From 0ffe46246ad1de8de512ccd7dc13942e3174786e Mon Sep 17 00:00:00 2001
From: Karthik <147135381+karthik-uj@users.noreply.github.com>
Date: Thu, 7 Dec 2023 17:55:58 +0530
Subject: [PATCH] ascanrules: Should parse correct quotes and attributes (#5104)

Should parse correct quotes and attributes

Signed-off-by: karthik-uj
---
 addOns/ascanrules/CHANGELOG.md | 1 +
 .../httputils/HtmlContextAnalyser.java | 15 ++++-
 .../HtmlContextAnalyserUnitTest.java | 57 +++++++++++++++++++
 3 files changed, 71 insertions(+), 2 deletions(-)

diff --git a/addOns/ascanrules/CHANGELOG.md b/addOns/ascanrules/CHANGELOG.md
index 1540e156e74..d73cfe147e3 100644
--- a/addOns/ascanrules/CHANGELOG.md
+++ b/addOns/ascanrules/CHANGELOG.md
@@ -13,6 +13,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Fixed
 - Use high and low delays for linear regression time-based tests to fix false positives from delays that were smaller than normal variance in application response times, which affected Command Injection scan rule.
 - Improved SQL Injection - PostgreSQL (Time Based) scan rule by using time-based linear regression tests.
+- Catch correct context while analysing attributes instead of the last attribute where eyecatcher was reflected.
 
 ## [58] - 2023-10-12
 ### Changed
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/httputils/HtmlContextAnalyser.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/httputils/HtmlContextAnalyser.java
index f637c7e0667..99e8383be01 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/httputils/HtmlContextAnalyser.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/httputils/HtmlContextAnalyser.java
@@ -324,9 +324,13 @@ public List getHtmlContexts( Iterator iter = element.getAttributes().iterator(); while (iter.hasNext()) { Attribute att = iter.next(); - if (att.getValue() != null - && att.getValue().toLowerCase().indexOf(target.toLowerCase()) >= 0) { + + if (isInjectionInAttributeValue(context, att)) { // Found the injected value + if (!context.getSurroundingQuote().equals("" + att.getQuoteChar()) + && att.getQuoteChar() != ' ') { + context.setSurroundingQuote("" + att.getQuoteChar()); + } context.setTagAttribute(att.getName()); context.setTagAttributeValue(att.getValue()); context.setInUrlAttribute(this.isUrlAttribute(att.getName())); @@ -362,4 +366,11 @@ public List getHtmlContexts( return contexts; } + + private static boolean isInjectionInAttributeValue(HtmlContext context, Attribute att) { + return att.getValue() != null + && context.getStart() >= att.getValueSegment().getBegin() + && context.getEnd() <= att.getValueSegment().getEnd() + && att.getValue().toLowerCase().indexOf(context.getTarget().toLowerCase()) >= 0; + } } diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/httputils/HtmlContextAnalyserUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/httputils/HtmlContextAnalyserUnitTest.java index e1752eff88b..75bc74e7267 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/httputils/HtmlContextAnalyserUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/httputils/HtmlContextAnalyserUnitTest.java 
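Review bot: The `!context.getSurroundingQuote().equals("" + att.getQuoteChar())` half of the new guard in the attribute loop is redundant — re-setting an equal value is harmless — and it would throw if `HtmlContext` ever started with a null `surroundingQuote` (the new `shouldParseWithNoQuotes` test expects `""`, so the default is presumably a string, but the guard adds nothing either way). Only the `' '` comparison, the marker this code treats as "unquoted value", carries meaning, so the block reduces to `if (att.getQuoteChar() != ' ') { context.setSurroundingQuote(String.valueOf(att.getQuoteChar())); }`, which also replaces the `"" + char` concatenation idiom. Since `isInjectionInAttributeValue` now requires the reflection to lie inside this attribute's value segment, at most one attribute per context should match, so a `break` after the `setInUrlAttribute` call would stop later attributes being re-examined; the rest of the loop body and of `getHtmlContexts` are outside the hunk, so check nothing there relies on the loop running to completion. Note the surrounding quote presumably feeds payload selection in the XSS rule, so a wrongly detected quote would surface as a missed finding rather than an error, which is why this deserves the extra test coverage the commit adds.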
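Review bot: `isInjectionInAttributeValue` is a new private helper with no Javadoc even though its positional check is the fix the commit describes; suggest `/** True when the reflected target lies inside this attribute's own value segment; the position test distinguishes two attributes that both contain the target. */`. The `att.getValue() != null` conjunct is what protects the `getValueSegment()` dereferences that follow (in Jericho both return null for a value-less attribute), so a short `// getValue() null implies getValueSegment() null — keep this check first` comment would stop a future reorder introducing an NPE. The locale-sensitive `toLowerCase()` is carried over from the removed lines; `att.getValue().toLowerCase(Locale.ROOT).contains(context.getTarget().toLowerCase(Locale.ROOT))` is the idiomatic form (this needs a `java.util.Locale` import, which is outside the hunk). Whether `context.getEnd()` is exclusive like Jericho's `Segment.getEnd()` cannot be seen here; if it is inclusive, the `<=` bound admits a reflection that ends one character past the value.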
@@ -192,4 +192,61 @@ void shouldParseWithUnescapedTagEndChar() { assertThat(tagMap.get("span").size(), is(equalTo(0))); assertThat(tagMap.get("a").size(), is(equalTo(0))); } + + @Test + void shouldParseWithNoQuotes() throws Exception { + String catcher = "hg4378as"; + msg = new HttpMessage(); + msg.setRequestHeader("GET /index.html HTTP/1.1"); + msg.setResponseBody(" hello "); + HtmlContextAnalyser analyser = new HtmlContextAnalyser(msg); + List contexts = analyser.getHtmlContexts(catcher, null, 0); + assertThat(contexts.size(), is(equalTo(1))); + HtmlContext ctx = contexts.get(0); + assertThat(ctx.getParentTag(), is(equalTo("span"))); + assertThat(ctx.getSurroundingQuote(), is(equalTo(""))); + } + + @Test + void shouldParseTheCorrectSurroundingQuotesForTagAttributesWithMixedQuotes() throws Exception { + String catcher = "hg4378as"; + msg = new HttpMessage(); + msg.setRequestHeader("GET /index.html HTTP/1.1"); + msg.setResponseBody( + " hello "); + HtmlContextAnalyser analyser = new HtmlContextAnalyser(msg); + List contexts = analyser.getHtmlContexts(catcher, null, 0); + assertThat(contexts.size(), is(equalTo(1))); + HtmlContext ctx = contexts.get(0); + assertThat(ctx.getParentTag(), is(equalTo("span"))); + assertThat(ctx.getSurroundingQuote(), is(equalTo("\'"))); + } + + @Test + void shouldParseTheCorrectAttribute() throws Exception { + String catcher = "hg4378as"; + msg = new HttpMessage(); + msg.setRequestHeader("GET /index.html HTTP/1.1"); + msg.setResponseBody( + " hello "); + HtmlContextAnalyser analyser = new HtmlContextAnalyser(msg); + List contexts = analyser.getHtmlContexts(catcher, null, 0); + assertThat(contexts.size(), is(equalTo(2))); + + HtmlContext ctx1 = contexts.get(0); + assertThat(ctx1.getParentTag(), is(equalTo("span"))); + assertThat(ctx1.getTagAttribute(), is(equalTo("id"))); + assertThat(ctx1.getSurroundingQuote(), is(equalTo("'"))); + + HtmlContext ctx2 = contexts.get(1); + assertThat(ctx2.getParentTag(), is(equalTo("span"))); + 
assertThat(ctx2.getTagAttribute(), is(equalTo("name"))); + assertThat(ctx2.getSurroundingQuote(), is(equalTo("\""))); + } }
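Review bot: The expected single-quote literal is written two ways in the new tests — `"\'"` in shouldParseTheCorrectSurroundingQuotesForTagAttributesWithMixedQuotes and `"'"` in shouldParseTheCorrectAttribute; the escape is unnecessary in a Java string and the two tests should agree, so use `"'"` in both. shouldParseWithNoQuotes asserts the parent tag and the quote but not `getTagAttribute()`, so it would still pass if the reflection were matched against a different attribute than the one it sits in; adding `assertThat(ctx.getTagAttribute(), is(equalTo(/* attribute used in the body */)));` would pin the behaviour the commit fixes. The response-body markup in these tests is not visible in this rendering, so the attribute names cannot be checked here. The three tests repeat the same HttpMessage setup and the same `catcher` literal; a small helper that builds the message from a body would shorten them, though whether that fits depends on how the rest of the class, which is outside the hunk, is written.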