| 1 | +--- |
| 2 | +title: "Timing Related Scan Rule Changes" |
| 3 | +summary: > |
| 4 | + Scan rules related to timing attacks have been split ore renamed. |
| 5 | +images: |
| 6 | +- https://www.zaproxy.org/blog/2025-07-21-timing-rule-changes/something.png |
| 7 | +type: post |
| 8 | +tags: |
| 9 | +- blog |
| 10 | +- browser |
| 11 | +date: "2025-07-21" |
| 12 | +authors: |
| 13 | +- thorin |
| 14 | +--- |
| 15 | + |
| 16 | +# Time Based Scan Rule Changes |
| 17 | + |
| 18 | +We have recently implemented a number of [requested](https://github.com/zaproxy/zap-extensions/pull/4316) changes with regard to scan rules which perform time based attacks. |
| 19 | + |
| 20 | + |
| 21 | + |
| 22 | +These changes were made for two reasons: |
| 23 | +1. It provides users with greater control in creating scan policies. |
| 24 | +2. The Time Based rules are, under some circumstances, potentially more false positive prone. |
| 25 | +In the last few years a number of changes have been implemented to address the potential for false positives. |
| 26 | +(Those marked with an asterisk (*) below have not yet been updated to accommodate those improvements, they will be in the near future.) |
| 27 | + |
| 28 | +Here is a breakdown of what was changed: |
| 29 | + |
| 30 | +* The following Rules and Alerts were renamed to indicate that they're all Time Based (their IDs have stayed the same): |
| 31 | + * 40019 - SQL Injection - MySQL |
| 32 | + * 40020 - SQL Injection - Hypersonic |
| 33 | + * 40021 - SQL Injection - Oracle* |
| 34 | + * 40022 - SQL Injection - PostgreSQL |
| 35 | + * 40024 - SQL Injection - SQLite* (This rule had contained code for union based SQLi attacks however it had been disabled for a long time. If further SQLite attacks are added in the future they will appear associated with rule ID 90038.) |
| 36 | + * 40027 - SQL Injection - MsSQL |
| 37 | +* 40033 - NoSQL Injection MongoDB - Timing attacks were previously split into rule 90039. |
| 38 | +* 90020 - Remote OS Command Injection - Time based attacks and Alerts were split into a separate rule with ID 90037. |
| 39 | + |
| 40 | +# New Passive Scan Rule - ZAP is Out of Date |
| 41 | + |
| 42 | +A new passive scan rule has been introduced which will Alert users when their version of ZAP is out-of-date. It's implementation is fairly simple: |
| 43 | +An [Alert](/docs/alerts/10116/) will be added for each host which is passively scanned. The Risk associated with the Alert will be as follows: |
| 44 | +For full (semantic versioned) releases: |
| 45 | +* If two or more major versions behind: High |
| 46 | +* If one major version behind: Medium |
| 47 | +* If minor version behind: Low |
| 48 | +For weekly (date versioned) releases: |
| 49 | +* If three or more years behind: High |
| 50 | +* If two years behind: Medium |
| 51 | +* If one year behind: Low |
| 52 | + |
| 53 | +This will help CI/CD users to know if they've fallen behind. |
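Review bot: the front matter needs a pass before this ships: the `summary` on hunk line 4 has the typo "split ore renamed" (should be "split or renamed"), `images` on line 6 still points at the placeholder `something.png`, and the `title` ("Timing Related Scan Rule Changes") does not match the H1 on line 16 ("Time Based Scan Rule Changes"), so the listing and the post will disagree. The `browser` tag on line 10 also looks unrelated to a post about active scan rules and a version-check passive rule. In the body, "It's implementation is fairly simple" on line 42 should read "Its implementation", and the "New Passive Scan Rule" section would read more clearly with blank lines before the two "For full..." / "For weekly..." lead-ins so the risk lists render as separate lists rather than running into the preceding paragraph; a one-line note on how that rule relates to the timing changes (or that it is an unrelated addition) would help readers, since the summary only mentions the timing rules.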