SasanLabs / VulnerableApp

OWASP VulnerableApp Project: For Security Enthusiasts by Security Enthusiasts.
https://sasanlabs.github.io/VulnerableApp/
Apache License 2.0
300 stars 407 forks source link

Add a new Level in Persistent XSS vulnerability which rely on untrusted Path Param instead of Query Param #232

Open preetkaran20 opened 4 years ago

preetkaran20 commented 4 years ago

Is your feature request related to a problem? Please describe. There is one usecase we got from the https://github.com/zaproxy/zap-extensions/pull/2443 where untrusted input is part of Path Param so we need to add such usecase too as such usecases are tricky to handle for scanners and can be a important for them.

Describe the solution you'd like Go to https://github.com/SasanLabs/VulnerableApp/tree/master/src/main/java/org/sasanlabs/service/vulnerability/xss/persistent and add a new method which depends on the path param instead of query param for comments.

MadhuMadhavanSridhar commented 3 years ago

Hey preetkaran20 Good day! Can I work on this?

preetkaran20 commented 3 years ago

Hi @MadhuMadhavanSridhar ,

Yeah sure you can pick this enhancement. However it requires the the framework change. Please go through it and if you have a good idea then it will be great.

thanks, Karan

preetkaran20 commented 3 years ago

@MadhuMadhavanSridhar Please go through following links:

  1. https://sasanlabs.github.io/VulnerableApp/DesignDocumentation.html
  2. https://www.youtube.com/watch?v=AjL4B-WwrrA&ab_channel=OwaspVulnerableApp

Also once you setup the VulnerableApp in your local dev environment then you need to navigate to XSS vulnerability , fill some details and then do the action, you will see that information is sent in query param and then same information can be sent in path param too, right ? so this issue is to send that information in path param.

Above i had mentioned that it requires framework changes, that is because the way we build the URL it is something like /<VulnerabilityType>/<Level> and this is how we understand the exact controller method but this entire url is build out of the box using our custom annotations like VulnerableRestController etc and hence Path params are not easy to handle.

Please let me know in case you require more information.

thanks, Karan