ashenchowthee / zaproxy

Automatically exported from code.google.com/p/zaproxy

TestInfoSessionIdURL - Referer expose session ID - False Positive #1594

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The following URL is flagged as a "Referer expose session ID"

https://domain.com/Account/LogOn?ReturnUrl=/BusinessTeam/GetSiteAdmins?businessId=0&businessId=0

The reason is that the word "businessId" matches the regex search for the key "sid", as the last three letters of "businessId" are "sid", and the regex isn't case sensitive.

The code that handles this is TestInfoSessionIdURL.java

Please provide any additional information below.

The regex should ensure that the parameter starts after either an '&' or a '?' to avoid similar false positives with any word that ends with the letters "sid".

Original issue reported on code.google.com by kingtho...@gmail.com on 9 Apr 2015 at 7:51
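The false positive described in this report and the anchoring fix it proposes, as an added example that is not ZAP's own code (Python rather than the rule's Java, and the parameter names other than "sid" are assumed for illustration):

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Session-ID parameter names to look for. "sid" is the one named in the issue;
# "jsessionid" and "phpsessid" are added here for illustration, not ZAP's list.
SESSION_PARAM_NAMES = ("sid", "jsessionid", "phpsessid")
_NAMES = "|".join(SESSION_PARAM_NAMES)

# Loose pattern in the spirit of the one the issue describes: the name may sit
# anywhere before '=', so "businessId=0" matches on its last three letters.
LOOSE_RE = re.compile(r"(?:%s)=[^&#]+" % _NAMES, re.IGNORECASE)

# Fix proposed in the issue: the name must start right after '?' or '&'.
ANCHORED_RE = re.compile(r"[?&](?:%s)=[^&#]+" % _NAMES, re.IGNORECASE)

# URL taken from the issue report (constructed hostname, as in the report).
ISSUE_URL = ("https://domain.com/Account/LogOn"
             "?ReturnUrl=/BusinessTeam/GetSiteAdmins?businessId=0&businessId=0")


def loose_flag(url: str) -> bool:
    """Original behaviour: raises the alert on the issue's URL."""
    return LOOSE_RE.search(url) is not None


def anchored_flag(url: str) -> bool:
    """Anchored regex: only a whole parameter name triggers the alert."""
    return ANCHORED_RE.search(url) is not None


def parsed_flag(url: str) -> bool:
    """Alternative that avoids regex on the raw URL: parse the query string
    and compare each parameter name exactly (case-insensitively)."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return any(name.lower() in SESSION_PARAM_NAMES for name, _ in pairs)


if __name__ == "__main__":
    for url in (ISSUE_URL, "https://example.com/app?user=1&sid=abc123"):
        print(url)
        print("  loose:", loose_flag(url), " anchored:", anchored_flag(url),
              " parsed:", parsed_flag(url))
```

Note that the parsed variant treats the nested URL inside ReturnUrl as an opaque value, so a session parameter embedded there would be missed while the anchored regex still sees it; which behaviour is wanted depends on whether that nested value is considered part of the leaking URL.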

GoogleCodeExporter commented 9 years ago
https://groups.google.com/forum/#!topic/zaproxy-develop/i6Z43TEFmOU

Original comment by kingtho...@gmail.com on 9 Apr 2015 at 7:52

GoogleCodeExporter commented 9 years ago
The "Session ID in URL rewrite" has this same issue BTW

Original comment by gra...@bizible.com on 9 Apr 2015 at 8:55

GoogleCodeExporter commented 9 years ago
Thanks Graham. 

Original comment by kingtho...@gmail.com on 12 Apr 2015 at 8:01

GoogleCodeExporter commented 9 years ago
Dev ref:
https://code.google.com/p/zaproxy/source/browse/trunk/src/org/parosproxy/paros/network/HttpMessage.java#555

Original comment by kingtho...@gmail.com on 13 Apr 2015 at 2:20

GoogleCodeExporter commented 9 years ago
Dev ref:
https://code.google.com/p/zap-extensions/source/browse/trunk/src/org/zaproxy/zap/extension/pscanrules/TestInfoSessionIdURL.java

Original comment by kingtho...@gmail.com on 22 Apr 2015 at 1:46

GoogleCodeExporter commented 9 years ago
ZAP has been migrated to github

This issue will be on github issues with the same ID: 
https://github.com/zaproxy/zaproxy/issues

Original comment by psii...@gmail.com on 5 Jun 2015 at 9:18