ascanrulesAlpha: Add Suspicious Input Transformation Script

addOns/ascanrulesAlpha/CHANGELOG.md

@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Added
+- Suspicious Input Transformation Script Scan Rule.
 
 ## [51] - 2025-09-18
 ### Changed

addOns/ascanrulesAlpha/ascanrulesAlpha.gradle.kts

@@ -14,6 +14,20 @@ zapAddOn {
                 }
             }
         }
+
+        extensions {
+            register("org.zaproxy.zap.extension.ascanrulesAlpha.scripts.ExtensionAscanRulesAlphaScripts") {
+                classnames {
+                    allowed.set(listOf("org.zaproxy.zap.extension.ascanrulesAlpha.scripts"))
+                }
+                dependencies {
+                    addOns {
+                        register("scripts")
+                        register("graaljs")
+                    }
+                }
+            }
+        }
     }
 }
 
@@ -25,4 +39,7 @@ dependencies {
     zapAddOn("commonlib")
 
     testImplementation(project(":testutils"))
+    testImplementation(project(":addOns:graaljs"))
+    testImplementation(project(":addOns:scripts"))
+    testImplementation(parent!!.childProjects.get("graaljs")!!.sourceSets.test.get().output)
 }

addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/scripts/ExtensionAscanRulesAlphaScripts.java

@@ -0,0 +1,163 @@
+/*
+ * Zed Attack Proxy (ZAP) and its related class files.
+ *
+ * ZAP is an HTTP/HTTPS proxy for assessing web application security.
+ *
+ * Copyright 2025 The ZAP Development Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.zaproxy.zap.extension.ascanrulesAlpha.scripts;
+
+import java.io.File;
+import java.nio.file.Paths;
+import java.util.List;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.parosproxy.paros.Constant;
+import org.parosproxy.paros.extension.Extension;
+import org.parosproxy.paros.extension.ExtensionAdaptor;
+import org.zaproxy.zap.extension.ascan.ExtensionActiveScan;
+import org.zaproxy.zap.extension.script.ExtensionScript;
+import org.zaproxy.zap.extension.script.ScriptEngineWrapper;
+import org.zaproxy.zap.extension.script.ScriptType;
+import org.zaproxy.zap.extension.script.ScriptWrapper;
+
+public class ExtensionAscanRulesAlphaScripts extends ExtensionAdaptor {
+
+    private static final List<Class<? extends Extension>> DEPENDENCIES =
+            List.of(ExtensionActiveScan.class, ExtensionScript.class);
+    private static final Logger LOGGER =
+            LogManager.getLogger(ExtensionAscanRulesAlphaScripts.class);
+    private static final String SCRIPT_SUSPICIOUS_INPUT_TRANSFORMATION =
+            "SuspiciousInputTransformation.js";
+
+    private ExtensionScript extScript;
+
+    @Override
+    public String getName() {
+        return ExtensionAscanRulesAlphaScripts.class.getSimpleName();
+    }
+
+    @Override
+    public String getUIName() {
+        return Constant.messages.getString("ascanalpha.scripts.name");
+    }
+
+    @Override
+    public String getDescription() {
+        return Constant.messages.getString("ascanalpha.scripts.desc");
+    }
+
+    @Override
+    public List<Class<? extends Extension>> getDependencies() {
+        return DEPENDENCIES;
+    }
+
+    @Override
+    public void postInit() {
+        extScript =
+                org.parosproxy.paros.control.Control.getSingleton()
+                        .getExtensionLoader()
+                        .getExtension(ExtensionScript.class);
+        addScripts();
+    }
+
+    @Override
+    public boolean canUnload() {
+        return true;
+    }
+
+    @Override
+    public void unload() {
+        removeScripts();
+    }
+
+    private void addScripts() {
+        addScript(
+                SCRIPT_SUSPICIOUS_INPUT_TRANSFORMATION,
+                Constant.messages.getString(
+                        "ascanalpha.scripts.suspiciousInputTransformation.desc"),
+                extScript.getScriptType(ExtensionActiveScan.SCRIPT_TYPE_ACTIVE),
+                false);
+    }
+
+    private void addScript(String name, String description, ScriptType type, boolean isTemplate) {
+        try {
+            if (extScript.getScript(name) != null) {
+                return;
+            }
+            ScriptEngineWrapper engine = extScript.getEngineWrapper("Graal.js");
+            if (engine == null) {
+                return;
+            }
+
+            File file;
+            if (isTemplate) {
+                file =
+                        Paths.get(
+                                        Constant.getZapHome(),
+                                        ExtensionScript.TEMPLATES_DIR,
+                                        type.getName(),
+                                        name)
+                                .toFile();
+            } else {
+                file =
+                        Paths.get(
+                                        Constant.getZapHome(),
+                                        ExtensionScript.SCRIPTS_DIR,
+                                        ExtensionScript.SCRIPTS_DIR,
+                                        type.getName(),
+                                        name)
+                                .toFile();
+            }
+            ScriptWrapper script = new ScriptWrapper(name, description, engine, type, true, file);
+            extScript.loadScript(script);
+            if (isTemplate) {
+                extScript.addTemplate(script, false);
+            } else {
+                extScript.addScript(script, false);
+            }
+        } catch (Exception e) {
+            LOGGER.warn(
+                    Constant.messages.getString(
+                            "ascanalpha.scripts.warn.couldNotAddScripts", e.getLocalizedMessage()));
+        }
+    }
+
+    private void removeScripts() {
+        if (extScript == null) {
+            return;
+        }
+        removeScript(SCRIPT_SUSPICIOUS_INPUT_TRANSFORMATION, false);
+    }
+
+    private void removeScript(String name, boolean isTemplate) {
+        ScriptWrapper script;
+        if (isTemplate) {
+            script = extScript.getTreeModel().getTemplate(name);
+        } else {
+            script = extScript.getScript(name);
+        }
+
+        if (script == null) {
+            return;
+        }
+
+        if (isTemplate) {
+            extScript.removeTemplate(script);
+        } else {
+            extScript.removeScript(script);
+        }
+    }
+}

addOns/ascanrulesAlpha/src/main/javahelp/org/zaproxy/zap/extension/ascanrulesAlpha/resources/help/contents/ascanalpha.html

@@ -55,5 +55,14 @@ <H2 id="id-40039">Web Cache Deception</H2>
 <br>
 Alert ID: <a href="https://www.zaproxy.org/docs/alerts/40039/">40039</a>.
 
+<H2 id="id-100044">Suspicious Input Transformation</H2>
+This is an active script scan rule. It detects various types of suspicious input transformations that may indicate
+potential security vulnerabilities such as template injection, expression evaluation, quote consumption, and issues
+related to unicode normalization.
+<p>
+Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesAlpha/src/main/zapHomeFiles/scripts/scripts/active/SuspiciousInputTransformation.js">SuspiciousInputTransformation.js</a>
+<br>
+Alert ID: <a href="https://www.zaproxy.org/docs/alerts/100044/">100044</a>.
+
 </BODY>
 </HTML>

addOns/ascanrulesAlpha/src/main/resources/org/zaproxy/zap/extension/ascanrulesAlpha/resources/Messages.properties

@@ -33,6 +33,11 @@ ascanalpha.mongodb.soln = Do not trust client side input and escape all data on
 
 ascanalpha.name = Active Scan Rules - alpha
 
+ascanalpha.scripts.desc = Adds alpha status active scan rule scripts.
+ascanalpha.scripts.name = Active Scan Rule Scripts - alpha
+ascanalpha.scripts.suspiciousInputTransformation.desc = This script detects suspicious input transformations in web applications.
+ascanalpha.scripts.warn.couldNotAddScripts = Could not add alpha active scan rule scripts: {0}.
+
 ascanalpha.webCacheDeception.desc = Web cache deception may be possible. It may be possible for unauthorised user to view sensitive data on this page.
 ascanalpha.webCacheDeception.name = Web Cache Deception
 ascanalpha.webCacheDeception.otherinfo = Cached Authorised Response and Unauthorised Response are similar.