Active Scan Rules - Beta

The following beta status active scan rules are included in this add-on:

Backup File Disclosure

Scans for commonly-named backup copies of files on the web server, which may reveal sensitive information.

Latest code: BackupFileDisclosureScanRule.java

Alert ID: 10095.

Cookie Slack Detector

Tests cookies to detect if some have no effect on response size when omitted, especially cookies containing the name “session” or “userid”.

Latest code: SlackerCookieDetector.java

Alert ID: 90027.

CORS Header

This rule attempts to identify CORS headers and also CORS misconfiguration. The CORS is considered as misconfigured when it allows all origins, origins with weaker protocols and null origin.

Latest code: CorsScanRule.java

Alert ID: 40040.

Cross-Domain Misconfiguration

Checks if the web server is configured to allow Cross Domain access, from a malicious third party service, for instance. Currently checks for wildcards in Adobe’s crossdomain.xml, and in SilverLight’s clientaccesspolicy.xml.

Latest code: CrossDomainScanRule.java

Alert ID: 20016.

CSRF Token

Scans HTML based messages for the existence of Anti-CSRF tokens.
Alerts on requests which do not appear to contain Anti-CSRF tokens.
At HIGH alert threshold only scans messages which are in scope.
Post 2.5.0 you can specify a comma separated list of identifiers in the rules.csrf.ignorelist parameter via the Options ‘Rule configuration’ panel. Any FORMs with a name or ID that matches one of these identifiers will be ignored when scanning for missing Anti-CSRF tokens. Only use this feature to ignore FORMs that you know are safe, for example search forms.

Latest code: CsrfTokenScanRule.java

Alert ID: 20012.

Exponential Entity Expansion (Billion Laughs Attack)

This rule attempts to identify the “Billion Laughs” vulnerability in servers that accept XML or YAML files.

Latest code: ExponentialEntityExpansionScanRule.java

Alert ID: 40044.

Expression Language Injection

Checks if the web application is subject to Expression Language (EL) injection attacks, which occur when an application fails to sufficiently neutralize special elements that could modify the intended EL statement before it is executed.

Latest code: ExpressionLanguageInjectionScanRule.java

Alert ID: 90025.

HTTP Only Site

This active scan rule checks whether an HTTP site is served under HTTPS.

Latest code: HttpOnlySiteScanRule.java

Alert ID: 10106.

HttPoxy - Proxy Header Misuse

This active scan rule checks whether a site is using the HTTP Proxy header specified in the request.
It sets up an HTTP proxy which listens to all interfaces on a randomly assigned free port. It then sends a series of requests to the target server with the HTTP Proxy header set to each of the available IP addresses and the port that it is listening on. If a request is received on the new port then the server is very likely to be vulnerable.
IMPORTANT - the computer that ZAP is running on must accept incoming requests on arbitrary ports - if a firewall prevents incoming connections then this rule will not work.

Latest code: HttPoxyScanRule.java

Alert ID: 10107.

HTTPS Content Available via HTTP

This active scan rule attempts to access content that was originally accessed via HTTPS (SSL/TLS) via HTTP.

Latest code: HttpsAsHttpScanRule.java

Alert ID: 10047.

HTTP Parameter Pollution (HPP)

Supplying duplicate or numerous HTTP parameters with the same name may cause an application or website to interpret values in unintended ways. By leveraging these effects, a malicious individual may be able to bypass input validation, trigger errors or modify internal variable values. There are difference in treatment of duplicate parameters impacting both clients (browsers) and servers.

Latest code: HttpParameterPollutionScanRule.java

Alert ID: 20014.

Insecure HTTP Method

Detects (and exploits, depending on the scan settings) known insecure HTTP methods enabled for the URL. It considers PUT/PATCH as insecure methods by default, but allows them if they return structured data like JSON or XML in response.

Latest code: InsecureHttpMethodScanRule.java

Alert ID: 90028.

Integer Overflow Error

Looks for indicators of integer overflows in compiled code that causes the web server to crash. It does this by putting out multiple strings of integers designed to try and stimulate bad responses.

Latest code: IntegerOverflowScanRule.java

Alert ID: 30003.

Out of Band XSS

This rule attempts to discover Out-of-band XSS vulnerabilities.

Latest code: OutOfBandXssScanRule.java

Alert ID: 40031.

Proxy Disclosure

Attempts to detect and fingerprint proxy server(s). This information helps a potential attacker to determine:

  • A list of targets for an attack against the application.
  • Potential vulnerabilities on the proxy servers that service the application.
  • The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated.

Latest code: ProxyDisclosureScanRule.java

Alert ID: 40025.

Relative Path Confusion

Tests if the web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct “relative path” for the URL. If resources (CSS, images, etc.) are references in the response using relative, rather than absolute URLs. In an attack, if the web browser parses the “cross-content” response in a permissive manner, or can be tricked into permissively parsing the “cross-content” response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability.

Latest code: RelativePathConfusionScanRule.java

Alert ID: 10051.

Session Fixation

Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user’s actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim’s browser, to allow the vulnerability to be exploited.

Latest code: SessionFixationScanRule.java

Alert ID: 40013.

ShellShock - CVE-2014-6271

This rule perform 2 attacks to detect servers vulnerable to CVE-2014-6271 aka ShellShock.
The first is a simple reflected attack and the second is a time based attack.

Post 2.5.0 you can change the length of time used for the attack by changing the rules.common.sleep parameter via the Options ‘Rule configuration’ panel.

Latest code: ShellShockScanRule.java

Alert ID: 10048.

Source Code Disclosure - SVN

Uses Subversion source code repository metadata to scan for files containing source code on the web server.
At LOW alert threshold the rule will require less evidence to identify potential code, which could result in more false positives.

Latest code: SourceCodeDisclosureSvnScanRule.java

Alert ID: 42.

Source Code Disclosure - File Inclusion

Uses local file inclusion techniques to scan for files containing source code on the web server.

Latest code: SourceCodeDisclosureFileInclusionScanRule.java

Alert ID: 43.

Source Code Disclosure - Git

Uses Git source code repository metadata to scan for files containing source code on the web server.

Latest code: SourceCodeDisclosureGitScanRule.java

Alert ID: 41.

Server Side Request Forgery

This rule attempts to find Server Side Request Forgery vulnerabilities by injecting out-of-band payloads in request parameters.

Latest code: SsrfScanRule.java

Alert ID: 40046.

Text4shell (CVE-2022-42889)

This rule attempts to discover the Text4shell (CVE-2022-42889) vulnerability. It relies on the OAST add-on to generate out-of-band payloads and verify DNS interactions.

Latest code: Text4ShellScanRule.java

Alert ID: 40047.

Username Enumeration

It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the ‘Attack Strength’ Option in ZAP. Please manually check the ‘Other Info’ field to confirm if this is actually an issue. This rule is skipped if there are no contexts defined that use Form-based Authentication, and only runs against the URL identified as the login URL of a context.

Latest code: UsernameEnumerationScanRule.java

Alert ID: 40023.