|
| 1 | +--- |
| 2 | +title: "Timing Related Scan Rule Changes" |
| 3 | +summary: > |
| 4 | + Scan rules related to time based attacks have been split or renamed. |
| 5 | +type: post |
| 6 | +images: |
| 7 | +- https://www.zaproxy.org/blog/2025-07-22-timing-rule-changes/images/zapbot-clock-break.png |
| 8 | +addSocialPreview: true |
| 9 | +tags: |
| 10 | +- blog |
| 11 | +- scanrules |
| 12 | +date: "2025-07-22" |
| 13 | +authors: |
| 14 | +- thorin |
| 15 | +--- |
| 16 | + |
| 17 | +### Time Based Scan Rule Changes |
| 18 | + |
| 19 | +We have recently implemented a number of [requested](https://github.com/zaproxy/zap-extensions/pull/4316) changes with regard to scan rules which perform time based attacks. |
| 20 | + |
| 21 | +These changes were made to provide users with greater flexibility in creating scan policies. The changes are available in the current weekly release and Docker image, but not yet in stable. |
| 22 | + |
| 23 | +Here is a breakdown of what was changed: |
| 24 | + |
| 25 | +* The following Rules and Alerts were renamed to indicate that they're all time based (their IDs have stayed the same): |
| 26 | + * [40019](/docs/alerts/40019/) - SQL Injection - MySQL |
| 27 | + * [40020](/docs/alerts/40020/) - SQL Injection - Hypersonic |
| 28 | + * [40021](/docs/alerts/40021/) - SQL Injection - Oracle¹ |
| 29 | + * [40022](/docs/alerts/40022/) - SQL Injection - PostgreSQL |
| 30 | + * [40024](/docs/alerts/40024/) - SQL Injection - SQLite¹ (This rule had contained code for union based SQLi attacks however it had been disabled for a long time. If further SQLite attacks are added in the future they will appear associated with rule ID 90038.) |
| 31 | + * [40027](/docs/alerts/40027/) - SQL Injection - MsSQL |
| 32 | +* [40033](/docs/alerts/40033/) - NoSQL Injection - MongoDB - Time based attacks were previously split into rule [90039](/docs/alerts/90039/). |
| 33 | +* [90020](/docs/alerts/90020/) - Remote OS Command Injection - Time based attacks were split into a separate rule with ID [90037](/docs/alerts/90037/). |
| 34 | + |
| 35 | +#### Alert Tag TEST_TIMING |
| 36 | + |
| 37 | +The rules (and alerts) are now also decorated with the [TEST_TIMING](/alerttags/test_timing/) Alert Tag. |
| 38 | + |
| 39 | +--- |
| 40 | + |
| 41 | +¹ Although a number of changes have been implemented to address the potential for false positives in the past few years, |
| 42 | +this rule has not yet been updated to accommodate those improvements. |
| 43 | +It currently leverages 'expensive' functions versus invoking dedicated sleep methods. |
| 44 | +The time based rules may also extend scan time. |
0 commit comments