Comments (12)
How about at non LOW threshold we only scan responses if (respHeader.isHtml() || respHeader.isText() || respHeader.isJson() || respHeader.isXml())? Where respHeader = msg.getResponseHeader().
@ganesh-dagadi it's been assigned to you 😁 Let us know if you'd like any advice and guidance.
Sounds right to me. You should see other UnitTests for other rules that check/try this as well.
Sure. I'm not sure how that specific test class is set up, but most of them have a private method creating the HttpMessage objects; you could add a default of text/html there and then override it in new tests, etc.
Just remove isText() from your set of ORs.
I would like to work on this issue.
I'd suggest that this be tied to Threshold, some lame frameworks create a JS constants file that gets exposed so it would be good for users to be able to choose to scan them.
So as suggested by @psiinon, if the user selects Low threshold, we continue with the scan, but when the threshold is not LOW and ResourceIdentificationUtils.isJavascript() is true, we skip the scan. So can this be solved just by adding another guard clause?
Sure, yeah that sounds good.
As we are now checking based on the response header, I observed that most of the Unit tests do not set the response header Content-Type. Do you recommend I add Content-Type to all the Unit tests?
The method responseHeader.isText() returns true if javascript is in the content type. Here is the method:

    public boolean isText() {
        return this.hasContentType(new String[]{"text", "html", "javascript", "json", "xml"});
    }

So checking for isText() is returning true for the javascript content type. Thus, at NON LOW threshold, javascript is also passing through the guard clause. Shall I remove isText() on NON LOW threshold, or remove javascript from the isText() method?
I have opened a Pull Request addressing this Issue.
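A stand-alone sketch of the guard the thread converges on, added here as an example; it is not ZAP's own code. The ResponseHeader, AlertThreshold and isJavascript stand-ins are simplified assumptions that only mirror the names used above (ZAP's real HttpResponseHeader, Plugin.AlertThreshold and ResourceIdentificationUtils are richer), while the isText() body is the one quoted in the thread. It shows why the first proposal (OR-ing isText() into the guard) admits JavaScript at every threshold, and how the threshold-aware guard with isText() removed behaves instead.

```java
import java.util.Locale;

/**
 * Self-contained model of the content-type guard discussed in the thread.
 * All classes here are simplified stand-ins (assumption), not ZAP classes.
 */
public class ContentTypeGuardDemo {

    /** Stand-in for the threshold values the thread refers to. */
    enum AlertThreshold { LOW, MEDIUM, HIGH }

    /** Stand-in for HttpResponseHeader; only the Content-Type header matters here. */
    static final class ResponseHeader {
        private final String contentType;

        ResponseHeader(String contentType) {
            this.contentType = contentType == null ? "" : contentType.toLowerCase(Locale.ROOT);
        }

        /** Substring match, mirroring the hasContentType() used by the quoted isText(). */
        boolean hasContentType(String... types) {
            for (String t : types) {
                if (contentType.contains(t)) {
                    return true;
                }
            }
            return false;
        }

        boolean isHtml() { return hasContentType("html"); }
        boolean isJson() { return hasContentType("json"); }
        boolean isXml()  { return hasContentType("xml"); }

        /** Body as quoted in the thread: "javascript" is part of the list. */
        boolean isText() {
            return hasContentType("text", "html", "javascript", "json", "xml");
        }
    }

    /** Stand-in for ResourceIdentificationUtils.isJavascript(msg) (assumption). */
    static boolean isJavascript(ResponseHeader h) {
        return h.hasContentType("javascript", "ecmascript");
    }

    /** The first proposal from the thread: isText() re-admits JavaScript responses. */
    static boolean naiveShouldScan(ResponseHeader h) {
        return h.isHtml() || h.isText() || h.isJson() || h.isXml();
    }

    /**
     * The agreed approach: at LOW the rule keeps scanning everything (so an exposed
     * JS constants file is still covered), above LOW an extra guard clause skips
     * JavaScript and isText() is dropped from the ORs so it cannot let JS back in.
     */
    static boolean shouldScan(ResponseHeader h, AlertThreshold threshold) {
        if (threshold == AlertThreshold.LOW) {
            return true;
        }
        if (isJavascript(h)) {
            return false;
        }
        return h.isHtml() || h.isJson() || h.isXml();
    }

    public static void main(String[] args) {
        // Constructed sample Content-Type values.
        ResponseHeader js = new ResponseHeader("application/javascript; charset=utf-8");
        ResponseHeader html = new ResponseHeader("text/html; charset=utf-8");
        ResponseHeader json = new ResponseHeader("application/json");
        ResponseHeader png = new ResponseHeader("image/png");

        // The pitfall raised in the thread: isText() is true for JavaScript,
        // so the naive guard scans JS regardless of threshold.
        System.out.println("isText(js)           = " + js.isText());
        System.out.println("naive guard scans js = " + naiveShouldScan(js));

        // Behaviour of the threshold-aware guard per threshold and content type.
        for (AlertThreshold t : AlertThreshold.values()) {
            System.out.printf("%-6s js=%b html=%b json=%b png=%b%n", t,
                    shouldScan(js, t), shouldScan(html, t),
                    shouldScan(json, t), shouldScan(png, t));
        }
    }
}
```

Compile and run with javac/java to see the table; the useful check for a rule author is the js column, which is true only at LOW once the guard is in place. Note that the substring matching inherited from isText() is deliberately loose (a "text/javascript" response matches "text" as well as "javascript"), which is exactly why dropping isText() from the ORs rather than trimming its list was the simpler fix.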