intruxxer / zaproxy

Automatically exported from code.google.com/p/zaproxy

Watcher passive check issues #285

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Found a few problems with the 'watcher' passive checks:

The CrossDomainScriptInclusionScanner passive scanner reports problems when
including scripts that are actually local.
Example that it complains about:
<script type="text/javascript" src="/test/yui/build/tabview/tabview.js"></script>

The Information disclosure check causes an NPE:
Scanner Information disclosure - sensitive informations on HTTP Referrer header 
failed on record 10 from History table
java.lang.NullPointerException
    at org.zaproxy.zap.extension.pscan.scanner.InformationDisclosureReferrerScanner.isRequestedURLSameDomainAsHTTPReferrer(InformationDisclosureReferrerScanner.java:67)
    at org.zaproxy.zap.extension.pscan.scanner.InformationDisclosureReferrerScanner.scanHttpRequestSend(InformationDisclosureReferrerScanner.java:45)
    at org.zaproxy.zap.extension.pscan.PassiveScanThread.run(PassiveScanThread.java:110)

The Information disclosure check (and maybe others?) doesn't state which string
is matched, making it very difficult for users to work out what it's
complaining about.
This should be in the 'other' field.
It also appears to give lots of false positives, but as I can't tell what it's
complaining about I can't be sure :)

Original issue reported on code.google.com by psii...@gmail.com on 19 Mar 2012 at 11:20

GoogleCodeExporter commented 9 years ago
Another NPE:

Scanner Information disclosure - sensitive informations on HTTP Referrer header 
failed on record 199 from History table
java.lang.NullPointerException
    at org.zaproxy.zap.extension.pscan.scanner.InformationDisclosureReferrerScanner.scanHttpRequestSend(InformationDisclosureReferrerScanner.java:47)
    at org.zaproxy.zap.extension.pscan.PassiveScanThread.run(PassiveScanThread.java:110)

I think line 47 should be:
if (referrer != null && referrer.size() > 0 && referrer.get(0).indexOf("?") > 0) {

Original comment by psii...@gmail.com on 19 Mar 2012 at 2:38

GoogleCodeExporter commented 9 years ago
For the CrossDomainScriptInclusionScanner I probably have the answer, just
waiting for a comment from THC to get it committed.

For the InformationDisclosureReferrerScanner, I have added on line 45:
msg.getRequestHeader().getHeader(HttpHeader.REFERER) != null
I think it should correct that.

Original comment by desousa.vitor on 20 Mar 2012 at 10:14
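To illustrate the null-safety problem behind both NPEs and the request for the matched string to be reported, here is an added example (not ZAP's own code, and not the scanner's actual implementation) of a Referer check that tolerates a missing header and returns what it matched. The class and method names (ReferrerCheck, scan, Finding) are hypothetical, and only the JDK is used.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

// Added example, not ZAP's code: a null-safe version of the two things the
// InformationDisclosureReferrerScanner looks at (same-domain test, query string
// in the Referer), returning the matched string so a report can display it.
public final class ReferrerCheck {

    /** One reportable result; 'matched' is what the original issue asks to see in the 'other' field. */
    public static final class Finding {
        public final String reason;
        public final String matched;
        Finding(String reason, String matched) { this.reason = reason; this.matched = matched; }
        @Override public String toString() { return reason + ": " + matched; }
    }

    /**
     * @param requestUrl the URL of the request being scanned
     * @param referrers  the Referer header values; may be null or empty (the case that crashed the scan)
     * @return a Finding, or null when there is nothing to report
     */
    public static Finding scan(String requestUrl, List<String> referrers) {
        // Guard first: a request without a Referer header is the normal case, not an error.
        if (referrers == null || referrers.isEmpty() || referrers.get(0) == null) {
            return null;
        }
        String referrer = referrers.get(0);
        URI reqUri, refUri;
        try {
            reqUri = new URI(requestUrl);
            refUri = new URI(referrer);
        } catch (URISyntaxException e) {
            return null; // malformed values are skipped rather than killing the scan thread
        }
        String reqHost = reqUri.getHost();
        String refHost = refUri.getHost();
        if (reqHost == null || refHost == null || reqHost.equalsIgnoreCase(refHost)) {
            return null; // same domain (or no host at all): the query string stays first-party
        }
        String query = refUri.getRawQuery();
        if (query != null && !query.isEmpty()) {
            return new Finding("cross-domain Referer carries a query string", query);
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample input: a third-party request whose Referer leaks a query string.
        System.out.println(scan("http://other.example/page", List.of("http://app.example/a?session=abc123")));
        System.out.println(scan("http://app.example/page", null)); // prints "null": no Referer, no NPE
    }
}
```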