Closed globeone closed 2 years ago
Can you check if the RetireJS add-on reports this? https://www.zaproxy.org/docs/desktop/addons/retire.js/ The Dangerous JS Functions rule will not have the context to understand that it's AngularJS...
To be clear, the Alert you quoted is about the use of that specific function; the place it was identified just happens to be in an AngularJS file, NOT use of AngularJS itself.
@psiinon I've just checked the upstream data file, I don't see anything about EoL for AngularJS. I'll open an issue.
I've also created an upstream PR for the mentioned CVE: https://github.com/RetireJS/retire.js/pull/386
Thanks, I get lost in the complexity of what detects what sometimes.
@globeone could you check zaproxy/zap-extensions#3743?
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Describe the bug
When passive scanning for Dangerous JavaScript Functions, ZAP reports back that it found AngularJS but marks it as low. AngularJS was deprecated December 31st, 2021 and no longer receives security patches or updates. There are known exploits for AngularJS such as stealing data using the $SCOPE variable. When AngularJS is found, ZAP should report this as high and give the advice to upgrade to regular Angular or another framework like React.
Steps to reproduce the behavior
Enter a URL and do a manual explore; when the Passive Scanner comes across AngularJS it will flag it as Low risk, Low confidence.
Expected behavior
When finding a JavaScript library with many known vulnerabilities, ZAP should flag this as high risk, high confidence.
Software versions
OWASP ZAP Version: D-2022-08-01
Installed Add-ons: [[id=accessControl, version=8.0.0], [id=alertFilters, version=14.0.0], [id=ascanrules, version=47.0.0], [id=ascanrulesAlpha, version=38.0.0], [id=ascanrulesBeta, version=42.0.0], [id=attacksurfacedetector, version=1.1.4], [id=authstats, version=2.0.0], [id=automation, version=0.17.0], [id=bruteforce, version=12.0.0], [id=callhome, version=0.5.0], [id=commonlib, version=1.10.0], [id=coreLang, version=16.0.0], [id=custompayloads, version=0.11.0], [id=diff, version=12.0.0], [id=directorylistv1, version=6.0.0], [id=directorylistv2_3, version=4.0.0], [id=directorylistv2_3_lc, version=4.0.0], [id=domxss, version=13.0.0], [id=encoder, version=0.7.0], [id=exim, version=0.3.0], [id=fileupload, version=1.1.0], [id=formhandler, version=6.0.0], [id=fuzz, version=13.7.0], [id=gettingStarted, version=14.0.0], [id=graaljs, version=0.3.0], [id=graphql, version=0.10.0], [id=help, version=15.0.0], [id=hud, version=0.14.0], [id=imagelocationscanner, version=3.0.0], [id=invoke, version=12.0.0], [id=jsonview, version=2.0.0], [id=network, version=0.3.0], [id=oast, version=0.11.0], [id=onlineMenu, version=10.0.0], [id=openapi, version=28.0.0], [id=plugnhack, version=13.0.0], [id=portscan, version=10.0.0], [id=pscanrules, version=43.0.0], [id=pscanrulesAlpha, version=35.0.0], [id=pscanrulesBeta, version=30.0.0], [id=quickstart, version=34.0.0], [id=reflect, version=0.0.11], [id=regextester, version=2.0.0], [id=replacer, version=10.0.0], [id=reports, version=0.16.0], [id=requester, version=7.0.0], [id=retest, version=0.3.0], [id=retire, version=0.13.0], [id=reveal, version=5.0.0], [id=revisit, version=4.0.0], [id=scripts, version=31.0.0], [id=selenium, version=15.10.0], [id=sequence, version=7.0.0], [id=soap, version=14.0.0], [id=spiderAjax, version=23.8.0], [id=sqliplugin, version=15.0.0], [id=tips, version=10.0.0], [id=tokengen, version=15.0.0], [id=treetools, version=8.0.0], [id=wappalyzer, version=21.11.0], [id=webdriverlinux, version=42.0.0], [id=webdrivermacos, version=43.0.0], [id=webdriverwindows, version=42.0.0], [id=websocket, version=27.0.0], [id=zest, version=36.0.0]]
Operating System: Windows 10
Architecture: amd64
Java Version: Eclipse Adoptium 17.0.3
System's Locale: en_US
Display Locale: en_GB
Format Locale: en_US
Default Charset: UTF-8
ZAP Home Directory: C:\Users\$USER\OWASP ZAP_D\
ZAP Installation Directory: C:\Users\$USER\LocalPrograms\ZAPWeekly\ZAP_D-2022-08-01.\
Look and Feel: FlatLaf Light (com.formdev.flatlaf.FlatLightLaf)
Screenshots
Errors from the zap.log file
This is not an error from the logs but an incorrect classification.
Additional context
Here is the blog post from Angular explaining the deprecation and that AngularJS is no longer supported: https://blog.angular.io/discontinued-long-term-support-for-angularjs-cc066b82e65a
Here are the upgrade instructions for upgrading to Angular: https://angular.io/guide/upgrade
Here is one of the CVEs in AngularJS, CVE-2019-14863: There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.
Would you like to help fix this issue?
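As an added example (not ZAP's or retire.js's own code), the following Python sketch shows the distinction psiinon draws above: a rule that only matches a dangerous function call has no idea which library it is looking at, whereas a version-aware library check, which is what the RetireJS add-on performs, extracts the library version from the file header and compares it against a vulnerability database. Only facts stated in this issue are used as data (CVE-2019-14863 for AngularJS versions before 1.5.0-beta.0, and AngularJS support ending on 2021-12-31); the header regex, the database layout, the severity labels and the sample file headers are constructed for illustration and do not reproduce the real retire.js data file or its rating scheme.

```python
import re
from datetime import date

# Constructed, simplified vulnerability data. The real retire.js repository
# data file is larger and formatted differently; only facts from the issue
# text are encoded here.
ANGULARJS_EOL = date(2021, 12, 31)
VULN_DB = {
    "angularjs": {
        # Modeled on how a library fingerprint works: look for the banner
        # comment at the top of angular(.min).js and capture the version.
        "content_regex": re.compile(
            r"/\*\s*AngularJS v(\d+\.\d+\.\d+(?:-[0-9A-Za-z.]+)?)"
        ),
        "vulns": [
            {"id": "CVE-2019-14863", "below": "1.5.0-beta.0", "severity": "high"},
        ],
    }
}


def parse_version(version: str):
    """Turn '1.5.0-beta.0' into a sortable key following semver ordering.

    A release sorts after any of its prereleases (1.5.0-beta.0 < 1.5.0), and
    numeric prerelease identifiers sort before alphanumeric ones.
    """
    main, _, pre = version.partition("-")
    nums = tuple(int(part) for part in main.split("."))
    pre_key = tuple(
        (0, int(part)) if part.isdigit() else (1, part)
        for part in (pre.split(".") if pre else [])
    )
    # Middle element: 0 for prerelease, 1 for a final release.
    return (nums, 0 if pre else 1, pre_key)


def is_below(version: str, bound: str) -> bool:
    return parse_version(version) < parse_version(bound)


def detect_library(js_source: str):
    """Return (library name, version) if a known library banner is found."""
    for name, entry in VULN_DB.items():
        match = entry["content_regex"].search(js_source)
        if match:
            return name, match.group(1)
    return None


def assess(js_source: str, scan_date: date):
    """Produce findings for a JS file: known CVEs by version plus end-of-life."""
    found = detect_library(js_source)
    if found is None:
        return []
    name, version = found
    findings = []
    for vuln in VULN_DB[name]["vulns"]:
        if is_below(version, vuln["below"]):
            findings.append({
                "library": name, "version": version, "id": vuln["id"],
                "severity": vuln["severity"],
                "reason": f"version {version} is below {vuln['below']}",
            })
    # End-of-life is independent of the version: every AngularJS release is
    # unsupported once the LTS end date has passed.
    if name == "angularjs" and scan_date > ANGULARJS_EOL:
        findings.append({
            "library": name, "version": version, "id": "EOL",
            "severity": "high",
            "reason": f"AngularJS support ended {ANGULARJS_EOL.isoformat()}",
        })
    return findings


# Constructed sample file heads in the shape of an angular.min.js banner.
SAMPLE_OLD = "/*\n AngularJS v1.4.8\n License: MIT\n*/\n(function(w){w.angular={};})(window);"
SAMPLE_PRE = "/*\n AngularJS v1.5.0-beta.0\n License: MIT\n*/\n(function(w){w.angular={};})(window);"
SAMPLE_NEW = "/*\n AngularJS v1.8.2\n License: MIT\n*/\n(function(w){w.angular={};})(window);"
SAMPLE_UNRELATED = "function render(html){ el.innerHTML = html; }"

if __name__ == "__main__":
    for finding in assess(SAMPLE_OLD, date(2022, 8, 1)):
        print(finding)
```

Run against the 1.4.8 sample with the issue's scan date of 2022-08-01, the check yields both the CVE finding and the end-of-life finding; the unrelated snippet yields nothing, which is exactly the situation where a function-name rule would fire on its own without any library context.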