intruxxer / zaproxy

Automatically exported from code.google.com/p/zaproxy

No Way to Specify Custom 404 #9

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Scan something that returns a 302 to a custom 404 error message.

What is the expected output? What do you see instead?
Lots of False positives, especially when it comes to default files.

What version of the product are you using? On what operating system?
1.0.0. OS doesn't matter.

Please provide any additional information below.

Original issue reported on code.google.com by logicalg...@gmail.com on 6 Oct 2010 at 4:13

GoogleCodeExporter commented 9 years ago
Completely agree with this - it's been on my todo for a while :)
In the next release the brute forcing of files and directories will be handled 
by components from DirBuster, which handles custom 404s much better.
However I think a more generic solution is also required so that custom error 
pages are clearly flagged in the History tab.

Original comment by psii...@gmail.com on 6 Oct 2010 at 5:45

GoogleCodeExporter commented 9 years ago
If we added handling for definition of custom errors wouldn't every rule have 
to be modified to account for such handling?

Original comment by kingtho...@gmail.com on 6 Jul 2014 at 1:22

GoogleCodeExporter commented 9 years ago
Yeah, it would be very useful though.
Rules would be able to use SomeClass.is404(url) or similar.
They wouldn't _have_ to, but they would work better if they did...
Note that the custom 404s should be associated with contexts ;)

Original comment by psii...@gmail.com on 7 Jul 2014 at 8:52

GoogleCodeExporter commented 9 years ago
There is ... ask me!

Original comment by anandkha...@gmail.com on 1 Feb 2015 at 8:23

GoogleCodeExporter commented 9 years ago
News to me.
Care to elaborate?

Original comment by psii...@gmail.com on 2 Feb 2015 at 8:30

GoogleCodeExporter commented 9 years ago
https://groups.google.com/d/msg/zaproxy-develop/41FgrOoggAw/HgrnP67rYgEJ

"It's something that would have big impact (from my perspective anyway) and 
could be implemented in phases/waves.

P1
Implement options/configuration pane or dialog.
Implement a isError(response) that checks if one (or more) of the configured 
items flag the response as an error. (This needs to be useable by both active 
and passive scanners.)
Based on simple string matching within responses.
Implement isError(response) checks in 1 or 2 active and passive rules that 
other devs can follow as a template/guide. (Perhaps the Example rules too.)
P2
Extend to handle matching URL patterns (absolute or relative)
P3
Extend to handle regex matching
P4
Implement functionality to update (remove) existing alerts that are affected by 
"new" isError(response) definitions (so that if a user defines a new error 
pattern after having scanned, the alert tree is updated, removing false positives)
Pn
Implement isError(response) in all relevant active and passive rules.

Why I think this is a great idea: I recently had a ton of false positives 
related to Backup File Disclosure because the server I was testing actually 
replied to requests that were not found with a 302 to 
/FileNotFound.aspx?aspxerrorpath=/page_copy.aspx. If I could have defined this 
URL or some of the page content as an error page then these false positives 
probably wouldn't have been identified."

Original comment by kingtho...@gmail.com on 12 Feb 2015 at 1:16
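
The staged isError(response) design quoted above, modelled end to end as an added example. This is illustration code, not ZAP's own implementation: the class names, the Response shape, the glob-style URL patterns, the context-as-URL-prefix scoping and the sample responses are all assumptions made here. It covers P1 (substring match in the body), P2 (absolute or relative URL patterns, including the Location of a redirect so the 302 to /FileNotFound.aspx case is caught), P3 (regex), a template rule that consults the check before alerting, and P4 (re-checking alerts already raised once a definition is added after the scan).

```python
"""Model of the staged isError(response) check proposed in the thread above.

Added illustration, not ZAP's own code: the class names, the Response shape,
the glob-style URL patterns and the sample responses are all assumptions.
"""
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

REDIRECTS = (301, 302, 303, 307, 308)


@dataclass
class Response:
    """Minimal stand-in for an HTTP response as a scan rule sees it."""
    url: str
    status: int
    headers: Dict[str, str]
    body: str


@dataclass
class CustomErrorConfig:
    """Per-context definition of what a custom error page looks like."""
    context_prefix: str                                        # custom 404s are tied to a context
    body_strings: List[str] = field(default_factory=list)      # P1: plain substring in the body
    url_patterns: List[str] = field(default_factory=list)      # P2: absolute URL or relative path globs
    body_regexes: List[re.Pattern] = field(default_factory=list)  # P3: regexes over the body

    def is_error(self, resp: Response) -> bool:
        """True if any configured definition flags this response as an error page."""
        if not resp.url.startswith(self.context_prefix):
            return False                                       # outside this context: no opinion
        # Candidate URLs: the request itself and, for a redirect, where it sends us.
        # Resolving Location is what catches 302 -> /FileNotFound.aspx?aspxerrorpath=...
        candidates = [resp.url]
        location = resp.headers.get("Location")
        if resp.status in REDIRECTS and location:
            candidates.append(urljoin(resp.url, location))
        if any(self._url_matches(u) for u in candidates):
            return True
        if any(s in resp.body for s in self.body_strings):
            return True
        return any(rx.search(resp.body) for rx in self.body_regexes)

    def _url_matches(self, url: str) -> bool:
        # Absolute patterns are matched against the whole URL, relative ones
        # against the path only (so the query string does not defeat the match).
        path = urlparse(url).path or "/"
        for pattern in self.url_patterns:
            target = url if pattern.startswith(("http://", "https://")) else path
            if fnmatchcase(target, pattern):
                return True
        return False


@dataclass
class Alert:
    rule: str
    response: Response


def backup_file_rule(resp: Response, cfg: CustomErrorConfig) -> Optional[Alert]:
    """Sketch of a template rule (P1) that asks is_error() before alerting.

    Without the check, anything that is not a literal 404 is reported as a
    disclosed backup file, which is the false positive from the thread.
    """
    if resp.status == 404 or cfg.is_error(resp):
        return None
    return Alert("Backup File Disclosure", resp)


def prune_alerts(alerts: List[Alert], cfg: CustomErrorConfig) -> Tuple[List[Alert], List[Alert]]:
    """P4: re-check alerts already raised against a definition added afterwards."""
    kept = [a for a in alerts if not cfg.is_error(a.response)]
    removed = [a for a in alerts if cfg.is_error(a.response)]
    return kept, removed


# Constructed sample traffic (assumed hosts, not captured from a real server).
SITE = "http://example.test/"
SAMPLES = [
    Response(SITE + "page_copy.aspx", 302,
             {"Location": "/FileNotFound.aspx?aspxerrorpath=/page_copy.aspx"}, ""),
    Response(SITE + "old.bak", 200, {}, "<h1>Sorry, the page you requested was not found.</h1>"),
    Response(SITE + "page.aspx", 200, {}, "<html>welcome</html>"),
    Response("http://other.test/page_copy.aspx", 302, {"Location": "/FileNotFound.aspx"}, ""),
]

BEFORE = CustomErrorConfig(context_prefix=SITE)            # nothing defined yet: every hit alerts
AFTER = CustomErrorConfig(                                 # definitions added after the scan
    context_prefix=SITE,
    body_strings=["page you requested was not found"],
    url_patterns=["/FileNotFound.aspx"],
    body_regexes=[re.compile(r"\b(404|not\s+found)\b", re.I)],
)


def false_positive_demo() -> Tuple[List[str], List[str]]:
    """Scan with no definitions, then prune with the added ones: (kept, removed) URLs."""
    alerts = [a for a in (backup_file_rule(r, BEFORE) for r in SAMPLES) if a]
    kept, removed = prune_alerts(alerts, AFTER)
    return [a.response.url for a in kept], [a.response.url for a in removed]
```

Running false_positive_demo() removes the two example.test alerts (the redirect to /FileNotFound.aspx and the soft 404 body) and keeps the genuine page.aspx hit. The other.test alert also survives, because the definition is scoped to the example.test context, which is the behaviour the thread asks for when it says custom 404s should be associated with contexts.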

GoogleCodeExporter commented 9 years ago

Original comment by kingtho...@gmail.com on 12 Feb 2015 at 4:50