Move time based attacks to their own scan rules #4316
The help and changelogs should be updated.
I've addressed the renaming and the changelog. As for the help section, I'm not so familiar with this part. Do I just need to make an update the
The help content, for example for ascanrules: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/javahelp/org/zaproxy/zap/extension/ascanrules/resources/help/contents/ascanrules.html Should be similar for alpha and beta add-ons as well.
The changes need a spotlessApply
I've updated the help.html of both packages and fixed some merge conflicts. Let me know if this doesn't look right. Thanks!
* | ||
* ZAP is an HTTP/HTTPS proxy for assessing web application security. | ||
* | ||
* Copyright 2020 The ZAP Development Team |
2022?
I guess this applies to all of the "new" Timing classes? Though I guess addressing it can wait till and be dependent on whether or not we're adding plugin IDs.
Hello. Just wanted to check in and see if there's anything else you want me to address on this PR. Thanks!
New rules should have new IDs.
@wapmon Scan rule IDs for the timing rules can be reserved via a PR against: https://github.com/zaproxy/zaproxy/blob/main/docs/scanners.md
@wapmon are you able to finish this and address the conflict?
@wapmon - I could pick up finishing this, if you don't have time right now. Would that be helpful? I'm looking forward to this change. Thanks for all the work getting it going!
This will be handled by the core team as discussed in the last team meeting.
@@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). | |||
## Unreleased | |||
### Changed | |||
- Maintenance changes. | |||
- Move time based attacks to their own scan rules (Issue 7341). |
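Review bot: The entry added under `### Changed` does not name the new timing rules or their plugin IDs, so anyone whose scan policies or alert filters are keyed on rule IDs cannot tell from the changelog which rules now exist or which existing rules no longer run time-based checks. Since the PR description says the split-out timing rules get their own plugin IDs, consider an `### Added` entry listing each new rule with its ID, and keep the `### Changed` line for the existing rules whose time-based attacks were moved out.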
We should be more explicit and mention the new rules/IDs.
Most of the RDBMS-specific SQL injection rules were already only doing Time Based, so I simply renamed those. The SQLite Rule was broken into 2 rules, but the original rule has the union based attack deactivated due to a bug, so it now will not do anything.
Signed-off-by: wapmon <wapmon@aol.com>
Review that the new rules:
I'm going to split rules that can already be merged into other PRs, starting with
Sounds great!
Fix zaproxy/zaproxy#7341
Breaking out the time-based attacks from the list in the issue into their own rules. Most of the RDBMS-specific SqlInjection rules were already exclusively performing time-based attacks, so these simply got renamed, with the exception of the SQLite rule, which was split up and the new timing rule was given its own new plugin ID. Most other rules were also split up in this manner to create a new timing-based version with its own plugin ID. There is mention in the issue of modifying the Alert tags that correspond to these rules, so I would appreciate some feedback on what to do around that.