
Automatically exported from code.google.com/p/zaproxy

XSS False Positive on injections into script block (Webseclab /xss/reflect/js3_fp?in=) #1641

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Install and launch Webseclab - installation described in https://code.google.com/p/zaproxy/issues/detail?id=1632&sort=-id or on the project README, https://github.com/yahoo/webseclab
2. Scan the /xss/reflect/js3_fp?in=x entrypoint with zaproxy - ex. http://127.0.0.1:8088/xss/reflect/js3_fp?in=xyz if you have Webseclab running on 127.0.0.1:8088

What is the expected output? What do you see instead?
The entrypoint implements a False Positive / non-exploitable injection into a script block, with the string value in the script block being properly quoted and no way to break out of the quoted string context, as the HTML tags (such as closing </script>) and quotes are removed. zaproxy should not flag that injection as a Cross-Site Scripting vulnerability, as it can be a legitimate way to include user input data and can lead to massive noise in the scan results (for example, on search results pages etc.)

A similar case is on the http://127.0.0.1:8088/xss/reflect/js3_notags_fp?in=xyz entrypoint. A screenshot showing ZAP flagging the non-existing Cross-Site Scripting vulnerability is attached.

What version of the product are you using? On what operating system?
OWASP ZAP 2.4.0 on OS X 10.3.3

Please provide any additional information below.

Arachni Scanner correctly does not flag any issues on these _fp (False Positive) entrypoints, as seen in the attached screenshots (scanning done using the "Cross-Site Scripting" profile).

Original issue reported on code.google.com by dsavi...@gmail.com on 15 May 2015 at 10:20

Attachments:

GoogleCodeExporter commented 9 years ago
bad cut-and-paste of the Subject - must be: "False Positive on injections into script block (Webseclab /xss/reflect/js3_fp?in=)" Is there any way to edit the subject?

Original comment by dsavi...@gmail.com on 15 May 2015 at 10:22

GoogleCodeExporter commented 9 years ago
Subject changed :)
Thanks for reporting these issues!

Original comment by psii...@gmail.com on 15 May 2015 at 11:28

GoogleCodeExporter commented 9 years ago
ZAP has been migrated to github

This issue will be on github issues with the same ID: 
https://github.com/zaproxy/zaproxy/issues

Original comment by psii...@gmail.com on 5 Jun 2015 at 9:18