Operating System: Mac OS X
Architecture: aarch64
CPU Cores: 10
Max Memory: 16 GB
Java Version: Eclipse Adoptium 11.0.23
System's Locale: en_US
Display Locale: en_GB
Format Locale: en_US
Default Charset: UTF-8
ZAP Home Directory: /Users/jsoref/Library/Application Support/ZAP/
ZAP Installation Directory: /Applications/ZAP.app/Contents/Java/./
Look and Feel: FlatLaf Light (com.formdev.flatlaf.FlatLightLaf)
Screenshots
Errors from the zap.log file
No response
Additional context
This is yet another scanner that needs to be taught about "baseline pages" -- the tool I worked on two decades ago had this to avoid such false positives.
Would you like to help fix this issue?
Yes
Can you give us a bit more info here?
It sounds like you have some specific failing cases. If you can provide us with more detail then it should help us fix this problem much more quickly.
There should be basic logic that compares an index page and a randomly selected page (https://test.glaypen.garnercorp.com/dsljkhfdskjfhdsjkfhdsjkfhdsjkf) to a "discovered" page; if the randomly selected page or the index page matches the "discovered" page, then the "discovered" page isn't a discovery, it's noise.
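One way to implement the baseline comparison this comment asks for, as an added Python example that is neither ZAP's code nor the reporter's: the SPA shell, the probe responses, the volatile-token regex and the 0.9 similarity threshold are all constructed assumptions.

```python
"""Baseline-page filter for 403-bypass probes (constructed example)."""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher

# Assumed per-request tokens (CSP nonce, CSRF meta tag) that make two renders
# of the same SPA shell differ byte-for-byte without changing the page.
_VOLATILE_RE = re.compile(r'(nonce|content)="[^"]*"')

@dataclass(frozen=True)
class Response:
    status: int
    body: str

def normalize(body):
    """Blank volatile attribute values, collapse whitespace, lowercase."""
    return " ".join(_VOLATILE_RE.sub(r'\1=""', body).split()).lower()

def similarity(a, b):
    """Body similarity in [0, 1]; differing status codes count as 0."""
    if a.status != b.status:
        return 0.0
    na, nb = normalize(a.body), normalize(b.body)
    return 1.0 if na == nb else SequenceMatcher(None, na, nb, autojunk=False).ratio()

def is_baseline_noise(candidate, index, random_page, threshold=0.9):
    """True when the probe response is just the index or random-path page again."""
    return max(similarity(candidate, index),
               similarity(candidate, random_page)) >= threshold

def verdict(candidate, index, random_page, threshold=0.9):
    """Classify one probe response for a path that normally returns 403."""
    if candidate.status in (401, 403):
        return "still-forbidden"
    if is_baseline_noise(candidate, index, random_page, threshold):
        return "noise"
    return "finding"

# Constructed SPA shell: the index route and every unknown route serve it.
SPA_SHELL = ('<!doctype html><html><head><meta name="csrf" content="{tok}">'
             '<script src="/static/app.js" nonce="{tok}"></script></head>'
             '<body><div id="root"></div></body></html>')
INDEX = Response(200, SPA_SHELL.format(tok="a1b2"))
RANDOM_PAGE = Response(200, SPA_SHELL.format(tok="c3d4"))  # random nonsense path
PROBE_SHELL = Response(200, SPA_SHELL.format(tok="e5f6"))  # shell again -> noise
PROBE_ADMIN = Response(200, '<html><body><h1>Admin console</h1><table><tr>'
                            '<td>alice</td><td>admin</td></tr></table></body></html>')
PROBE_DENIED = Response(403, "Forbidden")
```

Calling `verdict(probe, INDEX, RANDOM_PAGE)` on each constructed probe yields "noise" for the re-served shell, "finding" for the distinct admin page and "still-forbidden" for the 403.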
Describe the bug
https://github.com/zaproxy/zap-extensions/blob/b24dd355a0975e985b391e4cd4eebaf2079410bf/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ForbiddenBypassScanRule.java#L92
has code to look at various pages, but it has no code to say "oh, this matches the SPA page, and therefore isn't exceptional".
Steps to reproduce the behavior
Expected behavior
No results from "Bypassing 403"
Software versions
ZAP
Version: 2.15.0
Installed Add-ons: [[id=accessControl, version=10.0.0],
[id=alertFilters, version=21.0.0], [id=ascanrules,
version=67.0.0], [id=ascanrulesBeta, version=54.0.0],
[id=authhelper, version=0.14.0], [id=authstats,
version=2.0.0], [id=automation, version=0.41.0],
[id=bruteforce, version=16.0.0], [id=callhome,
version=0.12.0], [id=commonlib, version=1.26.0],
[id=custompayloads, version=0.13.0], [id=database,
version=0.5.0], [id=diff, version=15.0.0],
[id=directorylistv1, version=8.0.0], [id=directorylistv2_3,
version=4.0.0], [id=domxss, version=19.0.0], [id=encoder,
version=1.5.0], [id=exim, version=0.10.0], [id=fileupload,
version=1.2.1], [id=formhandler, version=6.6.0], [id=fuzz,
version=13.13.0], [id=fuzzdb, version=9.0.0],
[id=fuzzdboffensive, version=5.0.0], [id=gettingStarted,
version=17.0.0], [id=graaljs, version=0.7.0], [id=graphql,
version=0.24.0], [id=help, version=18.0.0], [id=hud,
version=0.19.0], [id=importurls, version=9.0.0], [id=invoke,
version=15.0.0], [id=jsonview, version=3.0.0], [id=jwt,
version=1.0.3], [id=network, version=0.16.0], [id=oast,
version=0.19.0], [id=onlineMenu, version=13.0.0],
[id=openapi, version=42.0.0], [id=postman, version=0.4.0],
[id=pscanrules, version=59.0.0], [id=quickstart,
version=48.0.0], [id=replacer, version=18.0.0], [id=reports,
version=0.32.0], [id=requester, version=7.7.0], [id=retest,
version=0.9.0], [id=retire, version=0.38.0], [id=reveal,
version=8.0.0], [id=saml, version=10.0.0],
[id=saverawmessage, version=7.0.0], [id=savexmlmessage,
version=0.3.0], [id=scripts, version=45.5.0], [id=selenium,
version=15.27.0], [id=soap, version=23.0.0], [id=spider,
version=0.11.0], [id=spiderAjax, version=23.20.0],
[id=sqliplugin, version=15.0.0], [id=sse, version=13.0.0],
[id=tips, version=13.0.0], [id=wappalyzer, version=21.39.0],
[id=webdrivermacos, version=98.0.0], [id=webdriverwindows,
version=98.0.0], [id=websocket, version=31.0.0], [id=zest,
version=46.0.0]]