zaproxy / zaproxy

The ZAP core project
https://www.zaproxy.org
Apache License 2.0

Source Code Disclosure - File Inclusion #8517

Open jitendra-90 opened 1 week ago

jitendra-90 commented 1 week ago

Describe the bug

I am not able to replicate the issue. There, in the response, I am getting "not found" or "bad request", so how can we say that this is a "Source Code Disclosure - File Inclusion" alert?

Request:

GET https://pentestingapp.azurewebsites.net/.idea HTTP/1.1
host: /.idea
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Cookie: ARRAffinity=92ca53ad8db4fbb93d4d3b7d8ab54dcf8ffecb2d731f25b0e91ad575d7534c3f; ARRAffinitySameSite=92ca53ad8db4fbb93d4d3b7d8ab54dcf8ffecb2d731f25b0e91ad575d7534c3f; UserName=jitedra; password=123456; .AspNetCore.Antiforgery.9fXoN5jHCXs=CfDJ8M0wyS_0YC9LvkHdMgGLGWXc6EiUicAxqSP_BzcW1BoAEyecLhX0lQOeKRXJ112inQn6ZtnJfRMqAAM_SgjJlqArsuyfnAniwOcdAkl1ztez7-m1yHX9FwEIy6_aPhn1Z2rQuQT8S-JNCeKe4cSW22Y
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=1
x-zap-scan-id: 43

Response:

HTTP/1.1 400 Bad Request
Content-Length: 0
Connection: close
Date: Thu, 13 Jun 2024 15:25:31 GMT

Steps to reproduce the behavior

Not reproducible.

Expected behavior

This alert should not come.

Software versions

2.15.0

Screenshots

[screenshot]

Errors from the zap.log file

No response

Additional context

No response

Would you like to help fix this issue?

kingthorin commented 1 week ago

Ummm you seem to be leaking passwords in cookies.

kingthorin commented 1 week ago

The issue here is more that an empty response is triggering the alert.

Any status code could still be leaking the actual info, non-compliant behaviour is seen all the time.

jitendra-90 commented 1 week ago

[screenshot] This is the alert detail. How can I reproduce this, while this type of URL does not exist in the whole application? The same alert is also coming in other applications on the basis of "/".

kingthorin commented 6 days ago

You seem to have header injection enabled. So this occurred when comparing the differences between the original, and injected value, and a control value when manipulating the request's host header. (Same for #8519)

jitendra-90 commented 6 days ago

How can I solve it?

kingthorin commented 6 days ago

It's likely a false positive due to unhandled empty response (in the scan rule).
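The comparison kingthorin describes (original response vs. a control value vs. the Host-header-injected value) can be modelled to show why a zero-byte 400 ends up reported. The block below is an added illustration written for this thread, not ZAP's scan rule code and not the logic of SourceCodeDisclosureFileInclusionScanRule; the sample responses, the `naive_rule` / `hardened_rule` names and the `SOURCE_HINTS` pattern are all constructed for the example. The point it demonstrates is the one made in the thread: gate on body content rather than on status code, because a 400 or 500 can still carry leaked source, but never treat an empty body as evidence.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# Constructed sample traffic modelled on the issue: the original page, a control
# request sent with a harmless Host value, and the "attack" request whose Host
# header carried the payload. Azure answered the attack with HTTP 400, no body.
ORIGINAL = Response(200, "<html><body><h1>Login</h1><form action='/login'>...</form></body></html>")
CONTROL = Response(200, "<html><body><h1>Login</h1><form action='/login'>...</form></body></html>")
ATTACK_EMPTY = Response(400, "")

# Constructed example of what a real disclosure would look like: the server
# handing back its own source instead of rendering it.
ATTACK_LEAK = Response(200, "<?php\n$db = new PDO('mysql:host=localhost', 'root', 'secret');\n")

# Assumed (hypothetical) indicators that a body is source rather than markup.
SOURCE_HINTS = re.compile(
    r"<\?php|#include\s*<|\bimport\s+[\w.]+;|\busing\s+System\b|\bpackage\s+[\w.]+;|\bdef\s+\w+\("
)


def naive_rule(original: Response, control: Response, attack: Response) -> bool:
    """Model of the failure mode from the thread (not ZAP's actual code).

    "Differs from the original, differs from the control, and is not the page's
    HTML" is satisfied by a body of zero bytes, so the empty 400 is flagged.
    """
    return (
        attack.body != original.body
        and attack.body != control.body
        and "<html" not in attack.body.lower()
    )


def hardened_rule(original: Response, control: Response, attack: Response) -> bool:
    """Same comparison with the empty-response case handled.

    The status code is deliberately not used as a gate: non-compliant servers
    leak through 4xx/5xx responses all the time, so only the content decides.
    """
    if not attack.body.strip():
        return False  # no body, no evidence, no alert
    if attack.body == original.body or attack.body == control.body:
        return False  # injection made no observable difference
    return SOURCE_HINTS.search(attack.body) is not None


def triage(original: Response, control: Response, attack: Response) -> dict:
    """Return both verdicts so a reviewer can see which check produced an alert."""
    return {
        "status": attack.status,
        "body_bytes": len(attack.body.encode()),
        "naive_alert": naive_rule(original, control, attack),
        "hardened_alert": hardened_rule(original, control, attack),
    }


if __name__ == "__main__":
    print("empty 400:", triage(ORIGINAL, CONTROL, ATTACK_EMPTY))
    print("leaked source:", triage(ORIGINAL, CONTROL, ATTACK_LEAK))
```

Running it shows the empty 400 raising an alert under the naive comparison and none under the hardened one, while the constructed leak is caught by both. The same shape of check is useful when triaging the alert by hand: if the evidence body in the alert is zero bytes, the finding is a comparison artefact rather than a disclosure.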