intruxxer / zaproxy

Automatically exported from code.google.com/p/zaproxy

New Attack Plugin - Quotation Encoding #71

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
I may be wrong, but I believe that the majority of XSS attacks take the form of 
single quote values to attempt to escape field entries. Likewise, SQL Injection 
typically assumes ' between field elements.

I propose that the following may be a suitable variation on all attacks that make 
use of quotation marks as part of their attack vectors.

 * Standard double quote value (")
 * URL Encoded %22
 * HTML Encoded - " ' or  
 * Byte encoded \22 
 * Slash Escaped \" or \'
 * Double Entry '' ""

I would further suggest that the activation of these values is user selectable, 
and perhaps expandable via the Scan Policy interface.

This applies to both attempts to escape html fields and to values within 
javascript methods.

Original issue reported on code.google.com by warmfus...@gmail.com on 17 Mar 2011 at 12:55
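As an added illustration of the proposal above (this is example code written for this page, not code from the original issue or from ZAP, whose scan rules are Java), the Python sketch below generates the six quote-encoding variants listed in the issue and runs each through a constructed reflection pipeline: an optional naive filter that rejects a raw parameter containing a literal quote, URL-decoding by the server, then reflection into a JavaScript string literal and into a double-quoted HTML attribute. Two points the list alone does not show: a slash-escaped `\"` is harmless inside a JS string but still closes an HTML attribute, and the URL-encoded form slips past a filter that only looks for literal quotes. Assumptions: the "byte encoded" `\22` is treated as a backslash-hex escape, and the HTML-entity forms are taken to be `&quot;` and `&#39;` (the entity names did not survive the export of the issue text); the filter and both sinks are toy constructions.

```python
"""Quote-encoding variants for an injection payload, plus a toy check of
which variants break out of two common reflection contexts."""
import urllib.parse

# Assumption: these are the entities the issue meant by "HTML Encoded".
HTML_ENTITY = {'"': "&quot;", "'": "&#39;"}


def _map_quotes(payload, fn):
    """Apply fn to every quote character in payload; leave other characters alone."""
    return "".join(fn(c) if c in "\"'" else c for c in payload)


def quote_variants(payload):
    """Rewrite the quote characters of payload using each variant from the issue."""
    return {
        "raw": payload,                                                   # " or '
        "url": _map_quotes(payload, lambda c: "%%%02X" % ord(c)),        # %22 / %27
        "html_entity": _map_quotes(payload, lambda c: HTML_ENTITY[c]),   # &quot; / &#39;
        "hex_escape": _map_quotes(payload, lambda c: "\\%02x" % ord(c)),  # \22 / \27 (assumed meaning)
        "slash": _map_quotes(payload, lambda c: "\\" + c),               # \" / \'
        "double": _map_quotes(payload, lambda c: c * 2),                 # "" / ''
    }


def naive_quote_filter(raw_param):
    """Constructed toy filter: accepts a request only if the raw (still URL-encoded)
    parameter contains no literal quote character."""
    return not any(c in raw_param for c in "\"'")


def js_string_breaks_out(value, quote='"'):
    """True if value, placed inside a JS string literal delimited by quote,
    terminates it early. A backslash escapes the following character, as in JS."""
    i = 0
    while i < len(value):
        c = value[i]
        if c == "\\":
            i += 2          # skip the escaped character, whatever it is
            continue
        if c == quote:
            return True
        i += 1
    return False


def html_attr_breaks_out(value, quote='"'):
    """True if value, placed inside an HTML attribute delimited by quote, closes it.
    HTML has no backslash escaping and an entity never closes an attribute,
    so only a literal quote character counts."""
    return quote in value


def evaluate(payload, filtered=False):
    """Run every variant of payload through the toy pipeline.

    Returns {variant_name: "blocked"} when the filter rejects the raw parameter,
    otherwise {variant_name: (breaks_js_string, breaks_html_attribute)} computed
    on the URL-decoded value the application would actually reflect."""
    results = {}
    for name, variant in quote_variants(payload).items():
        if filtered and not naive_quote_filter(variant):
            results[name] = "blocked"
            continue
        decoded = urllib.parse.unquote(variant)   # what the server-side code sees
        results[name] = (js_string_breaks_out(decoded), html_attr_breaks_out(decoded))
    return results


if __name__ == "__main__":
    for filtered in (False, True):
        print("filter on raw parameter:", "yes" if filtered else "no")
        for name, outcome in evaluate('"').items():
            print("  %-12s %s" % (name, outcome))
```

Read the output as a scan-policy designer would: with the filter off, `raw`, `url` and `double` break both contexts, `slash` breaks only the attribute context, and the entity and hex forms break neither; with the filter on, only the URL-encoded variant still gets through and breaks out, which is exactly why each variant needs to be tried rather than only the literal quote.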

GoogleCodeExporter commented 9 years ago
Yes, that makes sense.
I'd like the default to be to try all variants, but with the option for users 
to disable variants if they want to.
We need to perform a thorough review of the active scan rules, and probably to 
restructure and enhance them.
From the survey results to date the active scanner is clearly something a lot 
of people want us to focus on.

Original comment by psii...@gmail.com on 17 Mar 2011 at 1:06