Merge pull request #6563 from kingthorin/sqli-hyper-split

psiinon · web-flow · commit 84469e23e20d · 2025-07-16T09:56:02.000+01:00
ascanrules: SQLi Hypersonic rename scan rule (all time based)
diff --git a/addOns/ascanrules/CHANGELOG.md b/addOns/ascanrules/CHANGELOG.md
@@ -7,7 +7,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Changed
 - Maintenance changes.
 - Depends on an updated version of the Common Library add-on.
-- The SQL Injection - MsSQL scan rule and alerts have been renamed to clarify that they're time based (Issue 7341).
+- The following scan rules and their alerts have been renamed to clarify that they're time based (Issue 7341).
+    - SQL Injection - MsSQL 
+    - SQL Injection - Hypersonic
 
 ### Added
 - Rules (as applicable) have been tagged in relation to HIPAA and PCI DSS.
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicTimingScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicTimingScanRule.java
@@ -24,7 +24,6 @@
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Iterator;
-import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.atomic.AtomicReference;
@@ -46,7 +45,7 @@
 /**
  * TODO: maybe implement a more specific UNION based check for Hypersonic (with table names)
  *
- * <p>The SqlInjectionHypersonicScanRule identifies Hypersonic specific SQL Injection
+ * <p>The SqlInjectionHypersonicTimingScanRule identifies Hypersonic specific SQL Injection
  * vulnerabilities using Hypersonic specific syntax. If it doesn't use Hypersonic specific syntax,
  * it belongs in the generic SQLInjection class! Note the ordering of checks, for efficiency is : 1)
  * Error based (N/A) 2) Boolean Based (N/A - uses standard syntax) 3) UNION based (TODO) 4) Stacked
@@ -68,7 +67,7 @@
  *
  * @author 70pointer
  */
-public class SqlInjectionHypersonicScanRule extends AbstractAppParamPlugin
+public class SqlInjectionHypersonicTimingScanRule extends AbstractAppParamPlugin
         implements CommonActiveScanRuleInfo {
 
     /** Hypersonic one-line comment */
@@ -77,26 +76,6 @@ public class SqlInjectionHypersonicScanRule extends AbstractAppParamPlugin
     private static final String ORIG_VALUE_TOKEN = "<<<<ORIGINALVALUE>>>>";
     private static final String SLEEP_TOKEN = "<<<<SLEEP>>>>";
 
-    /**
-     * create a map of SQL related error message fragments, and map them back to the RDBMS that they
-     * are associated with keep the ordering the same as the order in which the values are inserted,
-     * to allow the more (subjectively judged) common cases to be tested first Note: these should
-     * represent actual (driver level) error messages for things like syntax error, otherwise we are
-     * simply guessing that the string should/might occur.
-     */
-    private static final Map<String, String> SQL_ERROR_TO_DBMS = new LinkedHashMap<>();
-
-    static {
-        SQL_ERROR_TO_DBMS.put("org.hsql", "Hypersonic SQL");
-        SQL_ERROR_TO_DBMS.put("hSql.", "Hypersonic SQL");
-        SQL_ERROR_TO_DBMS.put("Unexpected token , requires FROM in statement", "Hypersonic SQL");
-        SQL_ERROR_TO_DBMS.put("Unexpected end of command in statement", "Hypersonic SQL");
-        SQL_ERROR_TO_DBMS.put("Column count does not match in statement", "Hypersonic SQL");
-        SQL_ERROR_TO_DBMS.put("Table not found in statement", "Hypersonic SQL");
-        SQL_ERROR_TO_DBMS.put("Unexpected token:", "Hypersonic SQL");
-        // Note: only Hypersonic mappings here.
-    }
-
     /** the sleep function in Hypersonic SQL */
     private static final String SQL_HYPERSONIC_TIME_FUNCTION =
             "\"java.lang.Thread.sleep\"(" + SLEEP_TOKEN + ")";
@@ -212,7 +191,8 @@ public class SqlInjectionHypersonicScanRule extends AbstractAppParamPlugin
     }
 
     /** for logging. */
-    private static final Logger LOGGER = LogManager.getLogger(SqlInjectionHypersonicScanRule.class);
+    private static final Logger LOGGER =
+            LogManager.getLogger(SqlInjectionHypersonicTimingScanRule.class);
 
     /** The number of seconds used in time-based attacks (i.e. sleep commands). */
     private int timeSleepSeconds = DEFAULT_SLEEP_TIME;
diff --git a/addOns/ascanrules/src/main/javahelp/org/zaproxy/zap/extension/ascanrules/resources/help/contents/ascanrules.html b/addOns/ascanrules/src/main/javahelp/org/zaproxy/zap/extension/ascanrules/resources/help/contents/ascanrules.html
@@ -361,7 +361,7 @@ <H2 id="id-40020">SQL Injection - Hypersonic (Time Based)</H2>
 <br>
 Post 2.5.0 you can change the length of time used for the attack by changing the <code>rules.common.sleep</code> parameter via the Options 'Rule configuration' panel.
 <p>
-Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRule.java">SqlInjectionHypersonicScanRule.java</a>
+Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicTimingScanRule.java">SqlInjectionHypersonicTimingScanRule.java</a>
 <br>
 Alert ID: <a href="https://www.zaproxy.org/docs/alerts/40020/">40020</a>.
 
diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages.properties
@@ -180,7 +180,7 @@ ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given U
 ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed
 ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass
 ascanrules.sqlinjection.desc = SQL injection may be possible.
-ascanrules.sqlinjection.hypersonic.name = SQL Injection - Hypersonic SQL
+ascanrules.sqlinjection.hypersonic.name = SQL Injection - Hypersonic SQL (Time Based)
 ascanrules.sqlinjection.mssql.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds.
 ascanrules.sqlinjection.mssql.name = SQL Injection - MsSQL (Time Based)
 ascanrules.sqlinjection.mysql.name = SQL Injection - MySQL
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicTimingScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicTimingScanRuleUnitTest.java
@@ -38,13 +38,13 @@
 import org.zaproxy.zap.model.TechSet;
 import org.zaproxy.zap.testutils.NanoServerHandler;
 
-/** Unit test for {@link SqlInjectionHypersonicScanRule}. */
-class SqlInjectionHypersonicScanRuleUnitTest
-        extends ActiveScannerTest<SqlInjectionHypersonicScanRule> {
+/** Unit test for {@link SqlInjectionHypersonicTimingScanRule}. */
+class SqlInjectionHypersonicTimingScanRuleUnitTest
+        extends ActiveScannerTest<SqlInjectionHypersonicTimingScanRule> {
 
     @Override
-    protected SqlInjectionHypersonicScanRule createScanner() {
-        return new SqlInjectionHypersonicScanRule();
+    protected SqlInjectionHypersonicTimingScanRule createScanner() {
+        return new SqlInjectionHypersonicTimingScanRule();
     }
 
     @Test
