ascanrules: Should parse correct quotes and attributes (#5104)

Should parse correct quotes and attributes Signed-off-by: karthik-uj <karthik.uj@getastra.com>
zaproxy · Dec 7, 2023 · 0ffe462 · 0ffe462
1 parent 9e7be28
commit 0ffe462
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 2 deletions.
diff --git a/addOns/ascanrules/CHANGELOG.md b/addOns/ascanrules/CHANGELOG.md
@@ -13,6 +13,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Fixed
 - Use high and low delays for linear regression time-based tests to fix false positives from delays that were smaller than normal variance in application response times, which affected Command Injection scan rule.
 - Improved SQL Injection - PostgreSQL (Time Based) scan rule by using time-based linear regression tests.
+- Catch correct context while analysing attributes instead of the last attribute where eyecatcher was reflected.
 
 ## [58] - 2023-10-12
 ### Changed

diff --git a/...les/src/main/java/org/zaproxy/zap/extension/ascanrules/httputils/HtmlContextAnalyser.java b/...les/src/main/java/org/zaproxy/zap/extension/ascanrules/httputils/HtmlContextAnalyser.java
@@ -324,9 +324,13 @@ public List<HtmlContext> getHtmlContexts(
                 Iterator<Attribute> iter = element.getAttributes().iterator();
                 while (iter.hasNext()) {
                     Attribute att = iter.next();
-                    if (att.getValue() != null
-                            && att.getValue().toLowerCase().indexOf(target.toLowerCase()) >= 0) {
+
+                    if (isInjectionInAttributeValue(context, att)) {
                         // Found the injected value
+                        if (!context.getSurroundingQuote().equals("" + att.getQuoteChar())
+                                && att.getQuoteChar() != ' ') {
+                            context.setSurroundingQuote("" + att.getQuoteChar());
+                        }
                         context.setTagAttribute(att.getName());
                         context.setTagAttributeValue(att.getValue());
                         context.setInUrlAttribute(this.isUrlAttribute(att.getName()));
@@ -362,4 +366,11 @@ public List<HtmlContext> getHtmlContexts(
 
         return contexts;
     }
+
+    private static boolean isInjectionInAttributeValue(HtmlContext context, Attribute att) {
+        return att.getValue() != null
+                && context.getStart() >= att.getValueSegment().getBegin()
+                && context.getEnd() <= att.getValueSegment().getEnd()
+                && att.getValue().toLowerCase().indexOf(context.getTarget().toLowerCase()) >= 0;
+    }
 }
diff --git a/...test/java/org/zaproxy/zap/extension/ascanrules/httputils/HtmlContextAnalyserUnitTest.java b/...test/java/org/zaproxy/zap/extension/ascanrules/httputils/HtmlContextAnalyserUnitTest.java
@@ -192,4 +192,61 @@ void shouldParseWithUnescapedTagEndChar() {
         assertThat(tagMap.get("span").size(), is(equalTo(0)));
         assertThat(tagMap.get("a").size(), is(equalTo(0)));
     }
+
+    @Test
+    void shouldParseWithNoQuotes() throws Exception {
+        String catcher = "hg4378as";
+        msg = new HttpMessage();
+        msg.setRequestHeader("GET /index.html HTTP/1.1");
+        msg.setResponseBody("<html> <body> <span id=" + catcher + ">hello</span> </body> </html>");
+        HtmlContextAnalyser analyser = new HtmlContextAnalyser(msg);
+        List<HtmlContext> contexts = analyser.getHtmlContexts(catcher, null, 0);
+        assertThat(contexts.size(), is(equalTo(1)));
+        HtmlContext ctx = contexts.get(0);
+        assertThat(ctx.getParentTag(), is(equalTo("span")));
+        assertThat(ctx.getSurroundingQuote(), is(equalTo("")));
+    }
+
+    @Test
+    void shouldParseTheCorrectSurroundingQuotesForTagAttributesWithMixedQuotes() throws Exception {
+        String catcher = "hg4378as";
+        msg = new HttpMessage();
+        msg.setRequestHeader("GET /index.html HTTP/1.1");
+        msg.setResponseBody(
+                "<html> <body> <span id='{\"entity\": \""
+                        + catcher
+                        + "\"}'>hello</span> <a></a> </body> </html>");
+        HtmlContextAnalyser analyser = new HtmlContextAnalyser(msg);
+        List<HtmlContext> contexts = analyser.getHtmlContexts(catcher, null, 0);
+        assertThat(contexts.size(), is(equalTo(1)));
+        HtmlContext ctx = contexts.get(0);
+        assertThat(ctx.getParentTag(), is(equalTo("span")));
+        assertThat(ctx.getSurroundingQuote(), is(equalTo("\'")));
+    }
+
+    @Test
+    void shouldParseTheCorrectAttribute() throws Exception {
+        String catcher = "hg4378as";
+        msg = new HttpMessage();
+        msg.setRequestHeader("GET /index.html HTTP/1.1");
+        msg.setResponseBody(
+                "<html> <body> <span id='{\"entity\": \""
+                        + catcher
+                        + "\"}' name=\""
+                        + catcher
+                        + "\">hello</span> <a></a> </body> </html>");
+        HtmlContextAnalyser analyser = new HtmlContextAnalyser(msg);
+        List<HtmlContext> contexts = analyser.getHtmlContexts(catcher, null, 0);
+        assertThat(contexts.size(), is(equalTo(2)));
+
+        HtmlContext ctx1 = contexts.get(0);
+        assertThat(ctx1.getParentTag(), is(equalTo("span")));
+        assertThat(ctx1.getTagAttribute(), is(equalTo("id")));
+        assertThat(ctx1.getSurroundingQuote(), is(equalTo("'")));
+
+        HtmlContext ctx2 = contexts.get(1);
+        assertThat(ctx2.getParentTag(), is(equalTo("span")));
+        assertThat(ctx2.getTagAttribute(), is(equalTo("name")));
+        assertThat(ctx2.getSurroundingQuote(), is(equalTo("\"")));
+    }
 }