Can you let us know the (sanitized) format of the URL?
ZAP detects certain parameter formats 'by default'.
Other less common formats have to be configured - your scenario might be one of
those.
Or it could just be a bug of course ;)
Original comment by psii...@gmail.com
on 5 Feb 2015 at 1:07
The URL is: www.example.com/news.html
XSS vulnerability exists with: www.example.com/news.html?page=VAR
IN the "www.example.com/news.html" web page, we can't access a link like
"www.example.com/news.html?page=VAR" because the parameter "page", which allows
navigating the various pages of news, is not used and not accessible inside this
web page because we have only a few news items on one single page. BUT this parameter
"page" exists by default, so we can, for example, access this link:
"www.example.com/news.html?page=1", which is the same page as
"www.example.com/news.html"; on the other hand,
"www.example.com/news.html?page=X" with X>=2 doesn't exist.
AND there is an XSS vulnerability like
"www.example.com/news.html?page=<script>alert('hack');</script>"
Original comment by hayley.p...@gmail.com
on 5 Feb 2015 at 5:36
So there are no links containing a 'page' parameter?
That will be a problem - we _could_ try a variety of common parameter names,
but where do you stop?
Have you tried the Brute Force scanner? I can't remember off hand if that tries
parameters like that.
Original comment by psii...@gmail.com
on 5 Feb 2015 at 6:25
Yes there are no links.
Yes I understand but ZAP should test at least some of them (like Qualys Guard
maybe ?).
Yes, the only way to find this XSS is to give the "page" parameter to ZAP
manually.
Original comment by hayley.p...@gmail.com
on 6 Feb 2015 at 8:54
Happy to accept this as an enhancement request.
The list of params would need to be user configurable, but also with sensible
defaults.
Not sure what these should be however - suggestions appreciated.
Also note that the more parameters we test the longer scans take. For large
apps this can be very significant.
Maybe this would be best as a new add-on that tests a user specified set of
parameter names and reports which ones appear to actually make a difference.
Original comment by psii...@gmail.com
on 6 Feb 2015 at 9:21
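As an added illustration of the add-on idea above (example code, not ZAP's own and not from anyone in this thread): given a baseline response and one response per candidate parameter name, report which names appear to change the page, i.e. parameters the server reads even though no link carries them. The Response type, the marker value, the volatile-content pattern and the sample bodies are constructed for this example.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Dict, List

@dataclass
class Response:
    status: int
    body: str

# Constructed marker: a harmless token unlikely to occur in a page by chance, so
# seeing it in a response means the candidate parameter's value was echoed back.
MARKER = "zapprobe7x2q"
# Content that changes on every request even when the parameter is ignored
# (here clock times); stripped before comparing bodies to avoid false positives.
VOLATILE = re.compile(r"\b\d{1,2}:\d{2}(?::\d{2})?\b")

def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] between two bodies after removing volatile content."""
    return SequenceMatcher(None, VOLATILE.sub("", a), VOLATILE.sub("", b)).ratio()

def find_live_parameters(baseline: Response, probes: Dict[str, Response],
                         marker: str = MARKER, threshold: float = 0.98) -> Dict[str, List[str]]:
    """probes maps a candidate name to the response for ?name=<marker>.
    Returns {name: reasons} for each candidate whose response differs from baseline."""
    live: Dict[str, List[str]] = {}
    for name, resp in probes.items():
        reasons = []
        if resp.status != baseline.status:
            reasons.append(f"status {baseline.status} -> {resp.status}")
        if marker in resp.body:
            reasons.append("value reflected in body")
        ratio = similarity(baseline.body, resp.body)
        if ratio < threshold:
            reasons.append(f"body similarity {ratio:.2f}")
        if reasons:
            live[name] = reasons
    return live

# Constructed sample responses modelling the thread's news.html: 'page' is read
# server-side although no link carries it; 'id' and 'debug' are ignored.
_PAGE = "<h1>News</h1><p>Story one</p><p>Story two</p><small>Generated at {}</small>"
BASELINE = Response(200, _PAGE.format("12:00:01"))
PROBES = {
    "page": Response(200, f"<h1>News</h1><p>No news for page '{MARKER}'</p>"
                          "<small>Generated at 12:00:02</small>"),
    "id": Response(200, _PAGE.format("12:00:03")),
    "debug": Response(200, _PAGE.format("12:00:04")),
}
```

Each candidate name costs one extra request per URL, which is the scan-time trade-off mentioned above; only `page` is reported for the sample data.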
ZAP has been migrated to github
This issue will be on github issues with the same ID:
https://github.com/zaproxy/zaproxy/issues
Original comment by psii...@gmail.com
on 5 Jun 2015 at 9:17
Original issue reported on code.google.com by
hayley.p...@gmail.com
on 4 Feb 2015 at 5:29