ashenchowthee / zaproxy

Automatically exported from code.google.com/p/zaproxy

The report is not generated when a "Parameter tampering" alert with "NULL" character exists #198

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. generate html/xml report
2. choose location
3. save

What is the expected output? What do you see instead?
I expect to see a report of some sort open up in Firefox.  

Instead, I receive a message stating that "Firefox can't find the file at 
/zap/test.html/xml"

What version of the product are you using? On what operating system?
I am using ZAP 1.3.3 on an Ubuntu 10.10 install, I scanned a moth webapp server 
vmware image.  The scan seemed to run fine.

Please provide any additional information below.

We are new to this project and are looking at using it as our web app scanner.  

Thank you,

Original issue reported on code.google.com by agsherlo...@gmail.com on 11 Oct 2011 at 1:34

GoogleCodeExporter commented 9 years ago
Could you confirm that the file was created?
The "/xml" at the end of the path is correct?

Original comment by THC...@gmail.com on 11 Oct 2011 at 6:03

GoogleCodeExporter commented 9 years ago
I also ran into this issue. I was able to duplicate it in Windows and in 
different Linux distros (CentOS 6, BackTrack 5r1, Ubuntu 10.04, 11.04, Debian 6), 
using the Moth VM from Bonsai Information Security. 

I spider and then I scan with all options on. The log shows that the scanner 
finished ok. I try to save and I get the error message in my browser. No new 
entry appears in the log. 

A friend of mine was able to make it work by disabling the "parameter 
tampering" option  in the injection policy module. I tested zap without that 
option and everything worked. I then scanned with only the "parameter 
tampering" option and I wasn't able to create a report. 

I hope this can help in finding out what the problem is.

Original comment by jrs.pie...@gmail.com on 25 Oct 2011 at 5:14

GoogleCodeExporter commented 9 years ago
Steps to reproduce the problem with moth:
 - Run ZAP.
 - Access the URL: http://<moth-ip-address>/w3af/audit/preg_replace/preg_section_regex.php?search=
 - Start the active scan on <moth-ip-address> with the option "Parameter tampering" enabled
 - Generate a report.

Exception when choosing the option to generate a report:

org.xml.sax.SAXParseException: An invalid XML character (Unicode: 0x0) was 
found in the element content of the document.
    at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown Source)
    at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown Source)
    at org.parosproxy.paros.extension.report.ReportGenerator.stringToHtml(ReportGenerator.java:65)
    at org.parosproxy.paros.extension.report.ReportLastScan.generate(ReportLastScan.java:144)
    at org.parosproxy.paros.extension.report.ReportLastScan.generateHtml(ReportLastScan.java:186)
    at org.parosproxy.paros.extension.report.ExtensionReport$1.actionPerformed(ExtensionReport.java:93)
    at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
    at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
    at javax.swing.AbstractButton.doClick(Unknown Source)
    at javax.swing.plaf.basic.BasicMenuItemUI.doClick(Unknown Source)
    at javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(Unknown Source)
    ...
    at java.awt.EventDispatchThread.run(Unknown Source)

Original comment by THC...@gmail.com on 26 Oct 2011 at 1:55

GoogleCodeExporter commented 9 years ago

Original comment by THC...@gmail.com on 26 Oct 2011 at 1:57

GoogleCodeExporter commented 9 years ago
For a fix, how about enhancing ReportGenerator.entityEncode to encode null 
characters as something safe, like %00
Maybe we should do that for all non standard chrs?

Original comment by psii...@gmail.com on 3 Nov 2011 at 4:44

GoogleCodeExporter commented 9 years ago
In the "Alerts" tab, when you choose an alert from "Parameter tampering", that 
has a "NULL" character, the "Parameter:" field shows "param= ". The empty space 
is the "NULL" character, but it's not visible.

You have to look into the URI, in the "Alerts" tree, to see the character (it 
is encoded).

Apart from that I see no problem in encoding the characters in 
ReportGenerator.entityEncode, at least to prevent this issue.

Original comment by THC...@gmail.com on 3 Nov 2011 at 7:49

GoogleCodeExporter commented 9 years ago
Thought we could use something sensible, like:
StringEscapeUtils.escapeXml(str);
but it turns out this just stops outputting a null chr:(
So the best option might be to still use it but to first replace nulls with %00
I'll implement that.

Original comment by psii...@gmail.com on 4 Nov 2011 at 1:49
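Added illustration of the approach proposed in the thread (replace NULLs with a visible %00 marker before XML-escaping, then confirm the report parses). This is example Python, not ZAP's Java ReportGenerator; the names entity_encode, build_report and is_well_formed and the sample parameter value are constructed for the example.

```python
import re
import xml.dom.minidom
from xml.parsers.expat import ExpatError
from xml.sax.saxutils import escape

# Characters XML 1.0 does not allow in a document at all: every control
# character below 0x20 except tab, LF and CR, plus U+FFFE and U+FFFF.
# A plain XML escaper does not help here; the NULL must be replaced first.
_INVALID_XML_CHAR = re.compile("[\x00-\x08\x0b\x0c\x0e-\x1f\ufffe\uffff]")


def entity_encode(value: str) -> str:
    """Make an arbitrary alert string safe to embed in an XML/HTML report.

    Step 1: replace each invalid character with a readable %XX marker, so a
    NULL byte shows up in the report as the literal text "%00".
    Step 2: escape the XML markup characters (&, <, >, ").
    """
    marked = _INVALID_XML_CHAR.sub(
        lambda m: "%{:02X}".format(ord(m.group(0))), value)
    return escape(marked, {'"': "&quot;"})


def build_report(alert_param: str) -> str:
    """Wrap one (hypothetical) alert parameter in a minimal report document."""
    return "<report><alert><param>{}</param></alert></report>".format(
        entity_encode(alert_param))


def is_well_formed(document: str) -> bool:
    """Parse the document with a DOM parser, as the report generator does."""
    try:
        xml.dom.minidom.parseString(document)
        return True
    except ExpatError:
        return False


# Constructed sample: a parameter value containing a NULL, as a
# "Parameter tampering" alert against the moth URL above would record it.
SAMPLE_PARAM = "search=\x00"

if __name__ == "__main__":
    raw = "<report><alert><param>{}</param></alert></report>".format(SAMPLE_PARAM)
    print("raw document parses:", is_well_formed(raw))                  # False
    print("encoded document parses:", is_well_formed(build_report(SAMPLE_PARAM)))  # True
    print("encoded parameter:", entity_encode(SAMPLE_PARAM))            # search=%00
```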

GoogleCodeExporter commented 9 years ago

Original comment by psii...@gmail.com on 4 Nov 2011 at 1:52

GoogleCodeExporter commented 9 years ago

Original comment by psii...@gmail.com on 4 Nov 2011 at 7:07

GoogleCodeExporter commented 9 years ago

Original comment by psii...@gmail.com on 8 Apr 2012 at 1:19