
Conversation

kingthorin (Member) commented Sep 9, 2024

Overview

  • CHANGELOG > Added change note.
  • ProxyDisclosureScanRule > Added condition to skip messages if they have evidence content to start with. Removed misleading Attack text from the Alert.
  • ProxyDisclosureScanRuleUnitTest > Added a test to assert the new behavior.

Related Issues

Fixes zaproxy/zaproxy#8556

Checklist

  • Update help
  • Update changelog
  • Run ./gradlew spotlessApply for code formatting
  • Write tests
  • Check code coverage
  • Sign-off commits
  • Squash commits
  • Use a descriptive title

kingthorin force-pushed the prxy-xfwd branch 2 times, most recently from e0c29af to 44b000e, September 9, 2024 11:34

kingthorin (Member Author):

Tweaked

Comment on lines 75 to 76
"X-Forwarded-For: 76.69.54.171", "X-Forwarded-For: 127.0.0.1",
"X-Forwarded-Host: api.test.glaypen.garnercorp.com", "X-Forwarded-Port: 443",
thc202 (Member) Sep 9, 2024

Better remove public IPs and domains; there are also headers being tested that wouldn't raise an alert anyway. It's missing Via (for completeness). Also, it would be good if the server behaviour raised an alert if it weren't for the evidence already being present.
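To make the skip condition from the Overview concrete, here is an added, stand-alone Java example (not ZAP's code; the class, method names and the evidence pattern list are assumptions for illustration) that treats forwarding headers and, per the comment above, Via as evidence and skips a message whose original response already contains them:

```java
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Illustrative pre-check for a proxy-disclosure rule: a message whose original
 * (unprobed) response already carries the strings the rule would treat as
 * evidence must be skipped, otherwise seeing them again after a probe proves
 * nothing and the rule raises a confusing alert. Names are invented here.
 */
public final class ProxyEvidencePreCheck {

    // Assumed evidence set: forwarding headers plus Via, matched as header-style
    // lines anywhere in the raw response (headers or body). ZAP's real list may differ.
    private static final Pattern EVIDENCE = Pattern.compile(
            "(?im)^\\s*(X-Forwarded-(?:For|Host|Port|Proto|Server)|Forwarded|Via)\\s*:");

    private ProxyEvidencePreCheck() {}

    /** Returns the first evidence header name found in the original response, if any. */
    public static Optional<String> findExistingEvidence(String originalResponse) {
        Matcher m = EVIDENCE.matcher(originalResponse);
        return m.find() ? Optional.of(m.group(1)) : Optional.empty();
    }

    /** The rule should not run its probes (or raise) when evidence was served unsolicited. */
    public static boolean shouldSkip(String originalResponse) {
        return findExistingEvidence(originalResponse).isPresent();
    }

    public static void main(String[] args) {
        // Constructed sample: a page that freely echoes forwarding headers in its
        // body, the situation described in zaproxy/zaproxy#8556.
        String echoingResponse = String.join("\r\n",
                "HTTP/1.1 200 OK", "Content-Type: text/plain", "",
                "X-Forwarded-For: 127.0.0.1", "X-Forwarded-Port: 443", "Via: 1.1 proxy.example");
        // Constructed sample: an ordinary page with no such evidence.
        String plainResponse = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>";

        System.out.println("echoing page: skip=" + shouldSkip(echoingResponse)
                + " evidence=" + findExistingEvidence(echoingResponse).orElse("none"));
        System.out.println("plain page: skip=" + shouldSkip(plainResponse));
    }
}
```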

thc202 (Member):

The test is still not testing the expected code.

kingthorin (Member Author):

Sorry, I glossed over your second point about the served content. Will adjust.

kingthorin (Member Author):

I do plan to work through this, but it's gonna take a bit longer to get the nano handler set up for all the pre-checks.

thc202 mentioned this pull request Sep 9, 2024

kingthorin force-pushed the prxy-xfwd branch 2 times, most recently from 824b5df to f62d8fa, September 10, 2024 00:44

kingthorin (Member Author):

Got all those, I think.

kingthorin added the waiting-for:author label (This issue or PR is currently waiting for input or changes from the original submitter) Sep 11, 2024

psiinon (Member) commented Jun 20, 2025

Checkmarx One – Scan Summary & Details (scan b1a0c161-43f9-493d-9172-cd09dc06400a)

New Issues (5)

Checkmarx found the following issues in this Pull Request (Severity | Issue | Source File / Package | Checkmarx Insight):

  • CRITICAL | CVE-2025-7783 | Npm-form-data-4.0.0 | Vulnerable Package
    Recommended version: 4.0.4
    Description: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program...
    Attack Vector: NETWORK; Attack Complexity: HIGH
    ID: Ofwkww3S5TpxOrfY%2FQlOZvQceB1wVeAdncTlDhQvj40%3D
  • CRITICAL | CVE-2025-7783 | Npm-form-data-3.0.1 | Vulnerable Package
    Recommended version: 3.0.4
    Description: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program...
    Attack Vector: NETWORK; Attack Complexity: HIGH
    ID: YgMuZ7zdKu58F5IvrwquasRSlXwdGMBc598%2FIdc8XHg%3D
  • LOW | CVE-2025-7339 | Npm-on-headers-1.0.2 | Vulnerable Package
    Recommended version: 1.1.0
    Description: The on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions prior to 1.1.0 may result in r...
    Attack Vector: LOCAL; Attack Complexity: LOW
    ID: TX%2FqRjLEx%2BNjNuXZ6DCnAffkaBKJ2XgJ87NkP%2FqpW3g%3D
  • LOW | Log_Forging | /addOns/exim/src/main/java/org/zaproxy/addon/exim/har/HarUtils.java: 148 | Attack Vector
    Method at line 148 of /addOns/exim/src/main/java/org/zaproxy/addon/exim/har/HarUtils.java gets user input from element getHeaders. This element’...
    ID: H8Mkbf5C3FxJfvGer8egrXfEHEM%3D
  • LOW | Log_Forging | /addOns/exim/src/main/java/org/zaproxy/addon/exim/har/HarUtils.java: 148 | Attack Vector
    Method at line 148 of /addOns/exim/src/main/java/org/zaproxy/addon/exim/har/HarUtils.java gets user input from element getHeaders. This element’...
    ID: xGNeFMn6wYcB801pmPCbdXYgerI%3D

- CHANGELOG > Added change note.
- ProxyDisclosureScanRule > Added condition to skip messages if they
have evidence content to start with. Removed misleading Attack
text from the Alert.
- ProxyDisclosureScanRuleUnitTest > Added a test to assert the new
behavior.

Signed-off-by: kingthorin <[email protected]>
kingthorin marked this pull request as draft July 10, 2025 14:32
Signed-off-by: kingthorin <[email protected]>
Labels: backlog, waiting-for:author (This issue or PR is currently waiting for input or changes from the original submitter)

Development: Successfully merging this pull request may close these issues.

  • ProxyDisclosureScanRule reporting is confusing for cases where servers freely offer X-Forwarded-* text

3 participants