Zaproxy: False Positives in ElmahScanRule

Created on 13 Jul 2020  ·  3 Comments  ·  Source: zaproxy/zaproxy

Code: https://github.com/zaproxy/zap-extensions/blob/master/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ElmahScanRule.java

This rule often finds a lot of false positives as it doesn't check the content of any pages identified.
According to https://www.troyhunt.com/aspnet-session-hijacking-with-google/ "Error Log for" appears at the top of every elmah.axd resource, so that would be a good sanity check.

Labels: FalsePositive, add-on, bug

All 3 comments

Looks like the code _is_ checking for that, but it only affects the confidence. I think it shouldn't report files missing that string except at a LOW threshold.
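The decision the comment above describes, as an added example that is not ZAP's code and not taken from ElmahScanRule: a small Python model of the two behaviours, the current one (every 200 on the probed path is reported, the marker only raises or lowers confidence) next to the proposed one (a body without the marker is reported only when the scan threshold is LOW). The `Threshold` and `Confidence` enums stand in for ZAP's alert threshold and alert confidence levels, the `FileProbe` type and its `marker` field are an assumption introduced so the same logic can be reused for other probed-file rules of the kind the thread mentions, and the three responses are constructed, not captured from a real server.

```python
"""Model of the elmah.axd false-positive decision discussed in the issue.

This is illustrative code, not ZAP's ElmahScanRule or AbstractAppFilePlugin.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Threshold(Enum):
    """Stand-in for the scan rule's alert threshold setting."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Confidence(Enum):
    """Stand-in for the confidence attached to a raised alert."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Response:
    status: int
    body: str


@dataclass(frozen=True)
class FileProbe:
    """A probed application file and a string every genuine copy carries.

    Assumed helper type: parametrising on the marker lets the same decision
    serve any rule that probes a well-known path and checks the response.
    """
    path: str
    marker: str


# "Error Log for" is the text reported to appear at the top of every elmah.axd page.
ELMAH = FileProbe("/elmah.axd", "Error Log for")


def alert_current(probe: FileProbe, resp: Response, threshold: Threshold) -> Optional[Confidence]:
    """Behaviour the reporter describes: any 200 is reported, the marker only
    changes the confidence. The threshold is accepted but never consulted."""
    if resp.status != 200:
        return None
    return Confidence.HIGH if probe.marker in resp.body else Confidence.LOW


def alert_proposed(probe: FileProbe, resp: Response, threshold: Threshold) -> Optional[Confidence]:
    """Behaviour the comment proposes: a body carrying the marker is reported at
    high confidence; a body without it is reported, at low confidence, only when
    the threshold is LOW, so a catch-all 200 page no longer produces an alert."""
    if resp.status != 200:
        return None
    if probe.marker in resp.body:
        return Confidence.HIGH
    return Confidence.LOW if threshold is Threshold.LOW else None


# Constructed sample responses (not captured from a real server).
GENUINE = Response(200, "<html><head><title>Error Log for /</title></head><body>...</body></html>")
CATCH_ALL = Response(200, "<html><body>Welcome to our single-page app</body></html>")
MISSING = Response(404, "Not Found")


def compare(probe: FileProbe, resp: Response) -> Dict[Threshold, Tuple[Optional[Confidence], Optional[Confidence]]]:
    """Return {threshold: (current outcome, proposed outcome)} for one response."""
    return {t: (alert_current(probe, resp, t), alert_proposed(probe, resp, t)) for t in Threshold}


if __name__ == "__main__":
    for name, resp in (("genuine elmah page", GENUINE), ("catch-all 200 page", CATCH_ALL), ("404", MISSING)):
        print(name)
        for t, (cur, prop) in compare(ELMAH, resp).items():
            print(f"  threshold={t.name:6} current={cur and cur.name!s:5} proposed={prop and prop.name!s}")
```

Run stand-alone, the script prints a table showing that the catch-all page is reported at every threshold under the current behaviour but only at LOW under the proposed one, while a genuine elmah.axd page is still reported everywhere.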

You might want to change this behavior to be the same while you're doing the ElmahScanRule?

Then all of these would be consistent as well:
https://github.com/zaproxy/zap-extensions/search?q=AbstractAppFilePlugin&unscoped_q=AbstractAppFilePlugin

Actually I'll raise this as a separate issue, as it's in a different add-on...
