ascanrulesBeta: Skip error responses in SourceCodeDisclosureFileInclusion#7149
ascanrulesBeta: Skip error responses in SourceCodeDisclosureFileInclusion#7149Arunodoy18 wants to merge 1 commit intozaproxy:mainfrom
Conversation
|
Great job! No new security vulnerabilities introduced in this pull requestUse @Checkmarx to interact with Checkmarx PR Assistant. |
jsoref
left a comment
jsoref
left a comment
There was a problem hiding this comment.
The changes here look good and seem likely to address my false positives. 👍
| // Skip if attack response is a client/server error. | ||
| // Error pages naturally differ from success pages and comparing | ||
| // them leads to false positives (see zaproxy/zaproxy#9184). | ||
| if (isClientError(sourceattackmsg) || isServerError(sourceattackmsg)) { |
There was a problem hiding this comment.
Speaking personally (and not as a member/maintainer, as I'm not), I'd rather have a isClientOrServerError() and use it both here and below. -- It makes it easier to quickly determine that the same logic is applied in both places.
There was a problem hiding this comment.
Thanks for the suggestion! I've extracted an isClientOrServerError() helper and updated all three call sites to use it. Force-pushed.
…sion Skip attack responses that return 4xx/5xx status codes in the SourceCodeDisclosureFileInclusionScanRule. Error pages naturally differ from success pages, so comparing them produces false positives (e.g. a GraphQL endpoint returning 404 for invalid queries was flagged as source code disclosure). Add isClientError/isServerError checks after each sendAndReceive for attack messages in both the source file inclusion loop and the WAR/EAR file inclusion loop. The rule already applies this check to the base message. Add unit test that reproduces the false positive scenario where the server returns 200 for valid requests but 404 for attack payloads. Fixes zaproxy/zaproxy#9184
Arunodoy18
force-pushed
the
fix/9184-skip-error-responses-in-source-disclosure
branch
from
ef833f6 to
ae724d3
Compare
3 participants
Description
Fixes zaproxy/zaproxy#9184
The
SourceCodeDisclosureFileInclusionScanRule(ID 43) generates false positives when attack responses return 4xx/5xx status codes. Error pages naturally differ from success pages, and diffing them against the baseline gives misleading match percentages.Root cause
The rule sends attack payloads (e.g. path traversal attempts) and compares the response body against a random-parameter baseline using
DiceMatcher. If the server returns a 4xx error page for the attack (different from the random baseline), the diff exceeds the threshold and the rule falsely flags it as source code disclosure — especially when the URL has no file extension (dataMatchesExtensionreturnstruewhenfileExtension == null).Reported scenario: A GraphQL endpoint returns 200 for valid queries but 4xx for invalid ones. The rule extracts
graph-qlfrom the URL path, sends it as a parameter value, receives a 4xx error page that differs from the baseline, and raises a false positive.Fix
Add
isClientError()/isServerError()checks on each attack response, immediately aftersendAndReceive, in both:If the attack response is a 4xx or 5xx, the iteration is skipped (
continue). This mirrors the existing check on the base message at the start of thescan()method.Why this is safe
isClientError/isServerErrorto the base messageNew test
shouldNotAlertWhenAttackResponseIsClientError— uses aClientErrorFiHandlerthat returns 200 for original/random requests but 404 for attack payloads, reproducing the exact scenario from the issue.Checklist