIMING); // ------------------------------------------------------------------ // Configuration properties // ------------------------------------------------------------------