ashenchowthee / zaproxy

Automatically exported from code.google.com/p/zaproxy

XSS False Negative on double-encoded script injections #1640

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Install and launch Webseclab - installation described in
https://code.google.com/p/zaproxy/issues/detail?id=1632&sort=-id or on the
project README, https://github.com/yahoo/webseclab
2. Scan the /xss/reflect/doubq?in=x entrypoint with zaproxy -
ex. http://127.0.0.1:8088/xss/reflect/doubq1?in= if you have Webseclab running on
127.0.0.1:8088

What is the expected output? What do you see instead?
The /xss/reflect/doubq entrypoint is vulnerable to injection of double-encoded
html tags - for example, data that you get when doing URI encoding twice:

encodeURIComponent(encodeURIComponent('<xss>')) => 
%253Cxss%253E

An attack payload for this case can be obtained with:
encodeURIComponent(encodeURIComponent('<script>alert(123)</script>')) =>
"%253Cscript%253Ealert(123)%253C%252Fscript%253E"

I think ZAP should flag such injections. They do occur in practice when the
server applies unencoding twice (for example, with input passing through
several layers, different function calls, etc.)

Currently ZAP does not show any Cross-Site Scripting findings.  Screenshot is 
attached.  (Please let me know if I missed a setting that needs to be activated 
to do this type of fuzzing).

What version of the product are you using? On what operating system?
zaproxy 2.4.0 Mac OS X 10.10.3

Please provide any additional information below.

An equivalent issue was raised with the Arachni scanner:
https://github.com/Arachni/arachni/issues/581

and the detection of this vulnerability was added (currently in the 
experimental branch).

Curl trace showing the script from the injected script in the body
$ curl -s http://127.0.0.1:8088/xss/reflect/doubq1?in="%253Cscript%253Ealert(123)%253C%252Fscript%253E" | grep -v -e '^$'
<!DOCTYPE html>
<html><head><title>Double-Encoded tags injection (doubq.1)</title>
</head><body>
Hello!<BR>
The value of the cgi parameter &quot;in&quot; is: <script>alert(123)</script>
<p>
This test echos unencoded version of double-encoded tags.
</body></html>

Original issue reported on code.google.com by dsavi...@gmail.com on 15 May 2015 at 9:20
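To make concrete why a scanner that only sends single-encoded payloads misses this class of sink while a double-encoded probe hits it, here is an added Python sketch (not Webseclab's or ZAP's code). `vulnerable_handler` is a constructed stand-in that applies HTML escaping before a second URL-decode, `fixed_handler` escapes last, and `scan` is the check a scanner would run with the benign `<xss>` marker from the report; the handlers and the escape-before-decode ordering are assumptions about how such a sink arises, not a description of the doubq source.

```python
from urllib.parse import quote, unquote
import html

PROBE = "<xss>"  # benign marker from the report, not a live payload


def url_encode(s: str, times: int = 1) -> str:
    """URL-encode s the given number of times. safe="!'()*" mimics
    JavaScript's encodeURIComponent, which leaves those characters alone."""
    for _ in range(times):
        s = quote(s, safe="!'()*")
    return s


def framework_decode(raw_query_value: str) -> str:
    """Stand-in for the single URL-decode every web framework applies
    to query parameters before the handler sees them."""
    return unquote(raw_query_value)


def vulnerable_handler(raw_query_value: str) -> str:
    """Constructed sink: escaping runs BEFORE a second URL-decode, so the
    escape sees '%3C' (no '<') and the later decode re-creates the tag."""
    value = framework_decode(raw_query_value)
    value = html.escape(value)   # output encoding applied too early
    value = unquote(value)       # second decode undoes the protection
    return f'The value of the cgi parameter "in" is: {value}'


def fixed_handler(raw_query_value: str) -> str:
    """Same double decode, but output encoding is the final step."""
    value = unquote(framework_decode(raw_query_value))
    return f'The value of the cgi parameter "in" is: {html.escape(value)}'


def reflects_unescaped(handler, encode_times: int) -> bool:
    """Scanner check: send the probe encoded `encode_times` times and report
    whether the decoded probe appears verbatim (unescaped) in the response."""
    return PROBE in handler(url_encode(PROBE, times=encode_times))


def scan(handler) -> dict:
    """Try single- and double-encoded variants. A scanner that stops at
    encode_times=1 reports no finding for the vulnerable handler."""
    return {n: reflects_unescaped(handler, n) for n in (1, 2)}
```

Running `scan(vulnerable_handler)` gives `{1: False, 2: True}`: the single-encoded probe is neutralised, only the double-encoded one is reflected as a tag, which is the false negative the report describes.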

GoogleCodeExporter commented 9 years ago
ZAP has been migrated to github

This issue will be on github issues with the same ID: 
https://github.com/zaproxy/zaproxy/issues

Original comment by psii...@gmail.com on 5 Jun 2015 at 9:18