ashenchowthee / zaproxy

Automatically exported from code.google.com/p/zaproxy

URL parameters research / discovering #1523

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

1. Just an active/passive scan of a news web page
2. There is just one page of news inside
3. But a GET parameter exists: "page"
4. And ZAP doesn't test any default parameter names

What is the expected output? What do you see instead?

Discovery of XSS vulnerabilities in the URL with the "page" parameter, but 
there is nothing, whereas Qualys Guard finds them.

What version of the product are you using? On what operating system?

ZAP 2.3.1
Windows 7 64 bits

Please provide any additional information below.

Original issue reported on code.google.com by hayley.p...@gmail.com on 4 Feb 2015 at 5:29

GoogleCodeExporter commented 9 years ago
Can you let us know the (sanitized) format of the URL?
ZAP detects certain parameter formats 'by default'.
Other less common formats have to be configured - your scenario might be one of 
those.
Or it could just be a bug of course ;)

Original comment by psii...@gmail.com on 5 Feb 2015 at 1:07

GoogleCodeExporter commented 9 years ago
The URL is: www.example.com/news.html
The XSS vulnerability exists with: www.example.com/news.html?page=VAR

IN the "www.example.com/news.html" web page, we can't access a link like 
"www.example.com/news.html?page=VAR" because the parameter "page", which allows 
navigating through the various pages of news, is not used and not accessible inside this 
web page because we have only a few news items on one single page. BUT this parameter 
"page" exists by default, so we can for example access this link: 
"www.example.com/news.html?page=1", which is the same page as 
"www.example.com/news.html", and on the other hand 
"www.example.com/news.html?page=X" with X>=2 doesn't exist.
AND there is an XSS vulnerability like 
"www.example.com/news.html?page=<script>alert('hack');</script>"

Original comment by hayley.p...@gmail.com on 5 Feb 2015 at 5:36

GoogleCodeExporter commented 9 years ago
So there are no links containing a 'page' parameter?
That will be a problem - we _could_ try a variety of common parameter names, 
but where do you stop?
Have you tried the Brute Force scanner? I can't remember off hand if that tries 
parameters like that.

Original comment by psii...@gmail.com on 5 Feb 2015 at 6:25

GoogleCodeExporter commented 9 years ago
Yes, there are no links.
Yes, I understand, but ZAP should test at least some of them (like Qualys Guard 
maybe?).
Yes, the only way to find this XSS is to give the "page" parameter to ZAP 
manually.

Original comment by hayley.p...@gmail.com on 6 Feb 2015 at 8:54

GoogleCodeExporter commented 9 years ago
Happy to accept this as an enhancement request.
The list of params would need to be user configurable, but also with sensible 
defaults.
Not sure what these should be however - suggestions appreciated.
Also note that the more parameters we test the longer scans take. For large 
apps this can be very significant.
Maybe this would be best as a new add-on that tests a user specified set of 
parameter names and reports which ones appear to actually make a difference.

Original comment by psii...@gmail.com on 6 Feb 2015 at 9:21
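
The add-on sketched in the comment above, as an added example that is not ZAP's own code: it takes a user-supplied list of candidate parameter names, probes each name with several values against a baseline fetch of the bare URL, and reports only the names whose responses actually differ, with a cap on candidates so scan time stays bounded. The fetcher here is a constructed stand-in for the reporter's news page; the function names and the probe values are assumptions.

```python
import hashlib
from typing import Callable, Dict, Iterable, List
from urllib.parse import parse_qsl, urlencode

Fetcher = Callable[[str], str]  # maps a URL to its response body

# Several values per name: the report's "?page=1" renders the same as the bare
# URL, so a single default value would miss a parameter that is really live.
DEFAULT_PROBE_VALUES = ("1", "2", "zapprobe")  # assumed values, not ZAP defaults


def _fingerprint(body: str) -> str:
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def discover_parameters(base_url: str, candidates: Iterable[str], fetch: Fetcher,
                        probe_values: Iterable[str] = DEFAULT_PROBE_VALUES,
                        max_candidates: int = 50) -> Dict[str, List[str]]:
    """Map each candidate name to the probe values that changed the response."""
    baseline = _fingerprint(fetch(base_url))
    # Fetch the baseline twice: a page that differs between identical requests
    # (timestamps, ads, CSRF tokens) would make every candidate look live.
    if _fingerprint(fetch(base_url)) != baseline:
        raise ValueError("baseline response is not stable; body diffing is unreliable")
    results: Dict[str, List[str]] = {}
    # max_candidates bounds the cost: each name costs len(probe_values) requests.
    for name in list(candidates)[:max_candidates]:
        results[name] = [v for v in probe_values
                         if _fingerprint(fetch(base_url + "?" + urlencode({name: v}))) != baseline]
    return results


def constructed_news_site(url: str) -> str:
    """Constructed stand-in for the reporter's news page (no network access)."""
    path, _, query = url.partition("?")
    params = dict(parse_qsl(query))
    if path != "http://www.example.com/news.html":
        return "404 Not Found"
    if params.get("page", "1") == "1":  # page=1 is the same page as no parameter
        return "<h1>News</h1><p>The only page of news.</p>"
    return "<h1>News</h1><p>No such page.</p>"  # page>=2 does not exist


if __name__ == "__main__":
    found = discover_parameters("http://www.example.com/news.html",
                                ["page", "id", "lang"], constructed_news_site)
    for name, values in found.items():
        print(name, "affects response for" if values else "no effect", values)
```

Only "page" is reported, and only because the second and third probe values differ from the baseline; probing with "1" alone would have missed it, which is the trap the reporter's site sets.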

GoogleCodeExporter commented 9 years ago
ZAP has been migrated to github

This issue will be on github issues with the same ID: 
https://github.com/zaproxy/zaproxy/issues

Original comment by psii...@gmail.com on 5 Jun 2015 at 9:17