The following alpha status active scan rules are included in this add-on:
This implements an example active scan rule that loads strings from a file that the user can edit.
For more details see: Hacking ZAP Part 4: Active Scan Rules.
Latest code: ExampleFileActiveScanRule.java
This implements a very simple example active scan rule.
For more details see: Hacking ZAP Part 4: Active Scan Rules.
Latest code: ExampleSimpleActiveScanRule.java
LDAP Injection may be possible. It may be possible for an attacker to bypass authentication controls, and to view and modify arbitrary data in the LDAP directory.
Latest code: LdapInjectionScanRule.java
This rule attempts to identify MongoDB specific NoSQL Injection vulnerabilities. It attempts various types of attacks including: boolean based, error based, time based, and authentication bypass. It will also attempt JSON parameter specific payloads if the scan is configured to include JSON parameter variants.
Latest code: MongoDbInjectionScanRule.java
This rule attempts to identify Web Cache Deception vulnerabilities. It checks whether a static path appended to original URIs can be used to leak sensitive user information or not.
Latest code: WebCacheDeceptionScanRule.java
This rule attempts to find Server Side Request Forgery vulnerabilities by injecting out-of-band payloads in request parameters.
Latest code: SsrfScanRule.java
This rule attempts to discover the Text4shell (CVE-2022-42889) vulnerability. It relies on the OAST add-on to generate out-of-band payloads and verify DNS interactions.
Latest code: Text4ShellScanRule.java