ascanrules: sqli heuristic to fix 3xx redirect false positives #5975
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1 task
This comment has been minimized.
This comment has been minimized.
psiinon
force-pushed
the
sqli-redirect-locations-false-positive
branch
from
364067d to
b4f18a0
Compare
psiinon
approved these changes
Apr 9, 2025
psiinon
force-pushed
the
sqli-redirect-locations-false-positive
branch
from
b4f18a0 to
75319bb
Compare
kingthorin
reviewed
Apr 9, 2025
addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRule.java
Show resolved
Hide resolved
addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRule.java
Outdated
Show resolved
Hide resolved
psiinon
force-pushed
the
sqli-redirect-locations-false-positive
branch
from
75319bb to
4f7162d
Compare
kingthorin
approved these changes
Apr 9, 2025
Signed-off-by: Simon Bennetts <[email protected]>
psiinon
force-pushed
the
sqli-redirect-locations-false-positive
branch
from
4f7162d to
d58bc10
Compare
thc202
approved these changes
Apr 10, 2025
|
Thank you both! |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
Fix the sql injection false positive case described in zaproxy/zaproxy#8651. The short summary is that the expression based test sends 3 requests: normal, modified, and confirm. A sql injection is suspected if normal and modified return the same response, but confirm returns a different response. The response comparison logic looks only at the response body. In the case of 3xx redirects the bodies can be exactly the same when the location headers are different. This change adds a heuristic for checking the location headers and treating different 3xx redirects as different responses, even when the bodies are the same.
This change is built on top of #5974. Once that one is done I'll rebase, squash, and sign-off the resulting commit.
Related Issues
Fix zaproxy/zaproxy#8651.
Checklist
./gradlew spotlessApplyfor code formattingFor more details, please refer to the developer rules and guidelines.