Description
This is for all scan rules - active, passive, http, websocket, future ones :)
The method is proposed to be a 'de facto standard' for now: List<Alert> getExampleAlerts()
It will be accessed by the generate_alert_pages.js script using introspection. This script generates the https://www.zaproxy.org/docs/alerts/ pages.
At the moment the script can only cope with one alert per add-on, while many add-ons generate several.
Ease of maintenance is key - this new method should call any suitable existing methods - if they don't exist the new ones could be created.
Release & beta rules with little to no info which should implement this new method asap:
- https://www.zaproxy.org/docs/alerts/10003/ Vulnerable JS Library
- https://www.zaproxy.org/docs/alerts/10020/ X-Frame-Options Header
- https://www.zaproxy.org/docs/alerts/10032/ Viewstate
The plan is to only expose the information currently on the alert pages, so URLs can be https://www.example.com
Any new generic text created for these alerts should be i18n'd
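As an added illustration (not code from the ZAP project or from any rule listed below), here is a minimal active scan rule wired up the way the proposal above describes: the real scan path and `getExampleAlerts()` share one alert-building helper, so the example alert on the docs page can never drift from what the rule actually raises. The rule name, plugin ID 99999, the `ascanrules.debugecho.*` i18n keys and the probe/marker strings are assumptions made up for the example; the URL is https://www.example.com as the plan requires.

```java
// Added example, not code from the ZAP project: a minimal active scan rule
// showing how getExampleAlerts() can share one alert-building helper with
// the real scan path. Rule name, plugin ID 99999, i18n key prefix and the
// probe/marker strings are assumptions for illustration only.
package org.example.zap.rules;

import java.io.IOException;
import java.util.List;
import org.parosproxy.paros.Constant;
import org.parosproxy.paros.core.scanner.AbstractAppParamPlugin;
import org.parosproxy.paros.core.scanner.Alert;
import org.parosproxy.paros.core.scanner.Category;
import org.parosproxy.paros.network.HttpMessage;

public class DebugEchoScanRule extends AbstractAppParamPlugin {

    private static final String MESSAGE_PREFIX = "ascanrules.debugecho."; // assumed i18n keys
    private static final String PROBE = "zap-debug-probe";                 // assumed probe value
    private static final String MARKER = "DEBUG: " + PROBE;                // assumed echoed marker

    @Override public int getId() { return 99999; } // hypothetical ID, not a real ZAP rule
    @Override public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); }
    @Override public String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); }
    @Override public String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); }
    @Override public String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); }
    @Override public int getCategory() { return Category.INFO_GATHER; }
    @Override public int getRisk() { return Alert.RISK_LOW; }

    /**
     * The one place that fills in the per-finding fields. Name, description,
     * solution, reference and risk come from the rule itself via newAlert(),
     * so the example alert and the live alert are built from the same data.
     */
    private AlertBuilder buildAlert(String param, String attack, String evidence) {
        return newAlert()
                .setConfidence(Alert.CONFIDENCE_MEDIUM)
                .setParam(param)
                .setAttack(attack)
                .setEvidence(evidence);
    }

    @Override
    public void scan(HttpMessage msg, String param, String value) {
        HttpMessage probe = getNewMsg();
        setParameter(probe, param, PROBE);
        try {
            sendAndReceive(probe);
        } catch (IOException e) {
            return; // network failure: nothing to report for this parameter
        }
        if (probe.getResponseBody().toString().contains(MARKER)) {
            // Live finding: attach the real message and raise it.
            buildAlert(param, PROBE, MARKER).setMessage(probe).raise();
        }
    }

    /** The proposed method: same helper, example URL only, no real HttpMessage. */
    public List<Alert> getExampleAlerts() {
        return List.of(
                buildAlert("id", PROBE, MARKER)
                        .setUri("https://www.example.com/")
                        .build());
    }
}
```

The generator only needs the built `Alert` objects, so `getExampleAlerts()` never sends traffic and never needs an `HttpMessage`; returning a `List` also covers rules that raise several distinct alerts (one entry per alert, each with its own evidence and, where applicable, alert reference).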
State | ID | Name | Class |
---|---|---|---|
✅ PR#4242 | 0 | Directory Browsing | DirectoryBrowsingScanRule |
✅ PR#4242 | 2 | Private IP Disclosure | InfoPrivateAddressDisclosureScanRule |
✅ PR#4242 | 3 | Session ID in URL Rewrite | InfoSessionIdUrlScanRule |
✅ | 6 | Path Traversal | PathTraversalScanRule |
✅ | 7 | Remote File Inclusion | RemoteFileIncludeScanRule |
✅ PR#4567 | 41 | Source Code Disclosure - Git | SourceCodeDisclosureGitScanRule |
✅ zaproxy/zap-extensions#5205 | 42 | Source Code Disclosure - SVN | SourceCodeDisclosureSvnScanRule |
✅ PR#4702 | 43 | Source Code Disclosure - File Inclusion | SourceCodeDisclosureFileInclusionScanRule |
✅ zaproxy/zap-extensions#4540 | 10009 | In Page Banner Information Leak | InPageBannerInfoLeakScanRule |
✅ | 10010 | Cookie No HttpOnly Flag | CookieHttpOnlyScanRule |
✅ | 10011 | Cookie Without Secure Flag | CookieSecureFlagScanRule |
✅ PR#4706 | 10015 | Re-examine Cache-control Directives | CacheControlScanRule |
✅ zaproxy/zap-extensions#4547 | 10017 | Cross-Domain JavaScript Source File Inclusion | CrossDomainScriptInclusionScanRule |
✅ zaproxy/zap-extensions#5186 | 10019 | Content-Type Header Missing | ContentTypeMissingScanRule |
✅ | 10020 | Anti-clickjacking Header | AntiClickjackingScanRule |
✅ zaproxy/zap-extensions#5186 | 10021 | X-Content-Type-Options Header Missing | XContentTypeOptionsScanRule |
✅ zaproxy/zap-extensions#5205 | 10023 | Information Disclosure - Debug Error Messages | InformationDisclosureDebugErrorsScanRule |
✅ zaproxy/zap-extensions#5205 | 10024 | Information Disclosure - Sensitive Information in URL | InformationDisclosureInUrlScanRule |
✅ zaproxy/zap-extensions#5205 | 10025 | Information Disclosure - Sensitive Information in HTTP Referrer Header | InformationDisclosureReferrerScanRule |
✅ zaproxy/zap-extensions#4540 | 10026 | HTTP Parameter Override | ServletParameterPollutionScanRule |
✅ zaproxy/zap-extensions#4640 | 10027 | Information Disclosure - Suspicious Comments | InformationDisclosureSuspiciousCommentsScanRule |
✅ zaproxy/zap-extensions#5205 | 10028 | Open Redirect | UserControlledOpenRedirectScanRule |
✅ zaproxy/zap-extensions#5205 | 10029 | Cookie Poisoning | UserControlledCookieScanRule |
✅ zaproxy/zap-extensions#5205 | 10030 | User Controllable Charset | UserControlledCharsetScanRule |
✅ zaproxy/zap-extensions#5205 | 10031 | User Controllable HTML Element Attribute (Potential XSS) | UserControlledHTMLAttributesScanRule |
✅ | 10032 | Viewstate | ViewstateScanRule |
✅ zaproxy/zap-extensions#4537 | 10033 | Directory Browsing | DirectoryBrowsingScanRule |
✅ zaproxy/zap-extensions#5205 | 10034 | Heartbleed OpenSSL Vulnerability (Indicative) | HeartBleedScanRule |
✅ zaproxy/zap-extensions#5205 | 10035 | Strict-Transport-Security Header | StrictTransportSecurityScanRule |
✅ PR#4097 | 10036 | HTTP Server Response Header | ServerHeaderInfoLeakScanRule |
✅ zaproxy/zap-extensions#5205 | 10037 | Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) | XPoweredByHeaderInfoLeakScanRule |
✅ PR#4338 | 10038 | Content Security Policy (CSP) Header Not Set | ContentSecurityPolicyMissingScanRule |
✅ PR#4677 | 10039 | X-Backend-Server Header Information Leak | XBackendServerInformationLeakScanRule |
✅ zaproxy/zap-extensions#5220 | 10040 | Secure Pages Include Mixed Content | MixedContentScanRule |
✅ zaproxy/zap-extensions#5220 | 10041 | HTTP to HTTPS Insecure Transition in Form Post | InsecureFormLoadScanRule |
✅ zaproxy/zap-extensions#5220 | 10042 | HTTPS to HTTP Insecure Transition in Form Post | InsecureFormPostScanRule |
✅ zaproxy/zap-extensions#5220 | 10043 | User Controllable JavaScript Event (XSS) | UserControlledJavascriptEventScanRule |
✅ PR#5153 | 10044 | Big Redirect Detected (Potential Sensitive Information Leak) | BigRedirectsScanRule |
✅ zaproxy/zap-extensions#5220 | 10045 | Source Code Disclosure - /WEB-INF folder | SourceCodeDisclosureWebInfScanRule |
✅ zaproxy/zap-extensions#5220 | 10047 | HTTPS Content Available via HTTP | HttpsAsHttpScanRule |
✅ zaproxy/zap-extensions#5242 | 10048 | Remote Code Execution - Shell Shock | ShellShockScanRule |
✅ PR#4097 | 10049 | Content Cacheability | CacheableScanRule |
✅ zaproxy/zap-extensions#5242 | 10050 | Retrieved from Cache | RetrievedFromCacheScanRule |
✅ zaproxy/zap-extensions#5329 | 10051 | Relative Path Confusion - AB | RelativePathConfusionScanRule |
✅ PR#4705 | 10052 | X-ChromeLogger-Data (XCOLD) Header Information Leak | XChromeLoggerDataInfoLeakScanRule |
✅ zaproxy/zap-extensions#5220 | 10054 | Cookie without SameSite Attribute | CookieSameSiteScanRule |
✅ | 10055 | CSP | ContentSecurityPolicyScanRule |
✅ zaproxy/zap-extensions#5220 | 10056 | X-Debug-Token Information Leak | XDebugTokenScanRule |
✅ | 10057 | Username Hash Found | UsernameIdorScanRule |
✅ zaproxy/zap-extensions#5181 | 10058 | GET for POST | GetForPostScanRule |
✅ PR#4625 | 10061 | X-AspNet-Version Response Header | XAspNetVersionScanRule |
✅ | 10062 | PII Disclosure | PiiScanRule |
✅ | 10063 | Permissions Policy Header Not Set | PermissionsPolicyScanRule |
✅ zaproxy/zap-extensions#4502 | 10094 | Base64 Disclosure | Base64Disclosure |
✅ zaproxy/zap-extensions#5251 | 10095 | Backup File Disclosure | BackupFileDisclosureScanRule |
✅ zaproxy/zap-extensions#5251 | 10096 | Timestamp Disclosure | TimestampDisclosureScanRule |
✅ zaproxy/zap-extensions#5251 | 10097 | Hash Disclosure | HashDisclosureScanRule |
✅ zaproxy/zap-extensions#5251 | 10098 | Cross-Domain Misconfiguration | CrossDomainMisconfigurationScanRule |
✅ zaproxy/zap-extensions#4502 | 10099 | Source Code Disclosure | SourceCodeDisclosureScanRule |
✅ PR#4839 | 10101 | Access Control Issue - Improper Authentication | AccessControlAlertsProcessor |
✅ PR#4839 | 10102 | Access Control Issue - Improper Authorization | AccessControlAlertsProcessor |
✅ | 10104 | User Agent Fuzzer | UserAgentScanRule |
✅ zaproxy/zap-extensions#5261 | 10105 | Weak Authentication Method - P | InsecureAuthenticationScanRule |
✅ PR#4752 | 10106 | HTTP Only Site | HttpOnlySiteScanRule |
✅ zaproxy/zap-extensions#5291 | 10107 | Httpoxy - Proxy Header Misuse - AB | HttPoxyScanRule |
✅ zaproxy/zap-extensions#5261 | 10108 | Reverse Tabnabbing - P | LinkTargetScanRule |
✅ zaproxy/zap-extensions#5261 | 10109 | Modern Web Application - P | ModernAppDetectionScanRule |
✅ | 10110 | Dangerous JS Functions | JsFunctionScanRule |
✅ zaproxy/zap-extensions#5261 | 10202 | Absence of Anti-CSRF Tokens - P | CsrfCountermeasuresScanRule |
✅ zaproxy/zap-extensions#5291 | 20012 | Anti-CSRF Tokens Check - AB | CsrfTokenScanRule |
✅ zaproxy/zap-extensions#5291 | 20014 | HTTP Parameter Pollution - AB | HttpParameterPollutionScanRule |
✅ zaproxy/zap-extensions#5181 | 20015 | Heartbleed OpenSSL Vulnerability | HeartBleedActiveScanRule |
✅ zaproxy/zap-extensions#5291 | 20016 | Cross-Domain Misconfiguration - AB | CrossDomainScanRule |
✅ zaproxy/zap-extensions#5335 | 20017 | Source Code Disclosure - CVE-2012-1823 - A | SourceCodeDisclosureCve20121823ScanRule |
✅ zaproxy/zap-extensions#5335 | 20018 | Remote Code Execution - CVE-2012-1823 - A | RemoteCodeExecutionCve20121823ScanRule |
✅ | 20019 | External Redirect | ExternalRedirectScanRule |
✅ | 30001 | Buffer Overflow | BufferOverflowScanRule |
✅ PR#4623 | 30002 | Format String Error | FormatStringScanRule |
✅ zaproxy/zap-extensions#5329 | 30003 | Integer Overflow Error - AB | IntegerOverflowScanRule |
✅ zaproxy/zap-extensions#5181 | 40003 | CRLF Injection | CrlfInjectionScanRule |
✅ PR#4624 | 40008 | Parameter Tampering | ParameterTamperScanRule |
✅ zaproxy/zap-extensions#5335 | 40009 | Server Side Include - A | ServerSideIncludeScanRule |
✅ zaproxy/zap-extensions#5335 | 40012 | Cross Site Scripting (Reflected) - A | CrossSiteScriptingScanRule |
❌ | 40013 | Session Fixation - AB | SessionFixationScanRule |
PR#5660 | 40014 | Cross Site Scripting (Persistent) - A | PersistentXssScanRule |
❌ | 40015 | LDAP Injection - AA | LdapInjectionScanRule |
🚫 N/A | 40016 | Cross Site Scripting (Persistent) - Prime - A | PersistentXssPrimeScanRule |
🚫 N/A | 40017 | Cross Site Scripting (Persistent) - Spider - A | PersistentXssSpiderScanRule |
🚧 @kingthorin | 40018 | SQL Injection - A | SqlInjectionScanRule |
❌ | 40019 | SQL Injection - MySQL - A | SqlInjectionMySqlScanRule |
❌ | 40020 | SQL Injection - Hypersonic SQL - A | SqlInjectionHypersonicScanRule |
❌ | 40021 | SQL Injection - Oracle - A | SqlInjectionOracleScanRule |
❌ | 40022 | SQL Injection - PostgreSQL - A | SqlInjectionPostgreScanRule |
❌ | 40023 | Possible Username Enumeration - AB | UsernameEnumerationScanRule |
❌ | 40024 | SQL Injection - SQLite - A | SqlInjectionSqLiteScanRule |
🚧 @kingthorin | 40025 | Proxy Disclosure - AB | ProxyDisclosureScanRule |
❌ | 40027 | SQL Injection - MsSQL - A | SqlInjectionMsSqlScanRule |
✅ zaproxy/zap-extensions#5181 | 40028 | ELMAH Information Leak | ElmahScanRule |
✅ zaproxy/zap-extensions#5181 | 40029 | Trace.axd Information Leak | TraceAxdScanRule |
✅ zaproxy/zap-extensions#5181 | 40032 | .htaccess Information Leak | HtAccessScanRule |
❌ | 40033 | NoSQL Injection - MongoDB - AA | MongoDbInjectionScanRule |
✅ zaproxy/zap-extensions#5181 | 40034 | .env Information Leak | EnvFileScanRule |
✅ | 40035 | Hidden File Finder | HiddenFilesScanRule |
✅ | 40038 | Bypassing 403 | ForbiddenBypassScanRule |
❌ | 40039 | Web Cache Deception - AA | WebCacheDeceptionScanRule |
✅ | 40040 | CORS Header | CorsScanRule |
✅ PR#5661 | 40042 | Spring Actuator Information Leak - A | SpringActuatorScanRule |
✅ | 40043 | Log4Shell | Log4ShellScanRule |
✅ | 40044 | Exponential Entity Expansion (Billion Laughs Attack) | ExponentialEntityExpansionScanRule |
✅ | 40045 | Spring4Shell | Spring4ShellScanRule |
✅ PR#5688 | 90001 | Insecure JSF ViewState - P | InsecureJsfViewStatePassiveScanRule |
✅ zaproxy/zap-extensions#4540 | 90002 | Java Serialization Object | JsoScanRule |
✅ zaproxy/zap-extensions#4540 | 90003 | Sub Resource Integrity Attribute Missing | SubResourceIntegrityAttributeScanRule |
✅ zaproxy/zap-extensions#4502 | 90004 | Insufficient Site Isolation Against Spectre Vulnerability | SiteIsolationScanRule |
🚧 zaproxy/zap-extensions#6544 | 90011 | Charset Mismatch - P | CharsetMismatchScanRule |
✅ zaproxy/zap-extensions#5706 | 90017 | XSLT Injection - A | XsltInjectionScanRule |
✅ | 90019 | Server Side Code Injection | CodeInjectionScanRule |
✅ zaproxy/zap-extensions#5181 | 90020 | Remote OS Command Injection | CommandInjectionScanRule |
✅ zaproxy/zap-extensions#5706 | 90021 | XPath Injection - A | XpathInjectionScanRule |
✅ | 90022 | Application Error Disclosure | ApplicationErrorScanRule |
✅ zaproxy/zap-extensions#5760 | 90023 | XML External Entity Attack - A | XxeScanRule |
✅ zaproxy/zap-extensions#5181 | 90024 | Generic Padding Oracle | PaddingOracleScanRule |
✅ zaproxy/zap-extensions#5626 | 90025 | Expression Language Injection - AB | ExpressionLanguageInjectionScanRule |
✅ zaproxy/zap-extensions#5626 | 90027 | Cookie Slack Detector - AB | SlackerCookieScanRule |
🚧 @Brandosp | 90028 | Insecure HTTP Method - AB | InsecureHttpMethodScanRule |
✅ PR#4825 | 90033 | Loosely Scoped Cookie | CookieLooselyScopedScanRule |
✅ | 90034 | Cloud Metadata Potentially Exposed | CloudMetadataScanRule |
✅ zaproxy/zap-extensions#5499 | 90035 | Server Side Template Injection - A | SstiScanRule |
✅ zaproxy/zap-extensions#5499 | 90036 | Server Side Template Injection (Blind) - A | SstiBlindScanRule |