Font file string intepreted as Drupal Hash - Githubissues

zaproxy / community-scripts

A collection of ZAP scripts and tips provided by the community - pull requests very welcome!

Apache License 2.0

786 stars 238 forks source link

Font file string intepreted as Drupal Hash #460

Open fzx404 opened 3 months ago

fzx404 commented 3 months ago

Describe the bug

False Positive:

Requires Passive Scanning Alpha in order to have the "Information Disclosure - Drupal Hash (Passive 100010). A woff2 font file (and by extent, other files too?) content may contains strings that would trigger the regex https://github.com/zaproxy/community-scripts/blob/bf5135a7cd2ebf9994e28ae354a49633c40abd6c/passive/Find%20Hashes.js#L60

Here is what triggered this regex in my case : $½$u°+ºº¥nu÷{ûJ0»2¼ó¬$Óë¾}'d>æüºJVõmMdÒöVU< As far as I know Drupal hashes are alphanumeric only. Maybe a more restrictive regex like some others in the same file could do the job.

Steps to reproduce the behavior

Have ZAP passive scan analyze a response with the content of a woff2 font file.
If the file happens to contain a string starting with $ followed by a char, then another $ , and whatever 52 other char then the request is going to be tagged as "Information Disclosure - Drupal Hash".

Expected behavior

As the content of a font file has nothing to do with a Drupal hash, this alert should not be raised.

Software versions

ZAP 2.15.0 Desktop

Screenshots

No response

Errors from the zap.log file

No response

Additional context

Passive Scanner Alpha v42.0.0

Would you like to help fix this issue?

[ ] Yes

kingthorin commented 3 months ago

With some quick research I did find that it always literally starts with $S followed to upper/lower alpha-numeric plus /. 52 char. So the regex could be better, there's probably a number of content/file types that can be ignored or excluded like the core hash rule.