ashenchowthee / zaproxy

Automatically exported from code.google.com/p/zaproxy

XSS False Negative on script injections into the Referer HTTP header #1639

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Install and launch Webseclab - installation is described in https://code.google.com/p/zaproxy/issues/detail?id=1632&sort=-id or in the project README, https://github.com/yahoo/webseclab
2. Scan the /xss/reflect/refer1 entrypoint with zaproxy - e.g. http://127.0.0.1:8088/xss/reflect/refer1 if you have Webseclab running on 127.0.0.1:8088

What is the expected output? What do you see instead?
The /xss/reflect/refer1 entrypoint is vulnerable to injection of malicious 
scripting content via the Referer header, therefore ZAP should flag it.  But 
output does not show any Cross-Site Scripting findings.  Screenshot is 
attached.  (Please let me know if I missed a setting that needs to be activated 
to do HTTP headers fuzzing).

What version of the product are you using? On what operating system?
zaproxy 2.4.0 Mac OS X 10.10.3

Please provide any additional information below.

The Arachni Scanner does flag the injection when scanning using the Cross-Site 
Scripting profile with Header injection activated (need to edit the Cross-Site 
Scripting profile) - a screenshot is attached.

Curl trace showing the script from the Referer header echoed in the body:
$ curl -H "Referer: foobar<script>alert(123)</script>" http://127.0.0.1:8088/xss/reflect/refer1

<!DOCTYPE html>
<html><head><title>Unfiltered echoing of injection into Referer header 
(refer.1)</title>
</head><body>
You have arrived following the referal of the site: 
foobar<script>alert(123)</script> (unescaped version: 
foobar<script>alert(123)</script>)
</body></html>

Original issue reported on code.google.com by dsavi...@gmail.com on 15 May 2015 at 8:58

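The check a scanner needs in order to catch this class of bug, as an added example that is not part of the original report and not code from ZAP or Webseclab: send a unique canary followed by a script tag in the Referer header, then classify whether it comes back verbatim, HTML-escaped, or not at all. The two `fake_refer1_*` handlers are constructed stand-ins for the Webseclab endpoint so the script runs offline; `http_fetch` (plain urllib) is the assumed fetcher for running `scan_referer` against a live instance.

```python
"""Reflected-XSS check for the Referer header (header injection, not parameter fuzzing)."""
import html
import secrets
import urllib.request
from typing import Callable, Dict, Optional

# A fetcher takes (url, request headers) and returns the response body as text.
Fetch = Callable[[str, Dict[str, str]], str]


def build_probe(marker: str) -> str:
    """Canary plus the payload a filter would have to neutralise.

    The random marker ties any reflection to this exact request, so a page
    that happens to contain '<script>' for other reasons is not a false positive.
    """
    return f"{marker}<script>alert(1)</script>"


def classify(body: str, probe: str) -> str:
    """Return 'unescaped' if the probe is echoed verbatim (exploitable),
    'escaped' if only an HTML-entity-encoded copy is present (safe),
    or 'none' if the header is not reflected at all.

    Verbatim takes priority: a body that contains both an escaped and an
    unescaped copy is still vulnerable.
    """
    if probe in body:
        return "unescaped"
    if html.escape(probe, quote=False) in body:
        return "escaped"
    return "none"


def scan_referer(fetch: Fetch, url: str, marker: Optional[str] = None) -> dict:
    """Issue one request with the probe in Referer and classify the reflection."""
    marker = marker or "ref" + secrets.token_hex(4)
    probe = build_probe(marker)
    body = fetch(url, {"Referer": probe})
    return {"url": url, "probe": probe, "verdict": classify(body, probe)}


def http_fetch(url: str, headers: Dict[str, str]) -> str:
    """Assumed real fetcher: plain urllib GET with caller-supplied headers."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed stand-ins for Webseclab's refer1 page so the example runs offline.
def fake_refer1_vulnerable(url: str, headers: Dict[str, str]) -> str:
    ref = headers.get("Referer", "")
    return ("<!DOCTYPE html><html><body>You have arrived following the referal "
            f"of the site: {ref}</body></html>")


def fake_refer1_fixed(url: str, headers: Dict[str, str]) -> str:
    ref = html.escape(headers.get("Referer", ""))
    return ("<!DOCTYPE html><html><body>You have arrived following the referal "
            f"of the site: {ref}</body></html>")


if __name__ == "__main__":
    target = "http://127.0.0.1:8088/xss/reflect/refer1"
    for name, fetcher in (("vulnerable", fake_refer1_vulnerable),
                          ("fixed", fake_refer1_fixed)):
        print(name, scan_referer(fetcher, target))
    # Against a running Webseclab instance:
    # print(scan_referer(http_fetch, target))
```

The point of the canary is that the verdict depends on the request just sent rather than on static page content; the `escaped` outcome is worth reporting separately because it proves the header reaches the page (a code path worth inspecting for other sinks) without being exploitable as written.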

GoogleCodeExporter commented 9 years ago
ZAP has been migrated to github

This issue will be on github issues with the same ID: 
https://github.com/zaproxy/zaproxy/issues

Original comment by psii...@gmail.com on 5 Jun 2015 at 9:18