| 1 | +--- |
| 2 | +title: "Timing Related Scan Rule Changes" |
| 3 | +summary: > |
| 4 | + Scan rules related to timing attacks have been split ore renamed. |
| 5 | +images: |
| 6 | +- https://www.zaproxy.org/blog/2025-07-21-timing-rule-changes/something.png |
| 7 | +type: post |
| 8 | +tags: |
| 9 | +- blog |
| 10 | +- browser |
| 11 | +date: "2025-07-21" |
| 12 | +authors: |
| 13 | +- thorin |
| 14 | +--- |
| 15 | + |
| 16 | +### Time Based Scan Rule Changes |
| 17 | + |
| 18 | +We have recently implemented a number of [requested](https://github.com/zaproxy/zap-extensions/pull/4316) changes with regard to scan rules which perform time based attacks. |
| 19 | + |
| 20 | + |
| 21 | + |
| 22 | +These changes were made to provide users with greater flexibility in creating scan policies. |
| 23 | +In the last few years a number of changes have been implemented to address the potential for false positives.¹ |
| 24 | + |
| 25 | +Here is a breakdown of what was changed: |
| 26 | + |
| 27 | +* The following Rules and Alerts were renamed to indicate that they're all Time Based (their IDs have stayed the same): |
| 28 | + * [40019](/docs/alerts/40019/) - SQL Injection - MySQL |
| 29 | + * [40020](/docs/alerts/40020/) - SQL Injection - Hypersonic |
| 30 | + * [40021](/docs/alerts/40021/) - SQL Injection - Oracle* |
| 31 | + * [40022](/docs/alerts/40022/) - SQL Injection - PostgreSQL |
| 32 | + * [40024](/docs/alerts/40024/) - SQL Injection - SQLite* (This rule had contained code for union based SQLi attacks however it had been disabled for a long time. If further SQLite attacks are added in the future they will appear associated with rule ID 90038.) |
| 33 | + * [40027](/docs/alerts/40027/) - SQL Injection - MsSQL |
| 34 | +* [40033](/docs/alerts/40033/) - NoSQL Injection MongoDB - Timing attacks were previously split into rule [90039](/docs/alerts/90039/). |
| 35 | +* [90020](/docs/alerts/90020/) - Remote OS Command Injection - Time based attacks and Alerts were split into a separate rule with ID [90037](/docs/alerts/90037/). |
| 36 | + |
| 37 | +### New Passive Scan Rule - ZAP is Out of Date |
| 38 | + |
| 39 | +A new passive scan rule has been introduced which will Alert users when their version of ZAP is out-of-date. It's implementation is fairly simple: |
| 40 | +An [Alert](/docs/alerts/10116/) will be added for each host which is passively scanned. The Risk associated with the Alert will be as follows: |
| 41 | +For full (semantic versioned) releases: |
| 42 | +- Low: 1 minor version behind |
| 43 | +- Medium: 2 minors versions, 1 major version |
| 44 | +- High: 3+ minor versions, 2+ major versions |
| 45 | + |
| 46 | +For weekly (date versioned) releases: |
| 47 | +* Low: 1 year behind |
| 48 | +* Medium: 2 years behind |
| 49 | +* High: 3+ years behind |
| 50 | + |
| 51 | +This will help CI/CD users to know if they've fallen behind. |
| 52 | + |
| 53 | +--- |
| 54 | + |
| 55 | +¹ Those marked with an asterisk (*) have not yet been updated to accommodate those improvements. |
| 56 | +They currently leverage 'expensive' functions versus invoking dedicated sleep methods. |
| 57 | +The Time Based rules may also extend scan time, especially in cases where targets are highly vulnerable. |
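Review bot: the frontmatter summary has a typo, "split ore renamed" should be "split or renamed", and a few more copy issues in the same hunk should be fixed before this post is published. The `images:` entry points at a placeholder (`.../something.png`) rather than a real asset, and the `browser` tag does not fit a post about active/passive scan rule changes. In the body, "It's implementation is fairly simple" should be "Its implementation is fairly simple", "2 minors versions" should be "2 minor versions", and the frontmatter title ("Timing Related") and the H3 ("Time Based") should use the same wording. The footnote marker ¹ is attached to the sentence about false positives, but footnote ¹ actually explains the asterisks on 40021 and 40024 in the rule list; either move the marker onto the list intro or reword the footnote so the reference reads correctly.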