
ForbiddenBypassScanRule should not treat index page results as if it "found something" #8596

jsoref opened this issue Aug 13, 2024 · 2 comments

jsoref commented Aug 13, 2024

Describe the bug

https://github.com/zaproxy/zap-extensions/blob/b24dd355a0975e985b391e4cd4eebaf2079410bf/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ForbiddenBypassScanRule.java#L92 has code to look at various pages, but it has no code to say "oh, this matches the SPA page, and therefore isn't exceptional".

Steps to reproduce the behavior

  1. Scan an SPA
  2. Run ForbiddenBypassScanRule
  3. Read alerts

Expected behavior

No results from Bypassing 403

Software versions

ZAP
Version: 2.15.0

Installed Add-ons: [[id=accessControl, version=10.0.0],
[id=alertFilters, version=21.0.0], [id=ascanrules,
version=67.0.0], [id=ascanrulesBeta, version=54.0.0],
[id=authhelper, version=0.14.0], [id=authstats,
version=2.0.0], [id=automation, version=0.41.0],
[id=bruteforce, version=16.0.0], [id=callhome,
version=0.12.0], [id=commonlib, version=1.26.0],
[id=custompayloads, version=0.13.0], [id=database,
version=0.5.0], [id=diff, version=15.0.0],
[id=directorylistv1, version=8.0.0], [id=directorylistv2_3,
version=4.0.0], [id=domxss, version=19.0.0], [id=encoder,
version=1.5.0], [id=exim, version=0.10.0], [id=fileupload,
version=1.2.1], [id=formhandler, version=6.6.0], [id=fuzz,
version=13.13.0], [id=fuzzdb, version=9.0.0],
[id=fuzzdboffensive, version=5.0.0], [id=gettingStarted,
version=17.0.0], [id=graaljs, version=0.7.0], [id=graphql,
version=0.24.0], [id=help, version=18.0.0], [id=hud,
version=0.19.0], [id=importurls, version=9.0.0], [id=invoke,
version=15.0.0], [id=jsonview, version=3.0.0], [id=jwt,
version=1.0.3], [id=network, version=0.16.0], [id=oast,
version=0.19.0], [id=onlineMenu, version=13.0.0],
[id=openapi, version=42.0.0], [id=postman, version=0.4.0],
[id=pscanrules, version=59.0.0], [id=quickstart,
version=48.0.0], [id=replacer, version=18.0.0], [id=reports,
version=0.32.0], [id=requester, version=7.7.0], [id=retest,
version=0.9.0], [id=retire, version=0.38.0], [id=reveal,
version=8.0.0], [id=saml, version=10.0.0],
[id=saverawmessage, version=7.0.0], [id=savexmlmessage,
version=0.3.0], [id=scripts, version=45.5.0], [id=selenium,
version=15.27.0], [id=soap, version=23.0.0], [id=spider,
version=0.11.0], [id=spiderAjax, version=23.20.0],
[id=sqliplugin, version=15.0.0], [id=sse, version=13.0.0],
[id=tips, version=13.0.0], [id=wappalyzer, version=21.39.0],
[id=webdrivermacos, version=98.0.0], [id=webdriverwindows,
version=98.0.0], [id=websocket, version=31.0.0], [id=zest,
version=46.0.0]]

Operating System: Mac OS X
Architecture: aarch64
CPU Cores: 10
Max Memory: 16 GB
Java Version: Eclipse Adoptium 11.0.23
System's Locale: en_US
Display Locale: en_GB
Format Locale: en_US
Default Charset: UTF-8
ZAP Home Directory: /Users/jsoref/Library/Application Support/ZAP/
ZAP Installation Directory: /Applications/ZAP.app/Contents/Java/./
Look and Feel: FlatLaf Light (com.formdev.flatlaf.FlatLightLaf)

Screenshots

[screenshot omitted]

Errors from the zap.log file

No response

Additional context

This is yet another scanner that needs to be taught about "baseline pages" -- the tool I worked on two decades ago had this to avoid such false positives.

Would you like to help fix this issue?

  • Yes
@jsoref jsoref added the bug label Aug 13, 2024

psiinon commented Aug 13, 2024

Can you give us a bit more info here?
It sounds like you have some specific failing cases. If you can provide us with more detail then it should help us fix this problem much more quickly.


jsoref commented Aug 13, 2024

We have a single-page application; instead of serving 404s for most nonexistent pages, it serves the index page.

e.g. https://test.glaypen.garnercorp.com/no-such-page

There should be basic logic that compares an index page and a randomly selected page (https://test.glaypen.garnercorp.com/dsljkhfdskjfhdsjkfhdsjkfhdsjkf) to a "discovered" page; if the randomly selected page or the index page matches the "discovered" page, then the "discovered" page isn't a discovery, it's noise.
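The baseline comparison described in the comment above, written out as an added example that is not part of the issue or of ZAP's own code: a candidate finding is dropped when its response matches either the index page or the response for a random nonexistent path. The `Response` type, `is_baseline_noise`, the 0.9 similarity threshold and the sample HTML are assumptions made for this example.

```python
"""Baseline-page check for scan findings: constructed example, not ZAP code."""
from dataclasses import dataclass
from difflib import SequenceMatcher
import re

@dataclass
class Response:
    status: int
    body: str

def _normalize(s: str) -> str:
    # Collapse whitespace so formatting alone does not inflate the distance.
    return re.sub(r"\s+", " ", s).strip()

def similarity(a: str, b: str) -> float:
    # 1.0 means identical after normalisation, 0.0 means nothing in common.
    return SequenceMatcher(None, _normalize(a), _normalize(b)).ratio()

def is_baseline_noise(candidate: Response, baselines: list, threshold: float = 0.9) -> bool:
    """True when the candidate matches a baseline (index page or random-path page).

    Same status code plus body similarity at or above the threshold (assumed 0.9)
    means the app served its catch-all shell, not a genuinely reachable resource.
    """
    return any(candidate.status == b.status and similarity(candidate.body, b.body) >= threshold
               for b in baselines)

def real_findings(findings: dict, baselines: list) -> list:
    """Keep only paths whose response differs from every baseline."""
    return [path for path, resp in findings.items() if not is_baseline_noise(resp, baselines)]

# Constructed sample data: an SPA whose catch-all route returns the index shell.
INDEX = Response(200, '<!doctype html><html><head><title>App</title>'
                      '<script nonce="abc123" src="/app.js"></script></head>'
                      '<body><div id="root"></div></body></html>')
RANDOM_PATH = Response(200, INDEX.body)  # a random nonexistent path gets the same shell
BASELINES = [INDEX, RANDOM_PATH]

FINDINGS = {
    # The shell again, only the per-request CSP nonce differs: noise.
    "/admin/": Response(200, INDEX.body.replace("abc123", "zzz999")),
    # Different content behind the same status: worth reporting.
    "/internal/": Response(200, '<html><body><h1>Internal console</h1>'
                                '<form action="/internal/search"><input name="q"></form>'
                                '<ul><li>reports</li><li>users</li></ul></body></html>'),
}

if __name__ == "__main__":
    print(real_findings(FINDINGS, BASELINES))  # ['/internal/']
```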
