ashenchowthee / zaproxy

Automatically exported from code.google.com/p/zaproxy

False Negative XSS on injection outside of HTML tags #1632

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I believe there is a False Negative for an XSS issue when the injection is 
echoed but not inside of some HTML tag - I hope I'm not missing something 
obvious such as a tool setting etc.

Schematically speaking, when the injection is placed here:
<B>$injection</B> it is flagged, but if it happens to be after the tag close: 
<B></B>$injection - then (I believe) it isn't.

In terms of tests and illustration - if you don't mind crossing a "language 
border", please give a try to the Webseclab: http://github.com/yahoo/webseclab 
(full disclosure: I'm the author and custodian of the package).  

It is written in Go for ease of installation - you would need:
- install Go from https://golang.org/dl/ - one of the highlighted packages
- make sure "go" is in the PATH by adding /usr/local/go/bin (on Mac/Linux)
- set up the GOPATH workspace: mkdir -p ~/go && export GOPATH=~/go 
(http://golang.org/doc/install and http://golang.org/doc/code.html have more 
information on the setup if needed)

After that you should be able to install and run Webseclab:
go get -v github.com/yahoo/webseclab/... && $GOPATH/bin/webseclab -http=:8088
if everything goes well, it should serve Webseclab on http://127.0.0.1:8088 
(with no -http parameter, the default port is 8080 but you probably have ZAP 
running there).

Now if everything goes well, you can try running ZAP on the following two URLs:
http://127.0.0.1:8088/xss/reflect/basic?in=2change
http://127.0.0.1:8088/xss/reflect/basic_in_tag?in=2change

I see that ZAP flags XSS for the second one but not the first.

Alternatively, take a look or run with Go (go run <filename>) the following two 
short programs echoing the "raw" URL path:
https://gist.github.com/dmitris/7f7cf36bd43aae713b89 - injection inside tags
https://gist.github.com/dmitris/2dbecd24facaeb79b500 -- injection outside of 
tags

I was getting ZAP XSS alert for the first but not the second even though both 
are vulnerable.

What steps will reproduce the problem?
1. Run ZAP on /xss/reflect?in=x test

What is the expected output? What do you see instead?
Same as for /xss/reflect/basic_in_tag?in=x test - XSS injection being flagged. 
Currently ZAP does not show any XSS alerts.

(For the basic_in_tag?in= test I'm getting the following URL:
http://127.0.0.1:8088/xss/reflect/basic_in_tag?in=%3C%2Fb%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cb%3E )

What version of the product are you using? On what operating system?
ZAP 2.4.0 on Mac OS X 10.10.3

Please provide any additional information below.
Would you consider this case unrealistically minimalistic? (this may be a valid 
point if that issue has never come up in the real scans)

Original issue reported on code.google.com by dsavi...@gmail.com on 12 May 2015 at 2:06
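
As an added illustration (not code from the original report, from Webseclab or from ZAP): a minimal Go reproducer of the two reflection contexts described in the report, the escaped variant that fixes both, and the context-independent check a scanner needs so it does not miss the "outside the tag" case. The route names, the harmless `<x-zap-probe>` marker and port 8088 are assumptions chosen to match the issue text.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"strings"
)

// probe is a constructed, harmless marker standing in for a scanner's
// reflection check; only its angle brackets matter.
const probe = "</b><x-zap-probe></x-zap-probe><b>"

// renderInsideTag reflects the raw query value inside a <b> element
// (the basic_in_tag case; vulnerable on purpose, as in the issue).
func renderInsideTag(in string) string {
	return "<html><body><b>" + in + "</b></body></html>"
}

// renderOutsideTag reflects the raw value after the closing tag, i.e. in
// text-node context (the basic case). Equally vulnerable, but the one missed.
func renderOutsideTag(in string) string {
	return "<html><body><b></b>" + in + "</body></html>"
}

// renderEscaped is the fixed handler: html.EscapeString turns < > & " ' into
// entities, so the value renders as text in either context.
func renderEscaped(in string) string {
	return "<html><body><b></b>" + html.EscapeString(in) + "</body></html>"
}

// reflectsUnescaped is the context-independent test a scanner should apply:
// if the probe comes back verbatim, the page is injectable regardless of
// whether the reflection point sits inside or outside a tag.
func reflectsUnescaped(body, in string) bool {
	return strings.Contains(body, in)
}

func main() {
	serve := func(render func(string) string) http.HandlerFunc {
		return func(w http.ResponseWriter, r *http.Request) {
			w.Header().Set("Content-Type", "text/html; charset=utf-8")
			fmt.Fprint(w, render(r.URL.Query().Get("in")))
		}
	}
	http.HandleFunc("/xss/reflect/basic", serve(renderOutsideTag))
	http.HandleFunc("/xss/reflect/basic_in_tag", serve(renderInsideTag))
	http.HandleFunc("/xss/reflect/fixed", serve(renderEscaped))
	http.ListenAndServe(":8088", nil) // same port as in the issue
}
```

Run it and point a scanner at the three routes: a correct reflected-XSS check flags the first two and stays quiet on /fixed.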

GoogleCodeExporter commented 9 years ago
For reference and comparison - Arachni scanner does flag XSS on the Webseclab's 
/xss/reflect/basic?in= test (screenshot attached).

Original comment by dsavi...@gmail.com on 12 May 2015 at 8:20


GoogleCodeExporter commented 9 years ago
Thanks for reporting this, and for providing so much detail :D
I'm guessing you're @dimisec?
I'm a big fan of tools like webseclab, and definitely want to use them much 
more for testing ZAP.
Ideally as part of CI (once I've set up the CI server again:/)
I'll DM you on twitter ;)

Original comment by psii...@gmail.com on 13 May 2015 at 9:18

GoogleCodeExporter commented 9 years ago
Yes, I'm @dimisec (Twitter) = dmitris on GitHub :)

I have a couple more things from the Webseclab - just wanted to make sure I'm 
not missing the proper way to scan such as options, profile settings etc.

I would love to help with integrating Webseclab into the ZAP CI build - also if 
there are other tests that would be helpful to add, or bugs in the existing 
ones, please let me know (https://github.com/yahoo/webseclab/issues or by email 
/ Twitter)

Dmitry

Original comment by dsavi...@gmail.com on 13 May 2015 at 10:38

GoogleCodeExporter commented 9 years ago
ZAP has been migrated to github

This issue will be on github issues with the same ID: 
https://github.com/zaproxy/zaproxy/issues

Original comment by psii...@gmail.com on 5 Jun 2015 at 9:18