Skip to content

ascanrules: Reflected XSS introduce param object#6480

Draft
kingthorin wants to merge 1 commit intozaproxy:mainfrom
kingthorin:xxs-param
Draft

ascanrules: Reflected XSS introduce param object#6480
kingthorin wants to merge 1 commit intozaproxy:mainfrom
kingthorin:xxs-param

Conversation

@kingthorin
Copy link
Member

@kingthorin kingthorin commented Jun 2, 2025
edited
Loading

Overview

To facilitate further modifications and refactoring.

  • CHANGELOG > Maint note already exists.
  • CrossSiteScriptingScanRule > Introduce and leverage new param object.
  • HtmlContextAnalyser > Throw an exception if the target param is empty as that leads to an infinite loop.

Related Issues

@psiinon
Copy link
Member

psiinon commented Jun 2, 2025
edited
Loading

Logo
Checkmarx One – Scan Summary & Detailsba1b1224-6458-4a38-93f2-dd8e3ff46a31

Great job! No new security vulnerabilities introduced in this pull request

Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR

@kingthorin kingthorin force-pushed the xxs-param branch 4 times, most recently from 14d5a43 to 1132a0a Compare June 5, 2025 12:37
@kingthorin
Copy link
Member Author

kingthorin commented Jun 5, 2025

Added "clean code" commit.
It removes an unused param in two methods in the rule, and returns an object directly skipping an intermediate store in the unit tests.

@kingthorin kingthorin marked this pull request as draft June 20, 2025 11:33
@kingthorin kingthorin added the waiting-for:author This issue or PR is currently waiting for input or changes from the original submitter label Jun 20, 2025
@kingthorin kingthorin requested a review from Copilot June 27, 2025 10:36
Copilot AI reviewed Jun 27, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This pull request refactors the XSS scanning functionality to introduce a new parameter object (XssAttackParam) for improved readability and extendability, and adds an exception in HtmlContextAnalyser to prevent an infinite loop when the target parameter is empty. Key changes include:

  • Adding a check in HtmlContextAnalyser to throw an exception for an empty target.
  • Refactoring multiple performAttack methods in CrossSiteScriptingScanRule to use the new XssAttackParam.
  • Updating the changelog with maintenance changes.

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/httputils/HtmlContextAnalyser.java Added a validation exception for an empty target parameter.
addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRule.java Replaced overloaded performAttack methods with a unified method using XssAttackParam and applied necessary refactoring across various attack tests.
addOns/ascanrules/CHANGELOG.md Updated changelog to include maintenance changes.

@kingthorin
Copy link
Member Author

kingthorin commented Aug 7, 2025

Verified that the additional tests in #6638 also work here. I know this still requires attention, just making note.

@kingthorin
ascanrules: Reflected XSS introduce param object
65b204d 
To facilitate further modifications and refactoring.

- CHANGELOG > Maint note already exists.
- CrossSiteScriptingScanRule > Introduce and leverage new param object.
- HtmlContextAnalyser > Throw an exception if the target param is empty
as that leads to an infinite loop.

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>
# Conflicts:
#	addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRule.java
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thc202 thc202 thc202 left review comments

Copilot code review Copilot Copilot left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

waiting-for:author This issue or PR is currently waiting for input or changes from the original submitter

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@kingthorin @psiinon @thc202