From 28f11122b4dacfce08cba4667ff5ed5fb5b317ba Mon Sep 17 00:00:00 2001 
From: kingthorin Date: Tue, 16 Jul 2024 13:25:28 -0400 Subject: [PATCH 1/2] scan rules: Clean code tweaks - Add static modifier where applicable. - CHANGELOG > Add maintenance note (if there wasn't already one present). - pscanrules > Made resource message methods private again where example alerts have been implemented, or removed them where there was only a single usage (inlining the Constant resource message usage). --- .../ascanrules/BufferOverflowScanRule.java | 2 +- .../ascanrules/CommandInjectionScanRule.java | 2 +- .../ascanrules/DirectoryBrowsingScanRule.java | 2 +- .../ascanrules/ExternalRedirectScanRule.java | 4 +- .../ascanrules/FormatStringScanRule.java | 2 +- .../ascanrules/PaddingOracleScanRule.java | 2 +- .../ascanrules/PathTraversalScanRule.java | 6 +- .../SourceCodeDisclosureWebInfScanRule.java | 4 +- .../ascanrules/Spring4ShellScanRule.java | 6 +- .../ExternalRedirectScanRuleUnitTest.java | 4 +- .../HiddenFilesScanRuleUnitTest.java | 2 +- .../ascanrules/XxeScanRuleUnitTest.java | 2 +- addOns/ascanrulesAlpha/CHANGELOG.md | 3 +- addOns/ascanrulesBeta/CHANGELOG.md | 1 + .../BackupFileDisclosureScanRule.java | 2 +- .../HttpParameterPollutionScanRule.java | 2 +- .../IntegerOverflowScanRule.java | 8 +-- .../ProxyDisclosureScanRule.java | 2 +- .../RelativePathConfusionScanRule.java | 2 +- .../SessionFixationScanRule.java | 2 +- .../ascanrulesBeta/SlackerCookieScanRule.java | 21 +++---- ...ceCodeDisclosureFileInclusionScanRule.java | 4 +- .../SourceCodeDisclosureGitScanRule.java | 4 +- .../UsernameEnumerationScanRule.java | 2 +- .../CsrfTokenScanRuleUnitTest.java | 4 +- addOns/pscanrules/CHANGELOG.md | 1 + .../pscanrules/AntiClickjackingScanRule.java | 16 ++---- .../pscanrules/ApplicationErrorScanRule.java | 52 +++++------------ .../pscanrules/BigRedirectsScanRule.java | 8 +-- .../pscanrules/CacheControlScanRule.java | 36 ++---------- .../pscanrules/CharsetMismatchScanRule.java | 8 +-- .../ContentSecurityPolicyMissingScanRule.java | 2 +- 
.../ContentSecurityPolicyScanRule.java | 30 +++------- .../ContentTypeMissingScanRule.java | 36 ++---------- .../pscanrules/CookieHttpOnlyScanRule.java | 36 ++---------- .../CookieLooselyScopedScanRule.java | 45 +++------------ .../pscanrules/CookieSameSiteScanRule.java | 36 ++---------- .../pscanrules/CookieSecureFlagScanRule.java | 37 +++--------- .../CrossDomainMisconfigurationScanRule.java | 29 ++-------- .../CrossDomainScriptInclusionScanRule.java | 31 ++-------- .../CsrfCountermeasuresScanRule.java | 34 +++-------- .../pscanrules/DirectoryBrowsingScanRule.java | 39 ++----------- .../pscanrules/HashDisclosureScanRule.java | 21 ++----- .../pscanrules/HeartBleedScanRule.java | 26 ++------- .../InfoPrivateAddressDisclosureScanRule.java | 36 ++---------- .../pscanrules/InfoSessionIdUrlScanRule.java | 46 +++++---------- ...ormationDisclosureDebugErrorsScanRule.java | 32 ++--------- .../InformationDisclosureInUrlScanRule.java | 38 +++---------- ...InformationDisclosureReferrerScanRule.java | 57 +++++-------------- ...nDisclosureSuspiciousCommentsScanRule.java | 36 +++--------- .../InsecureAuthenticationScanRule.java | 31 ++-------- .../pscanrules/InsecureFormLoadScanRule.java | 16 ++---- .../pscanrules/InsecureFormPostScanRule.java | 16 ++---- .../InsecureJsfViewStatePassiveScanRule.java | 6 +- .../pscanrules/LinkTargetScanRule.java | 18 +----- .../pscanrules/MixedContentScanRule.java | 30 ++-------- .../ModernAppDetectionScanRule.java | 12 +--- .../zap/extension/pscanrules/PiiScanRule.java | 2 +- .../pscanrules/PolyfillCdnScriptScanRule.java | 6 +- .../RetrievedFromCacheScanRule.java | 18 +----- .../StrictTransportSecurityScanRule.java | 6 +- .../TimestampDisclosureScanRule.java | 39 +++---------- .../UserControlledCharsetScanRule.java | 19 ++----- .../UserControlledCookieScanRule.java | 26 ++------- .../UserControlledHTMLAttributesScanRule.java | 46 ++++----------- ...UserControlledJavascriptEventScanRule.java | 38 ++++--------- 
.../UserControlledOpenRedirectScanRule.java | 24 ++------ .../pscanrules/UsernameIdorScanRule.java | 44 +++----------- .../pscanrules/ViewstateScanRule.java | 42 +++++--------- .../pscanrules/XAspNetVersionScanRule.java | 19 ++----- ...XBackendServerInformationLeakScanRule.java | 12 +--- .../XChromeLoggerDataInfoLeakScanRule.java | 20 ++----- .../XContentTypeOptionsScanRule.java | 30 ++-------- .../pscanrules/XDebugTokenScanRule.java | 34 +++-------- .../XPoweredByHeaderInfoLeakScanRule.java | 40 +++---------- .../AntiClickjackingScanRuleUnitTest.java | 4 -- .../ApplicationErrorScanRuleUnitTest.java | 4 -- ...ContentSecurityPolicyScanRuleUnitTest.java | 12 ++-- .../ContentTypeMissingScanRuleUnitTest.java | 6 +- .../CookieHttpOnlyScanRuleUnitTest.java | 4 -- .../CookieLooselyScopedScanRuleUnitTest.java | 6 +- .../CookieSameSiteScanRuleUnitTest.java | 4 -- .../CookieSecureFlagScanRuleUnitTest.java | 4 -- ...omainMisconfigurationScanRuleUnitTest.java | 4 -- ...DomainScriptInclusionScanRuleUnitTest.java | 4 -- .../CsrfCountermeasuresScanRuleUnitTest.java | 6 +- .../DirectoryBrowsingScanRuleUnitTest.java | 2 +- .../HashDisclosureScanRuleUnitTest.java | 2 +- ...vateAddressDisclosureScanRuleUnitTest.java | 8 +-- .../InfoSessionIdUrlScanRuleUnitTest.java | 6 +- ...DisclosureDebugErrorsScanRuleUnitTest.java | 4 -- ...mationDisclosureInUrlScanRuleUnitTest.java | 4 -- ...ionDisclosureReferrerScanRuleUnitTest.java | 4 -- ...ureSuspiciousCommentsScanRuleUnitTest.java | 4 -- ...nsecureAuthenticationScanRuleUnitTest.java | 4 -- .../InsecureFormLoadScanRuleUnitTest.java | 2 +- .../InsecureFormPostScanRuleUnitTest.java | 2 +- ...reJsfViewStatePassiveScanRuleUnitTest.java | 3 +- .../LinkTargetScanRuleUnitTest.java | 2 +- .../MixedContentScanRuleUnitTest.java | 4 -- .../pscanrules/PiiScanRuleUnitTest.java | 2 +- .../RetrievedFromCacheScanRuleUnitTest.java | 2 +- .../ServerHeaderInfoLeakScanRuleUnitTest.java | 2 +- ...rictTransportSecurityScanRuleUnitTest.java | 2 +- 
.../TimestampDisclosureScanRuleUnitTest.java | 4 -- .../UsernameIdorScanRuleUnitTest.java | 4 -- .../pscanrules/ViewStateScanRuleUnitTest.java | 6 +- .../XAspNetVersionScanRuleUnitTest.java | 6 +- ...ServerInformationLeakScanRuleUnitTest.java | 2 +- ...omeLoggerDataInfoLeakScanRuleUnitTest.java | 2 +- .../XDebugTokenScanRuleUnitTest.java | 2 +- ...weredByHeaderInfoLeakScanRuleUnitTest.java | 4 -- addOns/pscanrulesAlpha/CHANGELOG.md | 3 +- .../ExampleFilePassiveScanRule.java | 26 ++------- .../FullPathDisclosureScanRule.java | 19 +------ ...tchMetadataRequestHeadersScanRuleTest.java | 4 +- .../FullPathDisclosureScanRuleUnitTest.java | 2 +- addOns/pscanrulesBeta/CHANGELOG.md | 3 + .../pscanrulesBeta/CacheableScanRule.java | 2 +- .../pscanrulesBeta/JsFunctionScanRule.java | 18 +----- .../extension/pscanrulesBeta/JsoScanRule.java | 2 +- .../SourceCodeDisclosureScanRule.java | 21 ++----- ...SubResourceIntegrityAttributeScanRule.java | 4 +- .../CacheableScanRuleUnitTest.java | 4 +- .../InPageBannerInfoLeakScanRuleUnitTest.java | 2 +- .../JsFunctionScanRuleUnitTest.java | 3 +- ...letParameterPollutionScanRuleUnitTest.java | 3 +- .../SourceCodeDisclosureScanRuleUnitTest.java | 6 +- 128 files changed, 410 insertions(+), 1316 deletions(-) diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java index c193ccea6dc..9092934fe8d 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java @@ -169,7 +169,7 @@ public int getWascId() { return 7; } - private String randomCharacterString(int length) { + private static String randomCharacterString(int length) { StringBuilder sb1 = new StringBuilder(length + 1); int counter = 0; int character = 0; 
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java index 0c09e878408..9442f8200d0 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java @@ -366,7 +366,7 @@ public int getRisk() { return Alert.RISK_HIGH; } - private String getOtherInfo(TestType testType, String testValue) { + private static String getOtherInfo(TestType testType, String testValue) { return Constant.messages.getString( MESSAGE_PREFIX + "otherinfo." + testType.getNameKey(), testValue); } diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java index 92cfeff183d..5bc72d6f7d0 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java @@ -95,7 +95,7 @@ public String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } - private void checkIfDirectory(HttpMessage msg) throws URIException { + private static void checkIfDirectory(HttpMessage msg) throws URIException { URI uri = msg.getRequestHeader().getURI(); uri.setQuery(null); diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java index da5c9d1add9..292036d408b 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java 
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java @@ -342,7 +342,7 @@ private static boolean isRedirectHost(String value, boolean escaped) throws URIE * @param msg the current message where reflected redirection should be check into * @return get back the redirection type if exists */ - private int isRedirected(String payload, HttpMessage msg) { + private static int isRedirected(String payload, HttpMessage msg) { // (1) Check if redirection by "Location" header // http://en.wikipedia.org/wiki/HTTP_location @@ -471,7 +471,7 @@ private static boolean isRedirectPresent(Pattern pattern, String value) { * @param type the redirection type * @return a string representing the reason of this redirection */ - private String getRedirectionReason(int type) { + private static String getRedirectionReason(int type) { switch (type) { case REDIRECT_LOCATION_HEADER: return Constant.messages.getString(MESSAGE_PREFIX + "reason.location.header"); diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java index 352b6926f6e..fdeb28aad5f 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java @@ -105,7 +105,7 @@ public String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } - private String getError(char c) { + private static String getError(char c) { return Constant.messages.getString(MESSAGE_PREFIX + "error" + c); } diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java index e68a1949d73..2cda7d20c4c 100644 
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java
@@ -267,7 +267,7 @@ private String getEmptyValueResponse(String paramName) throws IOException {
 * @param value the value that need to be checked
 * @return true if it seems to be encrypted
 */
- private boolean isEncrypted(byte[] value) {
+ private static boolean isEncrypted(byte[] value) {
 // Make sure we have a reasonable sized string
 // (encrypted strings tend to be long, and short strings tend to break our numbers)
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java
index 1c9365068ff..18888009c67 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java
@@ -608,7 +608,7 @@ private boolean sendAndCheckPayload(
 return false;
 }
- private String getContentsToMatch(HttpMessage message) {
+ private static String getContentsToMatch(HttpMessage message) {
 return message.getResponseHeader().isHtml()
 ? StringEscapeUtils.unescapeHtml4(message.getResponseBody().toString())
 : message.getResponseHeader().toString() + message.getResponseBody().toString();
@@ -700,7 +700,7 @@ public String match(String contents) {
 return matchWinDirectories(contents);
 }
- private String matchNixDirectories(String contents) {
+ private static String matchNixDirectories(String contents) {
 Pattern procPattern = Pattern.compile("(?:^|\\W)proc(?:\\W|$)", Pattern.CASE_INSENSITIVE);
 Pattern etcPattern = Pattern.compile("(?:^|\\W)etc(?:\\W|$)", Pattern.CASE_INSENSITIVE);
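Review bot: matchNixDirectories still runs `Pattern.compile` for `procPattern` and `etcPattern` on every call, and now that the method is static nothing prevents hoisting them to fields compiled once; the same applies to the inline `Pattern.compile("Program\\sFiles")` in the matchWinDirectories hunk that follows. For example `private static final Pattern PROC_PATTERN = Pattern.compile("(?:^|\\W)proc(?:\\W|$)", Pattern.CASE_INSENSITIVE);` and `private static final Pattern ETC_PATTERN = Pattern.compile("(?:^|\\W)etc(?:\\W|$)", Pattern.CASE_INSENSITIVE);` next to the class's other constants, with the method using `PROC_PATTERN.matcher(contents)`. The remainder of matchNixDirectories is outside the hunk, so the matcher calls themselves are not visible here.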
@@ -727,7 +727,7 @@ private String matchNixDirectories(String contents) {
 return null;
 }
- private String matchWinDirectories(String contents) {
+ private static String matchWinDirectories(String contents) {
 if (contents.contains("Windows")
 && Pattern.compile("Program\\sFiles").matcher(contents).find()) {
 return "Windows";
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java
index a4405761998..97c5c05b964 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java
@@ -277,7 +277,7 @@ private HttpMessage createHttpMessage(URI uri) throws HttpMalformedHeaderExcepti
 * @return
 * @throws URIException
 */
- private URI getClassURI(URI hostURI, String classname) throws URIException {
+ private static URI getClassURI(URI hostURI, String classname) throws URIException {
 return new URI(
 hostURI.getScheme()
 + "://"
@@ -288,7 +288,7 @@ private URI getClassURI(URI hostURI, String classname) throws URIException {
 false);
 }
- private URI getPropsFileURI(URI hostURI, String propsfilename) throws URIException {
+ private static URI getPropsFileURI(URI hostURI, String propsfilename) throws URIException {
 return new URI(
 hostURI.getScheme()
 + "://"
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java
index e93dad2bf66..8999dd7130f 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java
@@ -76,11 +76,11 @@ public String getDescription() { return Constant.messages.getString("ascanrules.spring4shell.desc"); } - private boolean is400Response(HttpMessage msg) { + private static boolean is400Response(HttpMessage msg) { return !msg.getResponseHeader().isEmpty() && msg.getResponseHeader().getStatusCode() == 400; } - private void setGetPayload(HttpMessage msg, String payload) throws URIException { + private static void setGetPayload(HttpMessage msg, String payload) throws URIException { msg.getRequestHeader().setMethod("GET"); URI uri = msg.getRequestHeader().getURI(); String query = uri.getEscapedQuery(); @@ -92,7 +92,7 @@ private void setGetPayload(HttpMessage msg, String payload) throws URIException uri.setEscapedQuery(query); } - private void setPostPayload(HttpMessage msg, String payload) { + private static void setPostPayload(HttpMessage msg, String payload) { msg.getRequestHeader().setMethod("POST"); String body = msg.getRequestBody().toString(); if (body.isEmpty() diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRuleUnitTest.java index bff7b0fbede..24daf07ef57 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRuleUnitTest.java 
@@ -80,11 +80,11 @@ private enum PayloadHandling { CONCAT_PATH }; - private NanoServerHandler createHttpRedirectHandler(String path, String header) { + private static NanoServerHandler createHttpRedirectHandler(String path, String header) { return createHttpRedirectHandler(path, header, PayloadHandling.NEITHER); } - private NanoServerHandler createHttpRedirectHandler( + private static NanoServerHandler createHttpRedirectHandler( String path, String header, PayloadHandling payloadHandling) { return new NanoServerHandler(path) { @Override diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java index 7757fc3ade8..861c1a3021e 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java @@ -110,7 +110,7 @@ void checkNoPathsHaveLeadingSlash() { } } - private void assertNoLeadingSlash(String message, String path) { + private static void assertNoLeadingSlash(String message, String path) { assertThat(message.replace(REPLACE_TOKEN, path), !path.startsWith("/"), is(true)); } diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XxeScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XxeScanRuleUnitTest.java index f11016f177b..4f42a45b56f 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XxeScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XxeScanRuleUnitTest.java 
@@ -314,7 +314,7 @@ void shouldAlertOnlyIfCertainTagValuesArePresent() assertThat(alert.getConfidence(), equalTo(Alert.CONFIDENCE_MEDIUM)); } - private NanoServerHandler createNanoHandler( + private static NanoServerHandler createNanoHandler( String path, NanoHTTPD.Response.IStatus status, String responseBody) { return new NanoServerHandler(path) { @Override diff --git a/addOns/ascanrulesAlpha/CHANGELOG.md b/addOns/ascanrulesAlpha/CHANGELOG.md index aa87452afd3..30d6692889f 100644 --- a/addOns/ascanrulesAlpha/CHANGELOG.md +++ b/addOns/ascanrulesAlpha/CHANGELOG.md @@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## Unreleased - +### Changed +- Maintenance changes. ## [48] - 2024-09-02 ### Changed diff --git a/addOns/ascanrulesBeta/CHANGELOG.md b/addOns/ascanrulesBeta/CHANGELOG.md index 33d62066a47..4d5343d4d80 100644 --- a/addOns/ascanrulesBeta/CHANGELOG.md +++ b/addOns/ascanrulesBeta/CHANGELOG.md @@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## Unreleased ### Changed - Log exception details in Out of Band XSS scan rule. +- Maintenance changes. ## [55] - 2024-09-02 ### Changed diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/BackupFileDisclosureScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/BackupFileDisclosureScanRule.java index bd38f756cae..db8d6ff8cbd 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/BackupFileDisclosureScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/BackupFileDisclosureScanRule.java @@ -426,7 +426,7 @@ public List getExampleAlerts() { .build()); } - private boolean isEmptyResponse(byte[] response) { + private static boolean isEmptyResponse(byte[] response) { return response.length == 0; } 
diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpParameterPollutionScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpParameterPollutionScanRule.java index 80e72d88054..8cf6ae1f787 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpParameterPollutionScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpParameterPollutionScanRule.java @@ -242,7 +242,7 @@ public TreeSet getParams(Source s, List inputTags) { * @param url found in the body of the targeted page * @return a hashmap of the query string */ - private Map> getUrlParameters(String url) { + private static Map> getUrlParameters(String url) { Map> params = new HashMap<>(); if (url != null) { diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/IntegerOverflowScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/IntegerOverflowScanRule.java index 1df32cea8c7..2e86f420c22 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/IntegerOverflowScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/IntegerOverflowScanRule.java @@ -85,7 +85,7 @@ public String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } - private String getError(char c) { + private static String getError(char c) { return Constant.messages.getString(MESSAGE_PREFIX + "error" + c); } @@ -145,7 +145,7 @@ public Map getAlertTags() { return ALERT_TAGS; } - private String randomIntegerString(int length) { + private static String randomIntegerString(int length) { int numbercounter = 0; int character = 0; 
@@ -169,7 +169,7 @@ private String randomIntegerString(int length) { return sb1.toString(); } - private String singleString(int length, char c) // Single Character String + private static String singleString(int length, char c) // Single Character String { int numbercounter = 0; @@ -241,7 +241,7 @@ private AlertBuilder buildAlert( .setUri(url) .setParam(param) .setAttack(attack) - .setOtherInfo(this.getError(type)) + .setOtherInfo(getError(type)) .setEvidence(evidence); } } diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java index 22806d92d88..67db86992bb 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java @@ -765,7 +765,7 @@ public void scan() { } } - private String getPath(URI uri) { + private static String getPath(URI uri) { String path = uri.getEscapedPath(); if (path != null) { return path; diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RelativePathConfusionScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RelativePathConfusionScanRule.java index 025ed92afe8..80c018e2ffc 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RelativePathConfusionScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RelativePathConfusionScanRule.java 
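Review bot: singleString keeps its trailing `// Single Character String` comment on the signature line and opens its brace on the following line, which is out of step with the K&R style of the neighbouring methods such as randomIntegerString just above in this hunk. Since the signature is being edited anyway, the comment would be better as a Javadoc summary, presumably something like `/** Builds a string of {@code length} repetitions of {@code c}. */` (the body is outside the hunk, so confirm that is what it does), with the brace moved onto the signature line.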
@@ -645,7 +645,7 @@ private AlertBuilder buildAlert(String attack, String otherInfo, String evidence .setEvidence(evidence); } - private Matcher matchStyles(String body) { + private static Matcher matchStyles(String body) { // remove all " and ' for proper matching url('somefile.png') String styleBody = body.replaceAll("['\"]", ""); return STYLE_URL_LOAD.matcher(styleBody); diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SessionFixationScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SessionFixationScanRule.java index 921f492f022..2b2796df2d1 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SessionFixationScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SessionFixationScanRule.java @@ -1317,7 +1317,7 @@ private static void logSessionFixation( * @param cookieName * @return the HtmlParameter representing the cookie, or null if no matching cookie was found */ - private HtmlParameter getResponseCookie(HttpMessage message, String cookieName) { + private static HtmlParameter getResponseCookie(HttpMessage message, String cookieName) { TreeSet cookieBackParams = message.getResponseHeader().getCookieParams(); if (cookieBackParams.isEmpty()) { // no cookies diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SlackerCookieScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SlackerCookieScanRule.java index 18126b09cd4..5ee4f58f1cb 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SlackerCookieScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SlackerCookieScanRule.java 
@@ -212,7 +212,7 @@ private AlertBuilder createAlert(int risk, String otherInfo) { return newAlert().setRisk(risk).setConfidence(Alert.CONFIDENCE_LOW).setOtherInfo(otherInfo); } - private StringBuilder createOtherInfoText( + private static StringBuilder createOtherInfoText( Set cookiesThatMakeADifference, Set cookiesThatDoNOTMakeADifference) { StringBuilder otherInfoBuff = @@ -228,7 +228,7 @@ private StringBuilder createOtherInfoText( return otherInfoBuff; } - private void listCookies(Set cookieSet, StringBuilder otherInfoBuff) { + private static void listCookies(Set cookieSet, StringBuilder otherInfoBuff) { Iterator itYes = cookieSet.iterator(); while (itYes.hasNext()) { formatCookiesList(otherInfoBuff, itYes); @@ -236,7 +236,7 @@ private void listCookies(Set cookieSet, StringBuilder otherInfoBuff) { otherInfoBuff.append(getEOL()); } - private int calculateRisk( + private static int calculateRisk( Set cookiesThatDoNOTMakeADifference, StringBuilder otherInfoBuff) { int riskLevel = Alert.RISK_INFO; for (String cookie : cookiesThatDoNOTMakeADifference) { 
@@ -252,27 +252,28 @@ private int calculateRisk( return riskLevel; } - private String getSessionDestroyedText(String cookie) { + private static String getSessionDestroyedText(String cookie) { return Constant.messages.getString("ascanbeta.cookieslack.session.destroyed", cookie); } - private String getAffectResponseYes() { + private static String getAffectResponseYes() { return Constant.messages.getString("ascanbeta.cookieslack.affect.response.yes"); } - private String getAffectResponseNo() { + private static String getAffectResponseNo() { return Constant.messages.getString("ascanbeta.cookieslack.affect.response.no"); } - private String getSeparator() { + private static String getSeparator() { return Constant.messages.getString("ascanbeta.cookieslack.separator"); } - private String getEOL() { + private static String getEOL() { return Constant.messages.getString("ascanbeta.cookieslack.endline"); } - private void formatCookiesList(StringBuilder otherInfoBuff, Iterator cookieIterator) { + private static void formatCookiesList( + StringBuilder otherInfoBuff, Iterator cookieIterator) { otherInfoBuff.append(cookieIterator.next()); if (cookieIterator.hasNext()) { @@ -280,7 +281,7 @@ private void formatCookiesList(StringBuilder otherInfoBuff, Iterator coo } } - private String getSessionCookieWarning(String cookie) { + private static String getSessionCookieWarning(String cookie) { return Constant.messages.getString("ascanbeta.cookieslack.session.warning", cookie); } diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureFileInclusionScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureFileInclusionScanRule.java index 2d5b8c7fddd..ed3be4e0fa3 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureFileInclusionScanRule.java 
+++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureFileInclusionScanRule.java
@@ -448,7 +448,7 @@ private boolean isEmptyOrTooSimilar(HttpMessage msg, int matchPercentage) {
 * @param fileExtension
 * @return
 */
- private boolean dataMatchesExtension(byte[] data, String fileExtension) {
+ private static boolean dataMatchesExtension(byte[] data, String fileExtension) {
 if (fileExtension != null) {
 if (fileExtension.equals("JSP")) {
 if (PATTERN_JSP.matcher(new String(data)).find()) return true;
@@ -502,7 +502,7 @@ public Map getAlertTags() {
 * @param b
 * @return
 */
- private int calcLengthMatchPercentage(int a, int b) {
+ private static int calcLengthMatchPercentage(int a, int b) {
 if (a == 0 && b == 0) return 100;
 if (a == 0 || b == 0) return 0;
diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureGitScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureGitScanRule.java
index 3d09aa0fd62..3408532793f 100644
--- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureGitScanRule.java
+++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureGitScanRule.java
@@ -107,7 +107,7 @@ public String getReference() {
 return VULN.getReferencesAsString();
 }
- private String getEvidence(String filename, String gitURIs) {
+ private static String getEvidence(String filename, String gitURIs) {
 return Constant.messages.getString(
 "ascanbeta.sourcecodedisclosure.gitbased.evidence", filename, gitURIs);
 }
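Review bot: `new String(data)` in dataMatchesExtension decodes the response bytes with the JVM default charset, so whether `PATTERN_JSP` matches can differ between hosts (the default is platform-dependent before JDK 18) and the detection becomes environment-sensitive; pass an explicit charset, e.g. `if (PATTERN_JSP.matcher(new String(data, StandardCharsets.ISO_8859_1)).find()) return true;` (a one-byte-per-char decoding never throws and is enough if, as the name suggests, the pattern only looks for ASCII keywords — confirm against the pattern's definition, which is outside the hunk), adding the `java.nio.charset.StandardCharsets` import. The identical method is also touched in the SourceCodeDisclosureGitScanRule hunk on the next line, which is a candidate for one shared helper rather than two copies. The Javadoc's `@return` tag is empty in both; `@return {@code true} if the data looks like source of the given extension type` would say what callers get. The rest of dataMatchesExtension lies outside the hunk.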
@@ -158,7 +158,7 @@ public void scan() {
 * @param fileExtension
 * @return
 */
- private boolean dataMatchesExtension(byte[] data, String fileExtension) {
+ private static boolean dataMatchesExtension(byte[] data, String fileExtension) {
 if (fileExtension != null) {
 if (fileExtension.equals("JSP")) {
 if (PATTERN_JSP.matcher(new String(data)).find()) return true;
diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRule.java
index c02435aaf7f..db041d35f3d 100644
--- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRule.java
+++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRule.java
@@ -730,7 +730,7 @@ public String longestCommonSubsequence(String a, String b) {
 return hirshberg.getLCS(a, b);
 }
- private boolean shouldContinue(List contextList) {
+ private static boolean shouldContinue(List contextList) {
 boolean hasAuth = false;
 for (Context context : contextList) {
 if (context.getAuthenticationMethod() instanceof FormBasedAuthenticationMethod) {
diff --git a/addOns/ascanrulesBeta/src/test/java/org/zaproxy/zap/extension/ascanrulesBeta/CsrfTokenScanRuleUnitTest.java b/addOns/ascanrulesBeta/src/test/java/org/zaproxy/zap/extension/ascanrulesBeta/CsrfTokenScanRuleUnitTest.java
index a8ae32fb1a5..bdc1692d360 100644
--- a/addOns/ascanrulesBeta/src/test/java/org/zaproxy/zap/extension/ascanrulesBeta/CsrfTokenScanRuleUnitTest.java
+++ b/addOns/ascanrulesBeta/src/test/java/org/zaproxy/zap/extension/ascanrulesBeta/CsrfTokenScanRuleUnitTest.java
@@ -370,7 +370,7 @@ public boolean isInScope() { return msg; } - private void setUpHttpSessionsParam() { + private static void setUpHttpSessionsParam() { HttpSessionsParam sessionOptions = new HttpSessionsParam(); sessionOptions.load(new ZapXmlConfiguration()); Model.getSingleton().getOptionsParam().addParamSet(sessionOptions); @@ -385,7 +385,7 @@ private HttpMessage getAntiCSRFCompatibleMessage() throws HttpMalformedHeaderExc + ">"); } - private HtmlParameter getCookieAs(String cookieName) { + private static HtmlParameter getCookieAs(String cookieName) { return new HtmlParameter( HtmlParameter.Type.cookie, cookieName, "FF4F838FDA9E1974DEEB4020AB6127FD"); } diff --git a/addOns/pscanrules/CHANGELOG.md b/addOns/pscanrules/CHANGELOG.md index 7fc2ca938af..a4b8e1846ed 100644 --- a/addOns/pscanrules/CHANGELOG.md +++ b/addOns/pscanrules/CHANGELOG.md @@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## Unreleased ### Changed +- Maintenance changes. - Rename Mac OSX salted SHA-1 in the Hash Disclosure scan rule to "Salted SHA-1", reduce the associated alerts to Low risk and Low confidence, to align with other SHA related patterns it will only be evaluated a Low Threshold. (Note such matches may indicate leaks related but not limited to: MacOS X, Oracle, Tiger-192, Haval-192) (Issue 8624). - The Insecure JSF ViewState now includes example alert functionality for documentation generation purposes (Issue 6119). diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java index 371cbb2bebb..573cccefa20 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java 
@@ -144,8 +144,8 @@ private AlertBuilder buildAlert(String evidence, VulnType currentVT) { .setSolution(getAlertElement(currentVT, "soln")) .setReference(getAlertElement(currentVT, "refs")) .setEvidence(evidence) - .setCweId(getCweId()) - .setWascId(getWascId()) + .setCweId(1021) // CWE-1021: Improper Restriction of Rendered UI Layers or Frames + .setWascId(15) // WASC-15: Application Misconfiguration .setAlertRef(PLUGIN_ID + "-" + currentVT.getRef()); } @@ -164,15 +164,7 @@ public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 1021; // CWE-1021: Improper Restriction of Rendered UI Layers or Frames - } - - public int getWascId() { - return 15; // WASC-15: Application Misconfiguration - } - - private String getAlertElement(VulnType currentVT, String element) { + private static String getAlertElement(VulnType currentVT, String element) { switch (currentVT) { case XFO_MISSING: return Constant.messages.getString(MESSAGE_PREFIX + "missing." + element); @@ -197,7 +189,7 @@ private String getAlertElement(VulnType currentVT, String element) { * {@code null}. * @see RFC 7034 Section 4 */ - private String getMetaXFOEvidence(Source source) { + private static String getMetaXFOEvidence(Source source) { List metaElements = source.getAllElements(HTMLElementName.META); String httpEquiv; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ApplicationErrorScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ApplicationErrorScanRule.java index a76ba54f8ef..c0183a61610 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ApplicationErrorScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ApplicationErrorScanRule.java 
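Review bot: The @@ -164 hunk deletes the public `getCweId()` and `getWascId()` accessors outright instead of narrowing them to `private`, which is a source-incompatible change for anything outside this class that still calls them (unit tests in another module, other add-ons or scripts that inspect scan rules); the same removal recurs in the ApplicationErrorScanRule, CacheControlScanRule, ContentSecurityPolicyScanRule, ContentTypeMissingScanRule, Cookie*ScanRule, CrossDomain*ScanRule and CsrfCountermeasuresScanRule hunks below. The PR description says single-use resource methods were removed deliberately, so this is fine if the full workspace build and the scan-rule unit tests were run; it would be worth saying so in the description, since the CHANGELOG entry only reads "Maintenance changes." If external use cannot be ruled out, keeping the accessors as `private int getCweId()` / `private int getWascId()` would preserve the de-duplication while failing loudly only at compile time inside this module.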
@@ -120,35 +120,11 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - public String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - public String getReference() { - return null; - } - - public int getRisk() { - return Alert.RISK_MEDIUM; - } - @Override public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 200; - } - - public int getWascId() { - return 13; - } - /** * Perform the passive scanning of application errors inside the response content * @@ -171,7 +147,9 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { // No need to alert return; } - raiseAlert(msg, id, msg.getResponseHeader().getPrimeHeader(), Alert.RISK_LOW); + buildAlert(msg, id, msg.getResponseHeader().getPrimeHeader()) + .setRisk(Alert.RISK_LOW) + .raise(); } else if (!getHelper().isPage404(msg) && !msg.getResponseHeader().hasContentType("application/wasm")) { @@ -184,7 +162,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { String body = msg.getResponseBody().toString(); for (String payload : getCustomPayloads().get()) { if (body.contains(payload)) { - raiseAlert(msg, id, payload, getRisk()); + raiseAlert(msg, id, payload); return; } } 
@@ -193,33 +171,31 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { // We found it! // There exists a positive match of an // application error occurrence - raiseAlert(msg, id, evidence, getRisk()); + raiseAlert(msg, id, evidence); } } } // Internal service method for alert management - private void raiseAlert(HttpMessage msg, int id, String evidence, int risk) { - buildAlert(msg, id, evidence, risk).raise(); + private void raiseAlert(HttpMessage msg, int id, String evidence) { + buildAlert(msg, id, evidence).raise(); } - private AlertBuilder buildAlert(HttpMessage msg, int id, String evidence, int risk) { + private AlertBuilder buildAlert(HttpMessage msg, int id, String evidence) { return newAlert() - .setRisk(risk) + .setRisk(Alert.RISK_MEDIUM) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) - .setSolution(getSolution()) - .setReference(getReference()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) .setEvidence(evidence) - .setCweId(getCweId()) - .setWascId(getWascId()); + .setCweId(200) + .setWascId(13); } @Override public List getExampleAlerts() { List alerts = new ArrayList<>(); - Alert example = - buildAlert(null, 0, "ERROR: parser: parse error at or near", getRisk()).build(); + Alert example = buildAlert(null, 0, "ERROR: parser: parse error at or near").build(); example.setTags( CommonAlertTag.mergeTags(example.getTags(), CommonAlertTag.CUSTOM_PAYLOADS)); alerts.add(example); diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/BigRedirectsScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/BigRedirectsScanRule.java index 6b8bf77ee8d..8b88ce57f8f 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/BigRedirectsScanRule.java 
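Review bot: `buildAlert` now hardcodes `.setRisk(Alert.RISK_MEDIUM)` while the HTTP 500 branch of `scanHttpResponseReceive` (previous hunk) immediately overrides it with `.setRisk(Alert.RISK_LOW)`, so the risk an alert ends up with is no longer visible from the builder alone; a one-line comment on the builder would save the next reader a search, e.g. `// Default risk; the 5xx status branch lowers this to RISK_LOW before raising.` Relatedly, `getExampleAlerts` documents only the medium-risk variant, so the low-risk server-error alert this rule can raise has no example; if the example-alert consumers accept more than one entry, a second `buildAlert(null, 0, <placeholder 5xx prime header>).setRisk(Alert.RISK_LOW).build()` would document it.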
+++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/BigRedirectsScanRule.java @@ -100,7 +100,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { * @param redirectURILength the length of the URI in the redirect response Location header * @return predictedResponseSize */ - private int getPredictedResponseSize(int redirectURILength) { + private static int getPredictedResponseSize(int redirectURILength) { int predictedResponseSize = redirectURILength + 300; LOGGER.debug("Original Response Location Header URI Length: {}", redirectURILength); LOGGER.debug("Predicted Response Size: {}", predictedResponseSize); @@ -111,7 +111,7 @@ private AlertBuilder createBaseAlert(String ref) { return newAlert() .setRisk(Alert.RISK_LOW) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setSolution(getSolution()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) .setCweId(201) .setWascId(13) .setAlertRef(String.valueOf(PLUGIN_ID) + ref); @@ -155,10 +155,6 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CacheControlScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CacheControlScanRule.java index 5989f2c15d8..e25dc3f9e04 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CacheControlScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CacheControlScanRule.java 
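Review bot: `getPredictedResponseSize` still adds the bare literal `300` to the Location URI length, and the Javadoc above it (`@return predictedResponseSize`) says nothing about what those bytes approximate. Making the method static is a natural moment to name the constant, e.g. `private static final int PREDICTED_RESPONSE_OVERHEAD = 300;` and `int predictedResponseSize = redirectURILength + PREDICTED_RESPONSE_OVERHEAD;`, and to state the heuristic in the Javadoc. The method body continues outside the hunk.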
@@ -84,15 +84,15 @@ private AlertBuilder createAlert(String evidence) { evidence = evidence.substring(1, evidence.length() - 1); } return newAlert() - .setRisk(getRisk()) + .setRisk(Alert.RISK_INFO) .setConfidence(Alert.CONFIDENCE_LOW) - .setDescription(getDescription()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setParam(CACHE_CONTROL_HEADER) - .setSolution(getSolution()) - .setReference(getReference()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(evidence) - .setCweId(getCweId()) - .setWascId(getWascId()); + .setCweId(525) + .setWascId(13); } @Override @@ -110,30 +110,6 @@ public Map getAlertTags() { return ALERT_TAGS; } - public int getRisk() { - return Alert.RISK_INFO; - } - - public String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - public String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - public String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - - public int getCweId() { - return 525; - } - - public int getWascId() { - return 13; - } - @Override public List getExampleAlerts() { return List.of(createAlert("no-store, must-revalidate").build()); diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java index 065bc3d9d39..dfb3de6b136 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java 
@@ -213,7 +213,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { // FIX: This will match Atom and RSS feeds now, which set text/html but // use <?xml> in content - private boolean isResponseHTML(HttpMessage message, Source source) { + private static boolean isResponseHTML(HttpMessage message, Source source) { String contentType = message.getResponseHeader().getHeader(HttpHeader.CONTENT_TYPE); if (contentType == null) { return false; @@ -224,12 +224,12 @@ private boolean isResponseHTML(HttpMessage message, Source source) { || contentType.indexOf("application/xhtml") != -1; } - private boolean isResponseXML(HttpMessage message, Source source) { + private static boolean isResponseXML(HttpMessage message, Source source) { // Return true if source or response is identified as XML return source.isXML() || message.getResponseHeader().isXml(); } - private String getBodyContentCharset(String bodyContentType) { + private static String getBodyContentCharset(String bodyContentType) { // preconditions assert bodyContentType != null; @@ -303,7 +303,7 @@ public int getWascId() { return 15; // WASC-15: Application Misconfiguration } - private String getExtraInfo( + private static String getExtraInfo( String firstCharset, String secondCharset, MismatchType mismatchType) { String extraInfo = ""; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java index c1d17f2c8cc..7a701544eae 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java 
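Review bot: `getBodyContentCharset` guards its precondition with `assert bodyContentType != null;`, which is a no-op unless the JVM runs with `-ea`, so in a normal ZAP process a null content type falls through to whatever follows (the body continues past the hunk). Replacing it with `Objects.requireNonNull(bodyContentType, "bodyContentType");` enforces the contract regardless of JVM flags and needs only `java.util.Objects`. The same assert-as-precondition pattern appears in the `isLooselyScopedCookie` hunk of CookieLooselyScopedScanRule below (`assert cookie != null;` / `assert host != null;`).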
@@ -87,7 +87,7 @@ public String getName() { return getAlertAttribute("name"); } - private String getAlertAttribute(String key) { + private static String getAlertAttribute(String key) { return Constant.messages.getString(MESSAGE_PREFIX + key); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRule.java index 679f6c89aec..f057d13f941 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRule.java @@ -376,7 +376,7 @@ private static boolean allowsUnsafeEval(Policy policy, FetchDirectiveKind source return false; } - private String getCspNoticesString(List notices) { + private static String getCspNoticesString(List notices) { if (notices.isEmpty()) { return ""; } @@ -431,7 +431,7 @@ private static List getNotices( * @param header The header field(s) to be found * @return list of the matched headers */ - private List getHeaderField(HttpMessage msg, String header) { + private static List getHeaderField(HttpMessage msg, String header) { List matchedHeaders = new ArrayList<>(); String headers = msg.getResponseHeader().toString(); String[] headerElements = headers.split("\\r\\n"); @@ -446,7 +446,7 @@ private List getHeaderField(HttpMessage msg, String header) { return matchedHeaders; } - private List getAllowedWildcardSources(String policyText) { + private static List getAllowedWildcardSources(String policyText) { List allowedSources = new ArrayList<>(); Policy pol = Policy.parseSerializedCSP(policyText, PolicyErrorConsumer.ignored); 
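Review bot: `getHeaderField` rebuilds the header list by serializing the whole response header with `toString()` and splitting on `"\\r\\n"`, so the result depends on the serialization format and on every header line being CRLF-terminated. Elsewhere in this patch `isResponseHTML` in CharsetMismatchScanRule reads headers through `getResponseHeader().getHeader(...)`, so presumably the same header API (its by-name value lookup, `getHeaderValues(header)`, if the call sites only need the values) could answer this without the string round-trip. The method body continues outside the hunk, so I cannot see how the split pieces are matched; this is a follow-up, not a blocker for the static-modifier change.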
@@ -550,37 +550,21 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - public String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 693; // CWE-693: Protection Mechanism Failure - } - - public int getWascId() { - return 15; // WASC-15: Application Misconfiguration - } - private AlertBuilder getBuilder(String name, String alertRef) { String alertName = StringUtils.isEmpty(name) ? getName() : getName() + ": " + name; return newAlert() .setName(alertName) .setConfidence(Alert.CONFIDENCE_HIGH) .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) - .setSolution(getSolution()) - .setReference(getReference()) - .setCweId(getCweId()) - .setWascId(getWascId()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) + .setCweId(693) // CWE-693: Protection Mechanism Failure + .setWascId(15) // WASC-15: Application Misconfiguration .setAlertRef(PLUGIN_ID + "-" + alertRef); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentTypeMissingScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentTypeMissingScanRule.java index 8a6da550ce2..475cd83cd42 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentTypeMissingScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentTypeMissingScanRule.java 
@@ -69,14 +69,14 @@ private AlertBuilder buildAlert(boolean isContentTypeMissing) { return newAlert() .setName(issue) - .setRisk(getRisk()) + .setRisk(Alert.RISK_INFO) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setParam(HttpHeader.CONTENT_TYPE) - .setSolution(getSolution()) - .setReference(getReference()) - .setCweId(getCweId()) - .setWascId(getWascId()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) + .setCweId(345) // CWE Id 345 - Insufficient Verification of Data Authenticity + .setWascId(12) // WASC Id 12 - Content Spoofing) .setAlertRef(alertRef); } @@ -85,35 +85,11 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - public String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - public String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 345; // CWE Id 345 - Insufficient Verification of Data Authenticity - } - - public int getWascId() { - return 12; // WASC Id 12 - Content Spoofing - } - - public int getRisk() { - return Alert.RISK_INFO; - } - @Override public int getPluginId() { return PLUGIN_ID; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieHttpOnlyScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieHttpOnlyScanRule.java index 288f7769714..7c8fed58eb8 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieHttpOnlyScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieHttpOnlyScanRule.java 
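Review bot: The inlined comment `// WASC Id 12 - Content Spoofing)` in `buildAlert` carries a stray closing parenthesis that the removed `getWascId()` comment did not have; it should read `.setWascId(12) // WASC Id 12 - Content Spoofing`. The same drift appears in the CookieLooselyScopedScanRule hunk below (`// CWE-565: Reliance on Cookies without Validation and Integrity)` gained a `)`) and in the CookieSecureFlagScanRule hunk (`// WASC-13: Info leakage;` gained a `;`). Cosmetic, but these comments are now the only place the CWE/WASC meaning is recorded, so they are worth keeping clean.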
@@ -84,17 +84,17 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { private AlertBuilder buildAlert(HttpMessage msg, String headerValue) { return newAlert() - .setRisk(getRisk()) + .setRisk(Alert.RISK_LOW) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setParam(CookieUtils.getCookieName(headerValue)) - .setSolution(getSolution()) - .setReference(getReference()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence( CookieUtils.getSetCookiePlusName( msg.getResponseHeader().toString(), headerValue)) - .setCweId(getCweId()) - .setWascId(getWascId()); + .setCweId(1004) // CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag + .setWascId(13); // WASC-13: Info leakage } @Override @@ -107,35 +107,11 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - public String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - public String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 1004; // CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag - } - - public int getWascId() { - return 13; // WASC-13: Info leakage - } - - public int getRisk() { - return Alert.RISK_LOW; - } - private Model getModel() { if (this.model == null) { this.model = Model.getSingleton(); diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRule.java index 27c4fbdf7a1..4caf62f5ade 100644 
--- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRule.java @@ -86,7 +86,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { * Determines whether the specified cookie is loosely scoped by * checking it's Domain attribute value against the host */ - private boolean isLooselyScopedCookie(HttpCookie cookie, String host) { + private static boolean isLooselyScopedCookie(HttpCookie cookie, String host) { // preconditions assert cookie != null; assert host != null; @@ -138,7 +138,8 @@ private boolean isLooselyScopedCookie(HttpCookie cookie, String host) { return true; } - private boolean isCookieAndHostHaveTheSameDomain(String[] cookieDomains, String[] hostDomains) { + private static boolean isCookieAndHostHaveTheSameDomain( + String[] cookieDomains, String[] hostDomains) { if (cookieDomains == null || hostDomains == null || cookieDomains[0].equalsIgnoreCase("null") @@ -168,15 +169,15 @@ private AlertBuilder buildAlert(String host, List looselyScopedCooki } return newAlert() - .setRisk(getRisk()) + .setRisk(Alert.RISK_INFO) .setConfidence(Alert.CONFIDENCE_LOW) - .setDescription(getDescription()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setOtherInfo( Constant.messages.getString(MESSAGE_PREFIX + "extrainfo", host, sbCookies)) - .setSolution(getSolution()) - .setReference(getReference()) - .setCweId(getCweId()) - .setWascId(getWascId()); + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) + .setCweId(565) // CWE-565: Reliance on Cookies without Validation and Integrity) + .setWascId(15); // WASC-15: Application Misconfiguration) } @Override 
@@ -193,39 +194,11 @@ public int getPluginId() { return 90033; } - public int getRisk() { - return Alert.RISK_INFO; - } - - /* - * Rule-associated messages - */ - - public String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - public String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - public String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 565; // CWE-565: Reliance on Cookies without Validation and Integrity - } - - public int getWascId() { - return 15; // WASC-15: Application Misconfiguration) - } - private Model getModel() { if (this.model == null) { this.model = Model.getSingleton(); diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieSameSiteScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieSameSiteScanRule.java index 4bccf227008..5cd081a0847 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieSameSiteScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieSameSiteScanRule.java 
@@ -92,20 +92,20 @@ private void checkCookies(HttpMessage msg, String cookieHeader) { private AlertBuilder buildAlert(String responseHeader, String cookieHeaderValue) { return newAlert() - .setRisk(getRisk()) + .setRisk(Alert.RISK_LOW) .setConfidence(Alert.CONFIDENCE_MEDIUM) .setParam(CookieUtils.getCookieName(cookieHeaderValue)) - .setSolution(getSolution()) - .setReference(getReference()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(CookieUtils.getSetCookiePlusName(responseHeader, cookieHeaderValue)) - .setCweId(getCweId()) - .setWascId(getWascId()); + .setCweId(1275) // CWE-1275: Sensitive Cookie with Improper SameSite Attribute + .setWascId(13); // WASC Id - Info leakage } private AlertBuilder buildMissingAlert(String responseHeader, String cookieHeaderValue) { return buildAlert(responseHeader, cookieHeaderValue) .setName(getName()) - .setDescription(getDescription()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setAlertRef(PLUGIN_ID + "-1"); } @@ -128,40 +128,16 @@ public int getPluginId() { return PLUGIN_ID; } - public int getRisk() { - return Alert.RISK_LOW; - } - @Override public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - public String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - public String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 1275; // CWE-1275: Sensitive Cookie with Improper SameSite Attribute - } - - public int getWascId() { - return 13; // WASC Id - Info leakage - } - @Override public List getExampleAlerts() { return List.of( 
diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieSecureFlagScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieSecureFlagScanRule.java index 85f24f00ad8..bb7fb1d2a35 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieSecureFlagScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieSecureFlagScanRule.java @@ -89,17 +89,18 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { private AlertBuilder buildAlert(HttpMessage msg, String headerValue) { return newAlert() - .setRisk(getRisk()) + .setRisk(Alert.RISK_LOW) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setParam(CookieUtils.getCookieName(headerValue)) - .setSolution(getSolution()) - .setReference(getReference()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence( CookieUtils.getSetCookiePlusName( msg.getResponseHeader().toString(), headerValue)) - .setCweId(getCweId()) - .setWascId(getWascId()); + .setCweId(614) // CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' + // Attribute + .setWascId(13); // WASC-13: Info leakage; } @Override 
@@ -107,40 +108,16 @@ public int getPluginId() { return PLUGIN_ID; } - public int getRisk() { - return Alert.RISK_LOW; - } - @Override public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - public String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - public String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 614; // CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - } - - public int getWascId() { - return 13; // WASC-13: Info leakage - } - private Model getModel() { if (this.model == null) { this.model = Model.getSingleton(); diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainMisconfigurationScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainMisconfigurationScanRule.java index b52e334089d..f002215ec0f 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainMisconfigurationScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainMisconfigurationScanRule.java 
@@ -139,15 +139,15 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { private AlertBuilder buildAlert(String evidence) { return newAlert() - .setRisk(getRisk()) + .setRisk(Alert.RISK_MEDIUM) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setOtherInfo(Constant.messages.getString(MESSAGE_PREFIX + "extrainfo")) .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(evidence) - .setCweId(getCweId()) - .setWascId(getWascId()); + .setCweId(264) // CWE 264: Permissions, Privileges, and Access Controls + .setWascId(14); // WASC-14: Server Misconfiguration } private static String extractEvidence(String header, String headerName) { @@ -155,23 +155,11 @@ private static String extractEvidence(String header, String headerName) { return header.substring(start, header.indexOf("\r", start)); } - public int getRisk() { - return Alert.RISK_MEDIUM; - } - @Override public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 264; // CWE 264: Permissions, Privileges, and Access Controls - } - - public int getWascId() { - return 14; // WASC-14: Server Misconfiguration - } - /** * get the id of the scanner * @@ -182,15 +170,6 @@ public int getPluginId() { return 10098; } - /** - * get the description of the alert - * - * @return - */ - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - @Override public List getExampleAlerts() { return List.of(buildAlert("access-control-allow-origin: *").build()); diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainScriptInclusionScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainScriptInclusionScanRule.java index 991cbb3d283..2e636c301a4 100644 
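Review bot: `extractEvidence`, whose closing context line opens the @@ -155 hunk, computes `header.substring(start, header.indexOf("\r", start))`, and `indexOf` returns -1 when no CR follows `start`, which surfaces as a `StringIndexOutOfBoundsException` instead of a missed match. If the serialized header is guaranteed CRLF-terminated this cannot happen, but a defensive form costs little: `int end = header.indexOf("\r", start);` followed by `return end < 0 ? header.substring(start) : header.substring(start, end);`. The method's opening lines, including how `start` is derived, are outside the hunk.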
--- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainScriptInclusionScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainScriptInclusionScanRule.java @@ -87,14 +87,15 @@ && isScriptFromOtherDomain( private AlertBuilder createAlert(String crossDomainScript, String evidence) { return newAlert() - .setRisk(getRisk()) + .setRisk(Alert.RISK_LOW) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setParam(crossDomainScript) - .setSolution(getSolution()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) .setEvidence(evidence) - .setCweId(getCweId()) - .setWascId(getWascId()); + .setCweId(829) // CWE Id 829 - Inclusion of Functionality from Untrusted Control + // Sphere + .setWascId(15); // WASC-15: Application Misconfiguration } private void raiseAlert(HttpMessage msg, int id, String crossDomainScript, String evidence) { @@ -115,36 +116,16 @@ public int getPluginId() { return PLUGIN_ID; } - public int getRisk() { - return Alert.RISK_LOW; - } - @Override public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - public String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 829; // CWE Id 829 - Inclusion of Functionality from Untrusted Control Sphere - } - - public int getWascId() { - return 15; // WASC-15: Application Misconfiguration) - } - private Model getModel() { if (this.model == null) { this.model = Model.getSingleton(); 
diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRule.java index 4e89306f279..a5be1442be9 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRule.java @@ -208,12 +208,12 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { LOGGER.debug("\tScan of record {} took {} ms", id, System.currentTimeMillis() - start); } - private String getExtraInfo(String tokenNamesFlattened, String formDetails) { + private static String getExtraInfo(String tokenNamesFlattened, String formDetails) { return Constant.messages.getString( "pscanrules.noanticsrftokens.alert.extrainfo", tokenNamesFlattened, formDetails); } - private boolean formOnIgnoreList(Element formElement, List ignoreList) { + private static boolean formOnIgnoreList(Element formElement, List ignoreList) { String id = formElement.getAttributeValue("id"); String name = formElement.getAttributeValue("name"); for (String ignore : ignoreList) { 
@@ -235,42 +235,22 @@ public String getName() { return Constant.messages.getString("pscanrules.noanticsrftokens.name"); } - public String getDescription() { - return VULN.getDescription(); - } - - public String getSolution() { - return VULN.getSolution(); - } - - public String getReference() { - return VULN.getReferencesAsString(); - } - @Override public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 352; // CWE-352: Cross-Site Request Forgery (CSRF) - } - - public int getWascId() { - return 9; - } - private AlertBuilder buildAlert(int risk, String desc, String extraInfo, String evidence) { return newAlert() .setRisk(risk) .setConfidence(Alert.CONFIDENCE_LOW) - .setDescription(desc + "\n" + getDescription()) + .setDescription(desc + "\n" + VULN.getDescription()) .setOtherInfo(extraInfo) - .setSolution(getSolution()) - .setReference(getReference()) + .setSolution(VULN.getSolution()) + .setReference(VULN.getReferencesAsString()) .setEvidence(evidence) - .setCweId(getCweId()) - .setWascId(getWascId()); + .setCweId(352) // CWE-352: Cross-Site Request Forgery (CSRF) + .setWascId(9); } @Override diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRule.java index aa3b6b703e3..0b3084819a6 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRule.java 
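Review bot: `.setWascId(9);` in the rebuilt buildAlert has no explanatory comment while the CWE line right above it does; `.setWascId(9); // WASC-9: Cross-Site Request Forgery` keeps the two identifiers equally readable. Inlining VULN.getDescription()/getSolution()/getReferencesAsString() into the builder is otherwise behaviour-preserving as far as the hunk shows.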
@@ -116,10 +116,10 @@ private AlertBuilder buildAlert(String server, String evidence) { .setName(getName()) .setRisk(Alert.RISK_MEDIUM) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) - .setOtherInfo(getExtraInfo(server)) - .setSolution(getSolution()) - .setReference(getReference()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) + .setOtherInfo(Constant.messages.getString(MESSAGE_PREFIX + "extrainfo", server)) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(evidence) .setCweId(548) // Information Exposure Through Directory Listing .setWascId(16); // Directory Indexing @@ -140,37 +140,6 @@ public int getPluginId() { return 10033; } - /** - * get the description of the alert - * - * @return - */ - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - /** - * get the solution for the alert - * - * @return - */ - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - /** - * gets references for the alert - * - * @return - */ - private String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - - private static String getExtraInfo(String server) { - return Constant.messages.getString(MESSAGE_PREFIX + "extrainfo", server); - } - @Override public Map getAlertTags() { return ALERT_TAGS; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRule.java index f33aabb5b90..789b25da8a2 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRule.java 
@@ -265,9 +265,12 @@ private AlertBuilder buildAlert(String evidence, HashAlert hashAlert) { .setName(getName() + " - " + hashAlert.getDescription()) .setRisk(hashAlert.getRisk()) .setConfidence(hashAlert.getConfidence()) - .setDescription(getDescription() + " - " + hashAlert.getDescription()) - .setSolution(getSolution()) - .setReference(getReference()) + .setDescription( + Constant.messages.getString(MESSAGE_PREFIX + "desc") + + " - " + + hashAlert.getDescription()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(evidence) .setCweId(200) // Information Exposure, .setWascId(13); // Information Leakage @@ -278,18 +281,6 @@ public int getPluginId() { return 10097; } - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HeartBleedScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HeartBleedScanRule.java index 73b09ea89b7..233e7f99175 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HeartBleedScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HeartBleedScanRule.java 
@@ -116,10 +116,12 @@ private AlertBuilder buildAlert(String fullVersionString) { return newAlert() .setRisk(Alert.RISK_HIGH) .setConfidence(Alert.CONFIDENCE_LOW) - .setDescription(getDescription()) - .setOtherInfo(getExtraInfo(fullVersionString)) - .setSolution(getSolution()) - .setReference(getReference()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) + .setOtherInfo( + Constant.messages.getString( + MESSAGE_PREFIX + "extrainfo", fullVersionString)) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(fullVersionString) .setCweId(119) // CWE 119: Failure to Constrain Operations within the Bounds of a // Memory Buffer @@ -131,22 +133,6 @@ public int getPluginId() { return 10034; } - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - - private String getExtraInfo(String opensslVersion) { - return Constant.messages.getString(MESSAGE_PREFIX + "extrainfo", opensslVersion); - } - @Override public Map getAlertTags() { return ALERT_TAGS; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRule.java index 7920f640313..925444fd2d1 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRule.java 
@@ -134,31 +134,11 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - public String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - public String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 200; // CWE Id 200 - Information Exposure - } - - public int getWascId() { - return 13; // WASC Id - Info leakage - } - @Override public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { if (!msg.getResponseHeader().isText()) { @@ -195,18 +175,14 @@ public List getExampleAlerts() { private AlertBuilder createAlert(String otherInfo, String evidence) { return newAlert() - .setRisk(getRisk()) + .setRisk(Alert.RISK_LOW) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setOtherInfo(otherInfo) - .setSolution(getSolution()) - .setReference(getReference()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(evidence) - .setCweId(getCweId()) - .setWascId(getWascId()); - } - - public int getRisk() { - return Alert.RISK_LOW; + .setCweId(200) // CWE Id 200 - Information Exposure + .setWascId(13); // WASC Id - Info leakage } } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java index 07098091a80..41840ddb5c1 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java 
+++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java @@ -105,35 +105,19 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getDescription() { + private static String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - public String getSolution() { + private static String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); } - public String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - - public int getRisk() { - return Alert.RISK_MEDIUM; - } - @Override public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 200; // CWE Id 200 - Information Exposure - } - - public int getWascId() { - return 13; // WASC Id - Info leakage - } - private static final Pattern PATHSESSIONIDPATTERN = Pattern.compile( "jsessionid=[\\dA-Z]{" + SESSION_TOKEN_MIN_LENGTH + ",}", @@ -177,7 +161,6 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { getName(), getDescription(), getSolution(), - getRisk(), Alert.CONFIDENCE_HIGH, param.getValue(), param.getName(), @@ -206,7 +189,6 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { getName(), getDescription(), getSolution(), - getRisk(), Alert.CONFIDENCE_HIGH, jsessMatcher.group(), "", 
@@ -248,17 +230,17 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { }; // The name of this sub-alert - private String getRefererAlert() { + private static String getRefererAlert() { return Constant.messages.getString(MESSAGE_PREFIX + "referrer.alert"); } // The description of this sub-alert - private String getRefererDescription() { + private static String getRefererDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "referrer.desc"); } // The solution of this sub-alert - private String getRefererSolution() { + private static String getRefererSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "referrer.soln"); } @@ -274,7 +256,6 @@ private String getRefererSolution() { */ private void checkSessionIDExposureTo3rdParty(HttpMessage msg, int id) throws URIException { - int risk = (msg.getRequestHeader().isSecure()) ? Alert.RISK_MEDIUM : Alert.RISK_LOW; String body = msg.getResponseBody().toString(); String host = msg.getRequestHeader().getURI().getHost(); String linkHostName; @@ -290,11 +271,14 @@ private void checkSessionIDExposureTo3rdParty(HttpMessage msg, int id) throws UR getRefererAlert(), getRefererDescription(), getRefererSolution(), - risk, Alert.CONFIDENCE_MEDIUM, linkHostName, "", "-3") + .setRisk( + msg.getRequestHeader().isSecure() + ? Alert.RISK_MEDIUM + : Alert.RISK_LOW) .raise(); break; // Only need one @@ -311,7 +295,6 @@ public List getExampleAlerts() { getName(), getDescription(), getSolution(), - getRisk(), Alert.CONFIDENCE_HIGH, "1A530637289A03B07199A44E8D531427", "jsessionid", @@ -322,7 +305,6 @@ public List getExampleAlerts() { getName(), getDescription(), getSolution(), - getRisk(), Alert.CONFIDENCE_HIGH, "jsessionid=1A530637289A03B07199A44E8D531427", "", @@ -333,7 +315,6 @@ public List getExampleAlerts() { getRefererAlert(), getRefererDescription(), getRefererSolution(), - Alert.RISK_MEDIUM, Alert.CONFIDENCE_MEDIUM, "www.example.org", "", 
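Review bot: In checkSessionIDExposureTo3rdParty the risk is now applied by chaining `.setRisk(...)` after createAlert(), which itself hardcodes Alert.RISK_MEDIUM in the next hunk, so the final value depends on last-call-wins ordering that a reader of createAlert cannot see. A comment at the override keeps the contract visible: `// createAlert() defaults to RISK_MEDIUM; lowered to LOW when the request was not over TLS`. Behaviour is otherwise unchanged: the removed local computed the same ternary, and the referrer example alert still ends up MEDIUM via the new default.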
@@ -346,22 +327,21 @@ private AlertBuilder createAlert( String name, String desc, String soln, - int risk, int confidence, String evidence, String param, String alertRef) { return newAlert() .setName(name) - .setRisk(risk) + .setRisk(Alert.RISK_MEDIUM) .setConfidence(confidence) .setDescription(desc) .setSolution(soln) - .setReference(getReference()) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setParam(param) .setEvidence(evidence) - .setCweId(getCweId()) - .setWascId(getWascId()) + .setCweId(200) // CWE Id 200 - Information Exposure + .setWascId(13) // WASC Id - Info leakage .setAlertRef(getPluginId() + alertRef); } } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRule.java index 5afec2b02b8..f8b47c2da10 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRule.java @@ -75,13 +75,13 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { private AlertBuilder buildAlert(String evidence) { return newAlert() - .setRisk(getRisk()) + .setRisk(Alert.RISK_LOW) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) - .setSolution(getSolution()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) .setEvidence(evidence) - .setCweId(getCweId()) - .setWascId(getWascId()); + .setCweId(200) // CWE Id 200 - Information Exposure + .setWascId(13); // WASC Id - Info leakage } private String doesResponseContainsDebugErrorMessage(HttpBody body) { 
@@ -99,7 +99,7 @@ private String doesResponseContainsDebugErrorMessage(HttpBody body) { return null; } - private List loadFile(Path path) { + private static List loadFile(Path path) { List strings = new ArrayList<>(); BufferedReader reader = null; File f = path.toFile(); @@ -133,36 +133,16 @@ public void setDebugErrorFile(Path path) { this.errors = loadFile(path); } - public int getRisk() { - return Alert.RISK_LOW; - } - @Override public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - public String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 200; // CWE Id 200 - Information Exposure - } - - public int getWascId() { - return 13; // WASC Id - Info leakage - } - @Override public int getPluginId() { return PLUGIN_ID; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureInUrlScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureInUrlScanRule.java index 3c05616ae10..d5499199cde 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureInUrlScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureInUrlScanRule.java 
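Review bot: loadFile is now static and takes a Path but still manages a `BufferedReader reader = null;` by hand via `path.toFile()`; `try (BufferedReader reader = Files.newBufferedReader(path, StandardCharsets.UTF_8))` would make both the close and the charset explicit. The method body continues past the hunk, so I cannot confirm how the reader is closed or which charset is used today.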
@@ -99,21 +99,21 @@ public void scanHttpRequestSend(HttpMessage msg, int id) { } } - private String getSsnOtherInfo() { + private static String getSsnOtherInfo() { return Constant.messages.getString(MESSAGE_PREFIX + "otherinfo.ssn"); } private AlertBuilder buildAlert(String param, String evidence, String other) { return newAlert() - .setRisk(getRisk()) + .setRisk(Alert.RISK_INFO) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setParam(param) .setOtherInfo(other) - .setSolution(getSolution()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) .setEvidence(evidence) - .setCweId(getCweId()) - .setWascId(getWascId()); + .setCweId(200) // CWE Id 200 - Information Exposure) + .setWascId(13); // WASC Id - Info leakage } private static List loadFile(String file) { 
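Review bot: The inlined CWE comment in buildAlert carries a stray closing parenthesis, `.setCweId(200) // CWE Id 200 - Information Exposure)`, and the InformationDisclosureSuspiciousCommentsScanRule createAlert hunk has the same artefact on both `// CWE Id 200 - Information Exposure)` and `// WASC Id - Info leakage)`. The CrossDomainScriptInclusionScanRule hunk fixes exactly this typo in its WASC comment, so it is a copy-paste leftover; drop the trailing `)` in all three places.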
@@ -155,52 +155,32 @@ private static String doesParamNameContainsSensitiveInformation(String paramName return null; } - public int getRisk() { - return Alert.RISK_INFO; - } - @Override public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - public String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 200; // CWE Id 200 - Information Exposure - } - - public int getWascId() { - return 13; // WASC Id - Info leakage - } - @Override public int getPluginId() { return PLUGIN_ID; } - private boolean isEmailAddress(String emailAddress) { + private static boolean isEmailAddress(String emailAddress) { Matcher matcher = emailAddressPattern.matcher(emailAddress); return matcher.find(); } - private boolean isCreditCard(String creditCard) { + private static boolean isCreditCard(String creditCard) { Matcher matcher = creditCardPattern.matcher(creditCard); return matcher.find(); } - private boolean isUsSSN(String usSSN) { + private static boolean isUsSSN(String usSSN) { Matcher matcher = usSSNPattern.matcher(usSSN); return matcher.find(); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRule.java index 9da73283517..9b09a1d501f 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRule.java 
@@ -102,11 +102,11 @@ public void scanHttpRequestSend(HttpMessage msg, int id) { } } - private String getSsnOtherInfo() { + private static String getSsnOtherInfo() { return Constant.messages.getString(MESSAGE_PREFIX + "otherinfo.ssn"); } - private boolean isRequestedURLSameDomainAsHTTPReferrer(String host, String referrerURL) { + private static boolean isRequestedURLSameDomainAsHTTPReferrer(String host, String referrerURL) { boolean result = false; if (referrerURL.startsWith("/")) { result = true; 
@@ -126,32 +126,25 @@ private boolean isRequestedURLSameDomainAsHTTPReferrer(String host, String refer private AlertBuilder buildAlert(String evidence, String other) { return newAlert() - .setRisk(getRisk()) + .setRisk(Alert.RISK_INFO) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setCweId(200) // CWE Id 200 - Information Exposure + .setWascId(13) // WASC Id - Info leakage .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) .setOtherInfo(other) - .setSolution(getSolution()) - .setEvidence(evidence) - .setCweId(getCweId()) - .setWascId(getWascId()); + .setEvidence(evidence); } private AlertBuilder buildCcAlert(String evidence, String other, BinRecord binRec) { if (binRec != null) { other = other + '\n' + getBinRecString(binRec); } - return newAlert() - .setRisk(getRisk()) - .setConfidence(binRec != null ? Alert.CONFIDENCE_HIGH : Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) - .setOtherInfo(other) - .setSolution(getSolution()) - .setEvidence(evidence) - .setCweId(getCweId()) - .setWascId(getWascId()); + return buildAlert(evidence, other) + .setConfidence(binRec != null ? Alert.CONFIDENCE_HIGH : Alert.CONFIDENCE_MEDIUM); } - private String getBinRecString(BinRecord binRec) { + private static String getBinRecString(BinRecord binRec) { StringBuilder recString = new StringBuilder(75); recString .append(Constant.messages.getString(MESSAGE_PREFIX + "bin.field")) @@ -175,7 +168,7 @@ private String getBinRecString(BinRecord binRec) { return recString.toString(); } - private List loadFile(String file) { + private static List loadFile(String file) { List strings = new ArrayList<>(); File f = new File(Constant.getZapHome() + File.separator + file); if (!f.exists()) { 
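Review bot: buildCcAlert now relies on calling `.setConfidence(...)` after buildAlert() has already set CONFIDENCE_MEDIUM, and buildAlert's builder calls were reordered so that setConfidence comes after the CWE/WASC ids; neither is wrong for a builder, but the override is invisible from buildAlert. A one-line comment in buildCcAlert makes it explicit: `// buildAlert() sets CONFIDENCE_MEDIUM; a BIN match upgrades it to HIGH`. Keeping buildAlert's original call order (risk, confidence, description, ...) would also make the diff smaller and match the other rules in this PR.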
@@ -221,37 +214,17 @@ public int getPluginId() { return PLUGIN_ID; } - public int getRisk() { - return Alert.RISK_INFO; - } - @Override public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - public String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 200; // CWE Id 200 - Information Exposure - } - - public int getWascId() { - return 13; // WASC Id - Info leakage - } - - private String doesContainEmailAddress(String emailAddress) { + private static String doesContainEmailAddress(String emailAddress) { Matcher matcher = emailAddressPattern.matcher(emailAddress); if (matcher.find()) { return matcher.group(); @@ -259,7 +232,7 @@ private String doesContainEmailAddress(String emailAddress) { return null; } - private String doesContainCreditCard(String creditCard) { + private static String doesContainCreditCard(String creditCard) { Matcher matcher = creditCardPattern.matcher(creditCard); if (matcher.find()) { String candidate = matcher.group(); @@ -270,7 +243,7 @@ private String doesContainCreditCard(String creditCard) { return null; } - private String doesContainUsSSN(String usSSN) { + private static String doesContainUsSSN(String usSSN) { Matcher matcher = usSSNPattern.matcher(usSSN); if (matcher.find()) { return matcher.group(); diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureSuspiciousCommentsScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureSuspiciousCommentsScanRule.java index a512ac12823..3a0938a9097 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureSuspiciousCommentsScanRule.java 
+++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureSuspiciousCommentsScanRule.java @@ -179,7 +179,7 @@ private static void recordAlertSummary( alertMap.computeIfAbsent(summary.getPattern(), k -> new ArrayList<>()).add(summary); } - private String truncateString(String str) { + private static String truncateString(String str) { if (str.length() > MAX_ELEMENT_CHRS_TO_REPORT) { return str.substring(0, MAX_ELEMENT_CHRS_TO_REPORT); } @@ -188,13 +188,13 @@ private String truncateString(String str) { private AlertBuilder createAlert(String detail, int confidence, String evidence) { return newAlert() - .setRisk(getRisk()) + .setRisk(Alert.RISK_INFO) .setConfidence(confidence) - .setDescription(getDescription()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setOtherInfo(detail) - .setSolution(getSolution()) - .setCweId(getCweId()) - .setWascId(getWascId()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setCweId(200) // CWE Id 200 - Information Exposure) + .setWascId(13) // WASC Id - Info leakage) .setEvidence(evidence); } @@ -205,7 +205,7 @@ private List getPatterns() { return patterns; } - private List initPatterns() { + private static List initPatterns() { List targetPatterns = new ArrayList<>(); for (String payload : payloadProvider.get()) { targetPatterns.add(compilePayload(payload)); @@ -213,7 +213,7 @@ private List initPatterns() { return targetPatterns; } - private Pattern compilePayload(String payload) { + private static Pattern compilePayload(String payload) { return Pattern.compile("\\b" + payload + "\\b", Pattern.CASE_INSENSITIVE); } 
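Review bot: compilePayload, now static, still concatenates the raw payload into the regex (`"\\b" + payload + "\\b"`), so a custom payload supplied through setPayloadProvider that contains a regex metacharacter would either throw PatternSyntaxException when initPatterns runs or match something other than the literal word. If payloads are meant to be literal comment keywords, `Pattern.compile("\\b" + Pattern.quote(payload) + "\\b", Pattern.CASE_INSENSITIVE)` addresses both; if they are intentionally regexes, a comment on the method saying so would stop the next reader from "fixing" it. I cannot tell which is intended from this hunk.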
@@ -221,36 +221,16 @@ public static void setPayloadProvider(Supplier> provider) { payloadProvider = provider == null ? DEFAULT_PAYLOAD_PROVIDER : provider; } - public int getRisk() { - return Alert.RISK_INFO; - } - @Override public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - public String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 200; // CWE Id 200 - Information Exposure - } - - public int getWascId() { - return 13; // WASC Id - Info leakage - } - @Override public int getPluginId() { return PLUGIN_ID; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java index 03f6f7e44ad..519593a0644 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java 
@@ -214,31 +214,11 @@ public String getName() { return Constant.messages.getString("pscanrules.insecureauthentication.name"); } - public String getDescription() { - return Constant.messages.getString("pscanrules.insecureauthentication.desc"); - } - - public String getSolution() { - return Constant.messages.getString("pscanrules.insecureauthentication.soln"); - } - - public String getReference() { - return Constant.messages.getString("pscanrules.insecureauthentication.refs"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 326; // CWE Id - Inadequate Encryption Strength - } - - public int getWascId() { - return 4; // WASC Id - Insufficient Transport Layer Protection - } - @Override public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { if (msg.getRequestHeader().isSecure()) { @@ -283,12 +263,13 @@ private AlertBuilder buildAlert(String auth) { return newAlert() .setRisk(Alert.RISK_MEDIUM) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) - .setSolution(getSolution()) - .setReference(getReference()) + .setDescription( + Constant.messages.getString("pscanrules.insecureauthentication.desc")) + .setSolution(Constant.messages.getString("pscanrules.insecureauthentication.soln")) + .setReference(Constant.messages.getString("pscanrules.insecureauthentication.refs")) .setEvidence(HttpHeader.WWW_AUTHENTICATE + ": " + auth) - .setCweId(getCweId()) - .setWascId(getWascId()) + .setCweId(326) // CWE Id - Inadequate Encryption Strength + .setWascId(4) // WASC Id - Insufficient Transport Layer Protection .setAlertRef(getPluginId() + "-2"); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRule.java index 7140919f5c5..636dfca4b85 100644 
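Review bot: The inlined buildAlert now repeats the literal key prefix `"pscanrules.insecureauthentication."` four times (name, desc, soln, refs), whereas the other rules in this PR use a MESSAGE_PREFIX constant. Introducing `private static final String MESSAGE_PREFIX = "pscanrules.insecureauthentication.";` and writing `Constant.messages.getString(MESSAGE_PREFIX + "desc")` would also let the three setter calls fit on one line each. The class's fields are outside the hunk, so I cannot see whether such a constant already exists.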
--- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRule.java @@ -71,7 +71,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { } } - private boolean isHttps(HttpMessage msg) { + private static boolean isHttps(HttpMessage msg) { return HttpHeader.HTTPS.equals(msg.getRequestHeader().getURI().getScheme()); } @@ -81,7 +81,7 @@ private boolean isHttps(HttpMessage msg) { // TODO: these methods have been extracted from CharsetMismatchScanner // I think we should create helper methods for them - private boolean isResponseHTML(HttpMessage message, Source source) { + private static boolean isResponseHTML(HttpMessage message, Source source) { String contentType = message.getResponseHeader().getHeader(HttpHeader.CONTENT_TYPE); if (contentType == null) { return false; @@ -96,9 +96,9 @@ private AlertBuilder buildAlert(String url, String formElement, String evidence) return newAlert() .setRisk(Alert.RISK_MEDIUM) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescriptionMessage()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setOtherInfo(getExtraInfoMessage(url, formElement)) - .setSolution(getSolutionMessage()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) .setEvidence(evidence) .setCweId(319) // CWE-319: Cleartext Transmission of Sensitive Information .setWascId(15); // WASC-15: Application Misconfiguration 
@@ -109,14 +109,6 @@ public int getPluginId() { return 10041; } - private String getDescriptionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolutionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - private static String getExtraInfoMessage(String url, String formElement) { return Constant.messages.getString(MESSAGE_PREFIX + "extrainfo", url, formElement); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRule.java index 995ebe573bf..37944493dd9 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRule.java @@ -71,7 +71,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { } } - private boolean isHttps(HttpMessage msg) { + private static boolean isHttps(HttpMessage msg) { String scheme = msg.getRequestHeader().getURI().getScheme(); if ("https".equals(scheme)) { return true; @@ -86,7 +86,7 @@ private boolean isHttps(HttpMessage msg) { // TODO: these methods have been extracted from CharsetMismatchScanner // I think we should create helper methods for them - private boolean isResponseHTML(HttpMessage message, Source source) { + private static boolean isResponseHTML(HttpMessage message, Source source) { String contentType = message.getResponseHeader().getHeader(HttpHeader.CONTENT_TYPE); if (contentType == null) { return false; 
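Review bot: isHttps in InsecureFormPostScanRule (now static) compares the scheme against the literal `"https"`, while the sibling InsecureFormLoadScanRule hunk uses `HttpHeader.HTTPS.equals(...)`; the two helpers do the same job, and the TODO above isResponseHTML already notes they should be shared. Using the constant here as well, `if (HttpHeader.HTTPS.equals(scheme)) { return true;`, keeps the pair consistent until they are extracted. The method body continues past the hunk.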
@@ -101,9 +101,9 @@ private AlertBuilder buildAlert(String url, String formElement, String evidence) return newAlert() .setRisk(Alert.RISK_MEDIUM) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescriptionMessage()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setOtherInfo(getExtraInfoMessage(url, formElement)) - .setSolution(getSolutionMessage()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) .setEvidence(evidence) .setCweId(319) // CWE-319: Cleartext Transmission of Sensitive Information .setWascId(15); // WASC-15: Application Misconfiguration @@ -114,14 +114,6 @@ public int getPluginId() { return 10042; } - private String getDescriptionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolutionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - private static String getExtraInfoMessage(String url, String formElement) { return Constant.messages.getString(MESSAGE_PREFIX + "extrainfo", url, formElement); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRule.java index e3ca9d5d4d3..fbe8145d0af 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRule.java 
@@ -132,7 +132,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { * @return {@code true} if {@code viewState} is cryptographically secure, and {@code false} * otherwise (there might be false positives and false negatives) */ - private boolean isViewStateSecure(String viewState, String charset) { + private static boolean isViewStateSecure(String viewState, String charset) { if (viewState == null || viewState.equals("")) { return true; } @@ -185,7 +185,7 @@ private static byte[] decompress(byte[] value) throws IOException { return output.toByteArray(); } - private boolean isRawViewStateSecure(String viewState) { + private static boolean isRawViewStateSecure(String viewState) { if (viewState == null || viewState.equals("")) { return true; } @@ -216,7 +216,7 @@ private AlertBuilder createAlert(String viewState) { // jsf server side implementation in com.sun.faces.renderkit.ServerSideStateHelper // two id's separated by : - private boolean isViewStateStoredOnServer(String val) { + private static boolean isViewStateStoredOnServer(String val) { return val != null && val.contains(":"); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRule.java index a0749f64730..7eedbfdbfa1 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRule.java 
@@ -141,9 +141,9 @@ private AlertBuilder buildAlert(String evidence) { return newAlert() .setRisk(Alert.RISK_MEDIUM) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) - .setSolution(getSolution()) - .setReference(getReference()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(evidence); } @@ -177,18 +177,6 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/MixedContentScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/MixedContentScanRule.java index 9c5987f3ebf..c7f41d6fabc 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/MixedContentScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/MixedContentScanRule.java 
@@ -124,13 +124,13 @@ private AlertBuilder buildAlert(String first, String all, boolean incScript) { .setName(name) .setRisk(risk) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setOtherInfo(all) - .setSolution(getSolution()) - .setReference(getReference()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(first) - .setCweId(getCweId()) - .setWascId(getWascId()); + .setCweId(311) // CWE Id 311 - Missing Encryption of Sensitive Data + .setWascId(4); // WASC Id 4 - Insufficient Transport Layer Protection } @Override @@ -143,31 +143,11 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - public String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - public String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 311; // CWE Id 311 - Missing Encryption of Sensitive Data - } - - public int getWascId() { - return 4; // WASC Id 4 - Insufficient Transport Layer Protection - } - @Override public List getExampleAlerts() { return List.of( diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ModernAppDetectionScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ModernAppDetectionScanRule.java index d027328f1c8..c3f261dc44d 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ModernAppDetectionScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ModernAppDetectionScanRule.java 
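Review bot: The `getDescription()`, `getSolution()`, `getReference()`, `getCweId()` and `getWascId()` methods removed in the second hunk were `public`, so this is an API removal rather than a pure clean-up: any unit test or other add-on that calls `rule.getCweId()` stops compiling. The same applies to the public accessors removed later on this page in TimestampDisclosureScanRule, UsernameIdorScanRule, ViewstateScanRule, XAspNetVersionScanRule and to `getRisk()` in PolyfillCdnScriptScanRule. The diffstat visible here is truncated, so I cannot tell whether the pscanrules tests were updated alongside; a grep for these call sites before merging would settle it. If the ids must stay reachable for tests, `private static final int CWE_ID = 311;` keeps them in one place without exposing a public getter.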
@@ -93,9 +93,9 @@ private AlertBuilder buildAlert(String otherInfo, String evidence) { return newAlert() .setRisk(Alert.RISK_INFO) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setOtherInfo(otherInfo) - .setSolution(getSolution()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) .setEvidence(evidence); } @@ -104,14 +104,6 @@ public int getPluginId() { return 10109; } - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - @Override public List getExampleAlerts() { return List.of( diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/PiiScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/PiiScanRule.java index 6e1140cedc1..fcb096cf5d3 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/PiiScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/PiiScanRule.java @@ -180,7 +180,7 @@ private AlertBuilder createAlert(String evidence, String cardType, BinRecord bin .setWascId(13); // WASC-13: Information Leakage } - private String getBinRecString(BinRecord binRec) { + private static String getBinRecString(BinRecord binRec) { StringBuilder recString = new StringBuilder(75); recString .append(Constant.messages.getString(MESSAGE_PREFIX + "bin.field")) diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/PolyfillCdnScriptScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/PolyfillCdnScriptScanRule.java index 3896910baad..85a12d4d36e 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/PolyfillCdnScriptScanRule.java 
+++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/PolyfillCdnScriptScanRule.java @@ -167,7 +167,7 @@ private AlertBuilder createLowConfidenceAlert(String param, String evidence) { private AlertBuilder createAlert( int confidence, String description, String param, String evidence, int alertRef) { return newAlert() - .setRisk(getRisk()) + .setRisk(Alert.RISK_HIGH) .setConfidence(confidence) .setDescription(description) .setParam(param) @@ -198,10 +198,6 @@ public int getPluginId() { return PLUGIN_ID; } - public int getRisk() { - return Alert.RISK_HIGH; - } - @Override public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRule.java index 91eb6de5a4b..ce479db48e6 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRule.java @@ -137,9 +137,9 @@ private AlertBuilder buildAlert(String evidence, boolean compliant) { return newAlert() .setRisk(Alert.RISK_INFO) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) - .setSolution(getSolution()) - .setReference(getReference()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(evidence) // If compliant Other Info: "Age" header implies a HTTP/1.1 compliant cache server. .setOtherInfo( 
@@ -160,18 +160,6 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/StrictTransportSecurityScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/StrictTransportSecurityScanRule.java index f9e8029e65b..932403e6929 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/StrictTransportSecurityScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/StrictTransportSecurityScanRule.java @@ -193,7 +193,7 @@ public Map getAlertTags() { return ALERT_TAGS; } - private String getAlertElement(VulnType currentVT, String element) { + private static String getAlertElement(VulnType currentVT, String element) { String elementValue = ""; switch (currentVT) { case HSTS_MISSING: @@ -234,7 +234,7 @@ private String getAlertElement(VulnType currentVT, String element) { return elementValue; } - private int getRisk(VulnType currentVT) { + private static int getRisk(VulnType currentVT) { switch (currentVT) { case HSTS_MISSING: case HSTS_MAX_AGE_DISABLED: @@ -259,7 +259,7 @@ private int getRisk(VulnType currentVT) { * return {@code null}. * @see RFC 6797 Section 8.5 */ - private String getMetaHSTSEvidence(Source source) { + private static String getMetaHSTSEvidence(Source source) { List metaElements = source.getAllElements(HTMLElementName.META); String httpEquiv; 
diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/TimestampDisclosureScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/TimestampDisclosureScanRule.java index b328c3bc09a..09811610f3e 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/TimestampDisclosureScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/TimestampDisclosureScanRule.java @@ -187,16 +187,19 @@ private AlertBuilder buildAlert( String timestampType, String evidence, String param, Date timestamp) { return newAlert() .setName(getName() + " - " + timestampType) - .setRisk(getRisk()) + .setRisk(Alert.RISK_LOW) .setConfidence(Alert.CONFIDENCE_LOW) - .setDescription(getDescription() + " - " + timestampType) + .setDescription( + Constant.messages.getString(MESSAGE_PREFIX + "desc") + + " - " + + timestampType) .setParam(param) .setOtherInfo(getExtraInfo(evidence, timestamp)) - .setSolution(getSolution()) - .setReference(getReference()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(evidence) - .setCweId(getCweId()) - .setWascId(getWascId()); + .setCweId(200) // CWE Id 200 - Information Exposure + .setWascId(13); // WASC Id - Info leakage } @Override 
@@ -204,22 +207,6 @@ public int getPluginId() { return 10096; } - public int getRisk() { - return Alert.RISK_LOW; - } - - public String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - public String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - public String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - private static String getExtraInfo(String evidence, Date timestamp) { String formattedDate = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(timestamp); return Constant.messages.getString(MESSAGE_PREFIX + "extrainfo", evidence, formattedDate); @@ -230,14 +217,6 @@ public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 200; // CWE Id 200 - Information Exposure - } - - public int getWascId() { - return 13; // WASC Id - Info leakage - } - @Override public List getExampleAlerts() { return List.of( diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCharsetScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCharsetScanRule.java index 51e8531a6d8..034076b1d73 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCharsetScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCharsetScanRule.java @@ -119,7 +119,7 @@ private void checkMetaContentCharset( } // TODO: taken from CharsetMismatchScanner. Extract into helper method - private String getBodyContentCharset(String bodyContentType) { + private static String getBodyContentCharset(String bodyContentType) { // preconditions assert bodyContentType != null; 
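Review bot: In the `getBodyContentCharset` hunk the precondition `assert bodyContentType != null;` on the new side only runs when the JVM is started with `-ea`, so in a normal ZAP run a null content type is never rejected and reaches whatever parsing follows; the method body continues outside the hunk, so I cannot see how it would fail there. Now that the method is `static` and has no instance state, `Objects.requireNonNull(bodyContentType, "bodyContentType");` (from `java.util.Objects`) makes the contract hold in production, or an explicit `return null` guard if callers can legitimately pass null.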
@@ -176,7 +176,7 @@ private void checkContentTypeCharset(HttpMessage msg, int id, Set // TODO: these methods have been extracted from CharsetMismatchScanner // I think we should create helper methods for them - private boolean isResponseHTML(HttpMessage message, Source source) { + private static boolean isResponseHTML(HttpMessage message, Source source) { String contentType = message.getResponseHeader().getHeader(HttpHeader.CONTENT_TYPE); if (contentType == null) { return false; @@ -187,7 +187,7 @@ private boolean isResponseHTML(HttpMessage message, Source source) { || contentType.indexOf("application/xhtml") != -1; } - private boolean isResponseXML(Source source) { + private static boolean isResponseXML(Source source) { return source.isXML(); } @@ -195,10 +195,10 @@ private AlertBuilder buildAlert(String tag, String attr, HtmlParameter param, St return newAlert() .setRisk(Alert.RISK_INFO) .setConfidence(Alert.CONFIDENCE_LOW) - .setDescription(getDescriptionMessage()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setParam(param.getName()) .setOtherInfo(getExtraInfoMessage(tag, attr, param, charset)) - .setSolution(getSolutionMessage()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) .setCweId(20) // CWE-20: Improper Input Validation .setWascId(20); // WASC-20: Improper Input Handling } @@ -216,15 +216,6 @@ public Map getAlertTags() { /* * Rule-associated messages */ - - private String getDescriptionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolutionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - private static String getExtraInfoMessage( String tag, String attr, HtmlParameter param, String charset) { return Constant.messages.getString( 
diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCookieScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCookieScanRule.java index f351d641c23..14abffee17e 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCookieScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCookieScanRule.java @@ -99,7 +99,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { // Cookies are commonly URL encoded, maybe other encodings. // TODO: apply other decodings? htmlDecode, etc. - private String decodeCookie(String cookie, String charset) { + private static String decodeCookie(String cookie, String charset) { if (charset != null) { try { return URLDecoder.decode(cookie, charset); @@ -158,11 +158,11 @@ private AlertBuilder buildAlert(HttpMessage msg, HtmlParameter param, String coo return newAlert() .setRisk(Alert.RISK_INFO) .setConfidence(Alert.CONFIDENCE_LOW) - .setDescription(getDescriptionMessage()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setParam(param.getName()) .setOtherInfo(getExtraInfoMessage(msg, param, cookie)) - .setSolution(getSolutionMessage()) - .setReference(getReferenceMessage()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setCweId(565) // CWE-565: Reliance on Cookies without Validation and Integrity // Checking .setWascId(20); // WASC-20: Improper Input Handling 
@@ -178,23 +178,7 @@ public Map getAlertTags() { return ALERT_TAGS; } - /* - * Rule-associated messages - */ - - private String getDescriptionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolutionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReferenceMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - - private String getExtraInfoMessage(HttpMessage msg, HtmlParameter param, String cookie) { + private static String getExtraInfoMessage(HttpMessage msg, HtmlParameter param, String cookie) { String introMessage = ""; if ("GET".equalsIgnoreCase(msg.getRequestHeader().getMethod())) { introMessage = Constant.messages.getString(MESSAGE_PREFIX + "extrainfo.get"); diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledHTMLAttributesScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledHTMLAttributesScanRule.java index e9d9a2c52f5..dc3393500f8 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledHTMLAttributesScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledHTMLAttributesScanRule.java @@ -232,7 +232,7 @@ private void checkHtmlAttribute( // TODO: these methods have been extracted from CharsetMismatchScanner // I think we should create helper methods for them - private boolean isResponseHTML(HttpMessage message, Source source) { + private static boolean isResponseHTML(HttpMessage message, Source source) { String contentType = message.getResponseHeader().getHeader(HttpHeader.CONTENT_TYPE); if (contentType == null) { return false; 
@@ -252,13 +252,19 @@ private AlertBuilder buildAlert( return newAlert() .setRisk(Alert.RISK_INFO) .setConfidence(Alert.CONFIDENCE_LOW) - .setDescription(getDescriptionMessage()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setParam(param.getName()) .setOtherInfo( - getExtraInfoMessage( - url, htmlElement, htmlAttribute, param, userControlledValue)) - .setSolution(getSolutionMessage()) - .setReference(getReferenceMessage()) + Constant.messages.getString( + MESSAGE_PREFIX + "extrainfo", + url, + htmlElement, + htmlAttribute, + param.getName(), + param.getValue(), + userControlledValue)) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setCweId(20) // CWE-20: Improper Input Validation .setWascId(20); // WASC-20: Improper Input Handling } @@ -273,34 +279,6 @@ public Map getAlertTags() { return ALERT_TAGS; } - /* - * Rule-associated messages - */ - - private String getDescriptionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolutionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReferenceMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - - private String getExtraInfoMessage( - String url, String tag, String attr, HtmlParameter param, String userControlledValue) { - return Constant.messages.getString( - MESSAGE_PREFIX + "extrainfo", - url, - tag, - attr, - param.getName(), - param.getValue(), - userControlledValue); - } - @Override public List getExampleAlerts() { return List.of( diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledJavascriptEventScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledJavascriptEventScanRule.java index 957e0da14d5..8b53b35a881 100644 
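Review bot: Inlining the seven-argument `Constant.messages.getString(MESSAGE_PREFIX + "extrainfo", url, htmlElement, htmlAttribute, param.getName(), param.getValue(), userControlledValue)` into the builder chain makes `buildAlert` harder to scan than the helper it replaces, and it is inconsistent with UserControlledCharsetScanRule, UserControlledCookieScanRule and UserControlledOpenRedirectScanRule in this same commit, where `getExtraInfoMessage` was kept and made `private static` even though, as far as the hunks show, it is also called only from `buildAlert`. The same applies to the `extrainfo` call inlined in UserControlledJavascriptEventScanRule below. Keeping `private static String getExtraInfoMessage(...)` here, as done for those files, would leave the builder chain to one-key lookups only.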
--- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledJavascriptEventScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledJavascriptEventScanRule.java @@ -161,7 +161,7 @@ private void checkJavascriptEvent( // TODO: these methods have been extracted from CharsetMismatchScanner // I think we should create helper methods for them - private boolean isResponseHTML(HttpMessage message) { + private static boolean isResponseHTML(HttpMessage message) { String contentType = message.getResponseHeader().getHeader(HttpHeader.CONTENT_TYPE); if (contentType == null) { return false; @@ -177,11 +177,17 @@ private AlertBuilder buildAlert( return newAlert() .setRisk(Alert.RISK_INFO) .setConfidence(Alert.CONFIDENCE_LOW) - .setDescription(getDescriptionMessage()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setParam(param.getName()) - .setOtherInfo(getExtraInfoMessage(url, attribute, attributeValue, param)) - .setSolution(getSolutionMessage()) - .setReference(getReferenceMessage()) + .setOtherInfo( + Constant.messages.getString( + MESSAGE_PREFIX + "extrainfo", + url, + attribute, + attributeValue, + param.getValue())) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setCweId(20) // CWE-20: Improper Input Validation .setWascId(20); // WASC-20: Improper Input Handling } 
@@ -196,28 +202,6 @@ public Map getAlertTags() { return ALERT_TAGS; } - /* - * Rule-associated messages - */ - - private String getDescriptionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolutionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReferenceMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - - private String getExtraInfoMessage( - String url, String attribute, String attributeValue, HtmlParameter param) { - return Constant.messages.getString( - MESSAGE_PREFIX + "extrainfo", url, attribute, attributeValue, param.getValue()); - } - @Override public List getExampleAlerts() { return List.of( diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledOpenRedirectScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledOpenRedirectScanRule.java index 188c6d2f617..c8538fe23c3 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledOpenRedirectScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledOpenRedirectScanRule.java @@ -138,11 +138,11 @@ private AlertBuilder buildAlert( return newAlert() .setRisk(Alert.RISK_HIGH) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescriptionMessage()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setParam(paramName) .setOtherInfo(getExtraInfoMessage(msg, paramName, paramValue, responseLocation)) - .setSolution(getSolutionMessage()) - .setReference(getReferenceMessage()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setCweId(601) // CWE-601: URL Redirection to Untrusted Site ('Open Redirect') .setWascId(38); // WASC-38: URL Redirector Abuse } 
@@ -157,23 +157,7 @@ public Map getAlertTags() { return ALERT_TAGS; } - /* - * Rule-associated messages - */ - - private String getDescriptionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolutionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReferenceMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - - private String getExtraInfoMessage( + private static String getExtraInfoMessage( HttpMessage msg, String paramName, String paramValue, String responseLocation) { StringBuilder extraInfoSB = new StringBuilder(); if ("GET".equalsIgnoreCase(msg.getRequestHeader().getMethod())) { diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRule.java index b2bd614ff04..b40f119f6a2 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRule.java 
@@ -119,15 +119,17 @@ private void raiseAlert( private AlertBuilder buildAlert( String username, String evidence, String hashType, int id, HttpMessage msg) { return newAlert() - .setRisk(getRisk()) + .setRisk(Alert.RISK_INFO) .setConfidence(Alert.CONFIDENCE_HIGH) - .setDescription(getDescription(username)) - .setOtherInfo(getOtherinfo(hashType, evidence)) - .setSolution(getSolution()) - .setReference(getReference()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc", username)) + .setOtherInfo( + Constant.messages.getString( + MESSAGE_PREFIX + "otherinfo", hashType, evidence)) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(evidence) - .setCweId(getCweId()) - .setWascId(getWascId()); + .setCweId(284) // CWE-284: Improper Access Control + .setWascId(2); // WASC-02: Insufficient Authorization } @Override 
@@ -147,44 +149,16 @@ public int getPluginId() { return PLUGIN_ID; } - public int getRisk() { - return Alert.RISK_INFO; - } - @Override public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getDescription(String username) { - return Constant.messages.getString(MESSAGE_PREFIX + "desc", username); - } - - public String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - public String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - - private String getOtherinfo(String hashType, String hashValue) { - return Constant.messages.getString(MESSAGE_PREFIX + "otherinfo", hashType, hashValue); - } - @Override public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 284; // CWE-284: Improper Access Control - } - - public int getWascId() { - return 2; // WASC-02: Insufficient Authorization - } - public String match(String contents, Pattern pattern) { Matcher matcher = pattern.matcher(contents); if (matcher.find()) { diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ViewstateScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ViewstateScanRule.java index 2815457d6a4..837fb6b5541 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ViewstateScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ViewstateScanRule.java 
@@ -82,68 +82,64 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { if (v.isSplit()) alertSplitViewstate().raise(); } - private AlertBuilder alertViewstateAnalyzerResult(ViewstateAnalyzerResult var) { + private AlertBuilder baseAlert() { return newAlert() + .setCweId(642) // CWE-642: External Control of Critical State Data) + .setWascId(14); // WASC-14 - Server Misconfiguration + } + + private AlertBuilder alertViewstateAnalyzerResult(ViewstateAnalyzerResult var) { + return baseAlert() .setName(var.pattern.getAlertHeader()) .setRisk(Alert.RISK_MEDIUM) .setConfidence(Alert.CONFIDENCE_MEDIUM) .setDescription(var.pattern.getAlertDescription()) .setOtherInfo(var.getResultExtract().toString()) - .setSolution(getSolution()) - .setCweId(getCweId()) - .setWascId(getWascId()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) .setAlertRef(PLUGIN_ID + "-" + var.getAlertRef()); } private AlertBuilder alertOldAspVersion() { - return newAlert() + return baseAlert() .setName(Constant.messages.getString(MESSAGE_PREFIX + "oldver.name")) .setRisk(Alert.RISK_LOW) .setConfidence(Alert.CONFIDENCE_MEDIUM) .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "oldver.desc")) .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "oldver.soln")) - .setCweId(getCweId()) - .setWascId(getWascId()) .setAlertRef(PLUGIN_ID + "-3"); } // TODO: see if this alert triggers too often, as the detection rule is far from being robust // for the moment private AlertBuilder alertNoMACUnsure() { - return newAlert() + return baseAlert() .setName(Constant.messages.getString(MESSAGE_PREFIX + "nomac.unsure.name")) .setRisk(Alert.RISK_HIGH) .setConfidence(Alert.CONFIDENCE_LOW) .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "nomac.unsure.desc")) .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "nomac.unsure.soln")) .setReference(Constant.messages.getString(MESSAGE_PREFIX + "nomac.unsure.refs")) - .setCweId(getCweId()) - 
.setWascId(getWascId()) .setAlertRef(PLUGIN_ID + "-4"); } private AlertBuilder alertNoMACforSure() { - return newAlert() + return baseAlert() .setName(Constant.messages.getString(MESSAGE_PREFIX + "nomac.sure.name")) .setRisk(Alert.RISK_HIGH) .setConfidence(Alert.CONFIDENCE_MEDIUM) .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "nomac.sure.desc")) .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "nomac.sure.soln")) .setReference(Constant.messages.getString(MESSAGE_PREFIX + "nomac.sure.refs")) - .setCweId(getCweId()) - .setWascId(getWascId()) .setAlertRef(PLUGIN_ID + "-5"); } private AlertBuilder alertSplitViewstate() { - return newAlert() + return baseAlert() .setName(Constant.messages.getString(MESSAGE_PREFIX + "split.name")) .setRisk(Alert.RISK_INFO) .setConfidence(Alert.CONFIDENCE_LOW) .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "split.desc")) .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "split.soln")) - .setCweId(getCweId()) - .setWascId(getWascId()) .setAlertRef(PLUGIN_ID + "-6"); } @@ -185,24 +181,12 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 642; // CWE-642: External Control of Critical State Data - } - - public int getWascId() { - return 14; // WASC-14 - Server Misconfiguration - } - - private Map getHiddenFields(Source source) { + private static Map getHiddenFields(Source source) { List result = source.getAllStartTags("input"); // Searching for name only tags only makes sense for Asp.Net 1.1 websites diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XAspNetVersionScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XAspNetVersionScanRule.java index edd68463023..83e380f3457 100644 
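Review bot: The comment on the new `baseAlert()` helper, `// CWE-642: External Control of Critical State Data)`, carries a stray closing parenthesis; suggest `// CWE-642: External Control of Critical State Data`. Otherwise centralising the CWE/WASC ids in `baseAlert()` is a good move, since every alert builder in the hunk now shares them and the `getCweId()`/`getWascId()` calls are gone. The unbraced `if (v.isSplit()) alertSplitViewstate().raise();` at the top of the hunk is pre-existing; since the surrounding lines are being touched anyway, braces would be the conventional form.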
--- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XAspNetVersionScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XAspNetVersionScanRule.java @@ -65,15 +65,16 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { private AlertBuilder createAlert(String evidence) { return newAlert() - .setRisk(getRisk()) + .setRisk(Alert.RISK_LOW) .setConfidence(Alert.CONFIDENCE_HIGH) .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setOtherInfo(Constant.messages.getString(MESSAGE_PREFIX + "extrainfo")) .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(evidence) - .setCweId(getCweId()) - .setWascId(getWascId()); + .setCweId( + 933) // CWE-933: OWASP Top Ten 2013 Category A5 - Security Misconfiguration + .setWascId(14); // WASC-14: Server Misconfiguration); } @Override @@ -81,10 +82,6 @@ public int getPluginId() { return 10061; } - public int getRisk() { - return Alert.RISK_LOW; - } - @Override public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); @@ -95,14 +92,6 @@ public Map getAlertTags() { return ALERT_TAGS; } - public int getCweId() { - return 933; // CWE-933: OWASP Top Ten 2013 Category A5 - Security Misconfiguration - } - - public int getWascId() { - return 14; // WASC-14: Server Misconfiguration - } - @Override public List getExampleAlerts() { return List.of(createAlert("1/1.1").build()); diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRule.java index be9a905b5b2..2d33dc2b9cc 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRule.java 
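Review bot: The new comment `// WASC-14: Server Misconfiguration);` in `createAlert` ends with a stray `);` left over from the inlining, and the CWE comment is long enough that the formatter split the call into `.setCweId(` / `933)`, which is unusual for a plain literal. Shortening both, e.g. `.setCweId(933) // CWE-933: OWASP Top 10 2013 A5 - Security Misconfiguration` and `.setWascId(14); // WASC-14: Server Misconfiguration`, keeps each id on its call line. Separately, CWE-933 is a category entry rather than a weakness; the other header-disclosure rules on this page (XBackendServerInformationLeakScanRule, XChromeLoggerDataInfoLeakScanRule) use CWE-200, which is out of scope for a clean-up commit but worth a follow-up.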
+++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRule.java @@ -67,8 +67,8 @@ private AlertBuilder createAlert(String evidence) { return newAlert() .setRisk(Alert.RISK_LOW) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) - .setSolution(getSolution()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) .setEvidence(evidence) .setCweId(200) .setWascId(13); @@ -84,14 +84,6 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRule.java index fd4711a7bc5..558824ae5bc 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRule.java 
@@ -83,19 +83,7 @@ public String getName() {
 return Constant.messages.getString(MESSAGE_PREFIX + "name");
 }
 
- private String getDescription() {
- return Constant.messages.getString(MESSAGE_PREFIX + "desc");
- }
-
- private String getSolution() {
- return Constant.messages.getString(MESSAGE_PREFIX + "soln");
- }
-
- private String getReference() {
- return Constant.messages.getString(MESSAGE_PREFIX + "refs");
- }
-
- private String getOtherInfo(String headerValue) {
+ private static String getOtherInfo(String headerValue) {
 try {
 byte[] decodedByteArray = Base64.getDecoder().decode(headerValue);
 return Constant.messages.getString(MESSAGE_PREFIX + "otherinfo.msg")
@@ -117,10 +105,10 @@ private AlertBuilder createAlert(String xcldField) {
 return newAlert()
 .setRisk(Alert.RISK_MEDIUM)
 .setConfidence(Alert.CONFIDENCE_HIGH)
- .setDescription(getDescription())
+ .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc"))
 .setOtherInfo(getOtherInfo(xcldField))
- .setSolution(getSolution())
- .setReference(getReference())
+ .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln"))
+ .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs"))
 .setEvidence(xcldField)
 .setCweId(200)
 .setWascId(13);
diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XContentTypeOptionsScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XContentTypeOptionsScanRule.java
index 64a231b19a7..36c7c085309 100644
--- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XContentTypeOptionsScanRule.java
+++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XContentTypeOptionsScanRule.java
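Review bot: getOtherInfo is now static but still passes the raw, attacker-controlled header value straight to `Base64.getDecoder().decode(headerValue)`; that decoder throws IllegalArgumentException on input that is not valid Base64, and the catch paired with the `try` shown here lies outside the hunk, so confirm it handles that exception and not only the encoding/I/O cases, otherwise a malformed X-ChromeLogger-Data header would abort the scan of that response instead of producing an alert. Since the method only touches its argument, a one-line Javadoc such as `/** Builds the other-info text from the Base64-encoded header value; falls back when decoding fails. */` would document the contract the static conversion now makes explicit. The body of getOtherInfo continues past the end of the hunk.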
@@ -84,13 +84,13 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
 
 private AlertBuilder buildAlert(String xContentTypeOption) {
 return newAlert()
- .setRisk(getRisk())
+ .setRisk(Alert.RISK_LOW)
 .setConfidence(Alert.CONFIDENCE_MEDIUM)
- .setDescription(getDescription())
+ .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc"))
 .setParam(HttpHeader.X_CONTENT_TYPE_OPTIONS)
- .setOtherInfo(getOtherInfo())
- .setSolution(getSolution())
- .setReference(getReference())
+ .setOtherInfo(Constant.messages.getString(MESSAGE_PREFIX + "otherinfo"))
+ .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln"))
+ .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs"))
 .setEvidence(xContentTypeOption)
 .setCweId(getCweId())
 .setWascId(getWascId());
@@ -106,26 +106,6 @@ public int getPluginId() {
 return PLUGIN_ID;
 }
 
- public int getRisk() {
- return Alert.RISK_LOW;
- }
-
- public String getDescription() {
- return Constant.messages.getString(MESSAGE_PREFIX + "desc");
- }
-
- public String getOtherInfo() {
- return Constant.messages.getString(MESSAGE_PREFIX + "otherinfo");
- }
-
- public String getSolution() {
- return Constant.messages.getString(MESSAGE_PREFIX + "soln");
- }
-
- public String getReference() {
- return Constant.messages.getString(MESSAGE_PREFIX + "refs");
- }
-
 @Override
 public Map getAlertTags() {
 return ALERT_TAGS;
diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRule.java
index b09b7dbc543..665baf01bd2 100644
--- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRule.java
+++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRule.java
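Review bot: buildAlert still ends with `.setCweId(getCweId())` and `.setWascId(getWascId())` while the risk, description, other-info, solution and reference getters on the same chain were inlined, so this rule is left half-converted compared with XAspNetVersionScanRule and XPoweredByHeaderInfoLeakScanRule in the same patch, where the CWE/WASC getters were inlined and deleted as well. The same mixed state remains in buildAlert of XDebugTokenScanRule in the next file. If getCweId()/getWascId() here are public accessors like the ones removed below, either inline them the same way (`.setCweId(…) // CWE-…` with the literal the getter returns) or leave a comment saying why they are kept; their definitions are not visible in this hunk.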
@@ -70,12 +70,12 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
 
 private AlertBuilder buildAlert(String evidence) {
 return newAlert()
- .setRisk(getRisk())
+ .setRisk(Alert.RISK_LOW)
 .setConfidence(Alert.CONFIDENCE_HIGH)
- .setDescription(getDescription())
- .setOtherInfo(getOtherInfo())
- .setSolution(getSolution())
- .setReference(getReference())
+ .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc"))
+ .setOtherInfo(Constant.messages.getString(MESSAGE_PREFIX + "otherinfo"))
+ .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln"))
+ .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs"))
 .setEvidence(evidence)
 .setCweId(getCweId())
 .setWascId(getWascId());
@@ -88,7 +88,7 @@ private AlertBuilder buildAlert(String evidence) {
 * @param header the name of the header field being looked for
 * @return boolean status of existence
 */
- private boolean responseHasHeader(HttpMessage msg, String header) {
+ private static boolean responseHasHeader(HttpMessage msg, String header) {
 return !msg.getResponseHeader().getHeaderValues(header).isEmpty();
 }
 
@@ -99,7 +99,7 @@ private boolean responseHasHeader(HttpMessage msg, String header) {
 * @param header the name of the header field(s) to be collected
 * @return list of the matched headers
 */
- private List getHeaders(HttpMessage msg, String header) {
+ private static List getHeaders(HttpMessage msg, String header) {
 List matchedHeaders = new ArrayList<>();
 String headers = msg.getResponseHeader().toString();
 String[] headerElements = headers.split("\\r\\n");
@@ -119,31 +119,11 @@ public int getPluginId() {
 return PLUGIN_ID;
 }
 
- public int getRisk() {
- return Alert.RISK_LOW;
- }
-
 @Override
 public String getName() {
 return Constant.messages.getString(MESSAGE_PREFIX + "name");
 }
 
- public String getOtherInfo() {
- return Constant.messages.getString(MESSAGE_PREFIX + "otherinfo");
- }
-
- public String getDescription() {
- return Constant.messages.getString(MESSAGE_PREFIX + "desc");
- }
-
- public String getSolution() {
- return Constant.messages.getString(MESSAGE_PREFIX + "soln");
- }
-
- public String getReference() {
- return Constant.messages.getString(MESSAGE_PREFIX + "refs");
- }
-
 @Override
 public Map getAlertTags() {
 return ALERT_TAGS;
diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRule.java
index 983d2454934..885ccabdd2c 100644
--- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRule.java
+++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRule.java
@@ -69,7 +69,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
 * @param msg Response Http message
 * @return boolean status of existence
 */
- private boolean isXPoweredByHeaderExist(HttpMessage msg) {
+ private static boolean isXPoweredByHeaderExist(HttpMessage msg) {
 return !msg.getResponseHeader().getHeaderValues(HEADER_NAME).isEmpty();
 }
 
@@ -79,7 +79,7 @@ private boolean isXPoweredByHeaderExist(HttpMessage msg) {
 * @param msg Response Http message
 * @return list of the matched headers
 */
- private List getXPoweredByHeaders(HttpMessage msg) {
+ private static List getXPoweredByHeaders(HttpMessage msg) {
 List matchedHeaders = new ArrayList<>();
 String headers = msg.getResponseHeader().toString();
 String[] headerElements = headers.split("\\r\\n");
@@ -107,15 +107,15 @@ private AlertBuilder buildAlert(List xpbHeaders) {
 alertOtherInfo = sb.toString();
 }
 return newAlert()
- .setRisk(getRisk())
+ .setRisk(Alert.RISK_LOW)
 .setConfidence(Alert.CONFIDENCE_MEDIUM)
- .setDescription(getDescription())
+ .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc"))
 .setOtherInfo(alertOtherInfo)
- .setSolution(getSolution())
- .setReference(getReference())
+ .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln"))
+ .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs"))
 .setEvidence(alertEvidence)
- .setCweId(getCweId())
- .setWascId(getWascId());
+ .setCweId(200) // CWE Id 200 - Information Exposure
+ .setWascId(13); // WASC Id - Info leakage
 }
 
 @Override
@@ -123,40 +123,16 @@ public int getPluginId() {
 return PLUGIN_ID;
 }
 
- public int getRisk() {
- return Alert.RISK_LOW;
- }
-
 @Override
 public String getName() {
 return Constant.messages.getString(MESSAGE_PREFIX + "name");
 }
 
- public String getDescription() {
- return Constant.messages.getString(MESSAGE_PREFIX + "desc");
- }
-
- public String getSolution() {
- return Constant.messages.getString(MESSAGE_PREFIX + "soln");
- }
-
- public String getReference() {
- return Constant.messages.getString(MESSAGE_PREFIX + "refs");
- }
-
 @Override
 public Map getAlertTags() {
 return ALERT_TAGS;
 }
 
- public int getCweId() {
- return 200; // CWE Id 200 - Information Exposure
- }
-
- public int getWascId() {
- return 13; // WASC Id - Info leakage
- }
-
 @Override
 public List getExampleAlerts() {
 return List.of(buildAlert(List.of("X-Powered-By: PHP/5.4")).build());
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRuleUnitTest.java
index c1d0572d6e2..b0a6b7053e8 100644
--- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRuleUnitTest.java
+++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRuleUnitTest.java
@@ -51,12 +51,8 @@ protected AntiClickjackingScanRule createScanner() {
 @Test
 void shouldReturnExpectedMappings() {
 // Given / When
- int cwe = rule.getCweId();
- int wasc = rule.getWascId();
 Map tags = rule.getAlertTags();
 // Then
- assertThat(cwe, is(equalTo(1021)));
- assertThat(wasc, is(equalTo(15)));
 assertThat(tags.size(), is(equalTo(3)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()),
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ApplicationErrorScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ApplicationErrorScanRuleUnitTest.java
index ecffa8470ff..0d8b84ef881 100644
--- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ApplicationErrorScanRuleUnitTest.java
+++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ApplicationErrorScanRuleUnitTest.java
@@ -80,12 +80,8 @@ public void setUpZap() throws Exception {
 @Test
 void shouldReturnExpectedMappings() {
 // Given / When
- int cwe = rule.getCweId();
- int wasc = rule.getWascId();
 Map tags = rule.getAlertTags();
 // Then
- assertThat(cwe, is(equalTo(200)));
- assertThat(wasc, is(equalTo(13)));
 assertThat(tags.size(), is(equalTo(4)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()),
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRuleUnitTest.java
index e7dd549c311..bb554d403d4 100644
--- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRuleUnitTest.java
+++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRuleUnitTest.java
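Review bot: Dropping `assertThat(cwe, is(equalTo(1021)));` and `assertThat(wasc, is(equalTo(15)));` leaves the CWE/WASC identifiers of AntiClickjackingScanRule unasserted in this test, and the same two assertions are removed from every other shouldReturnExpectedMappings hunk in this patch (ApplicationError, ContentSecurityPolicy, ContentTypeMissing, CookieHttpOnly and the remaining rules). The identifiers still matter to consumers of the reports, and a typo while inlining the literals into the alert builder would now go unnoticed by these tests. Unless a shared base test already checks the example alerts, the expected values can be kept by reading them from the example alert the rule now builds, e.g. `Alert alert = rule.getExampleAlerts().get(0);` followed by `assertThat(alert.getCweId(), is(equalTo(1021)));` and `assertThat(alert.getWascId(), is(equalTo(15)));`, with the literals adjusted per rule.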
@@ -61,12 +61,8 @@ protected ContentSecurityPolicyScanRule createScanner() { @Test void shouldReturnExpectedMappings() { // Given / When - int cwe = rule.getCweId(); - int wasc = rule.getWascId(); Map tags = rule.getAlertTags(); // Then - assertThat(cwe, is(equalTo(693))); - assertThat(wasc, is(equalTo(15))); assertThat(tags.size(), is(equalTo(2))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()), @@ -653,15 +649,15 @@ void shouldAlertOnReasonableCspWhichIncludesPrefetchsrc() { is(equalTo("Warnings:\nThe prefetch-src directive has been deprecated\n"))); } - private HttpMessage createHttpMessageWithReasonableCsp(String cspHeaderName) { + private static HttpMessage createHttpMessageWithReasonableCsp(String cspHeaderName) { return createHttpMessage(cspHeaderName, REASONABLE_POLICY); } - private HttpMessage createHttpMessage(String cspPolicy) { + private static HttpMessage createHttpMessage(String cspPolicy) { return createHttpMessage(HttpFieldsNames.CONTENT_SECURITY_POLICY, cspPolicy); } - private HttpMessage createHttpMessage(String cspHeaderName, String cspPolicy) { + private static HttpMessage createHttpMessage(String cspHeaderName, String cspPolicy) { HttpMessage msg = new HttpMessage(); String header = @@ -689,7 +685,7 @@ private HttpMessage createHttpMessage(String cspHeaderName, String cspPolicy) { return msg; } - private HttpMessage createHttpMessage() { + private static HttpMessage createHttpMessage() { HttpMessage msg = new HttpMessage(); try { msg.setRequestHeader("GET https://www.example.com/test/ HTTP/1.1"); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentTypeMissingScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentTypeMissingScanRuleUnitTest.java index 48fb837d3d1..1e53f6825a0 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentTypeMissingScanRuleUnitTest.java 
+++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentTypeMissingScanRuleUnitTest.java @@ -40,7 +40,7 @@ protected ContentTypeMissingScanRule createScanner() { return new ContentTypeMissingScanRule(); } - private HttpMessage createMessage() throws HttpMalformedHeaderException { + private static HttpMessage createMessage() throws HttpMalformedHeaderException { HttpMessage msg = new HttpMessage(); msg.setRequestHeader("GET https://www.example.com/test/ HTTP/1.1"); @@ -60,12 +60,8 @@ private HttpMessage createMessage() throws HttpMalformedHeaderException { @Test void shouldReturnExpectedMappings() { // Given / When - int cwe = rule.getCweId(); - int wasc = rule.getWascId(); Map tags = rule.getAlertTags(); // Then - assertThat(cwe, is(equalTo(345))); - assertThat(wasc, is(equalTo(12))); assertThat(tags.size(), is(equalTo(2))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()), diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieHttpOnlyScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieHttpOnlyScanRuleUnitTest.java index 4325e4db5ad..0a2882decf6 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieHttpOnlyScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieHttpOnlyScanRuleUnitTest.java @@ -62,12 +62,8 @@ protected CookieHttpOnlyScanRule createScanner() { @Test void shouldReturnExpectedMappings() { // Given / When - int cwe = rule.getCweId(); - int wasc = rule.getWascId(); Map tags = rule.getAlertTags(); // Then - assertThat(cwe, is(equalTo(1004))); - assertThat(wasc, is(equalTo(13))); assertThat(tags.size(), is(equalTo(3))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()), 
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRuleUnitTest.java index d982fcd9d06..872ca0b3dcd 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRuleUnitTest.java @@ -62,7 +62,7 @@ protected CookieLooselyScopedScanRule createScanner() { return rule; } - private HttpMessage createBasicMessage() throws HttpMalformedHeaderException { + private static HttpMessage createBasicMessage() throws HttpMalformedHeaderException { HttpMessage msg = new HttpMessage(); msg.setResponseHeader("HTTP/1.1 200 OK\r\n" + "Server: Apache-Coyote/1.1\r\n"); @@ -72,12 +72,8 @@ private HttpMessage createBasicMessage() throws HttpMalformedHeaderException { @Test void shouldReturnExpectedMappings() { // Given / When - int cwe = rule.getCweId(); - int wasc = rule.getWascId(); Map tags = rule.getAlertTags(); // Then - assertThat(cwe, is(equalTo(565))); - assertThat(wasc, is(equalTo(15))); assertThat(tags.size(), is(equalTo(3))); assertAlertTags(tags); } diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieSameSiteScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieSameSiteScanRuleUnitTest.java index eb38a7ecec3..799222aa50a 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieSameSiteScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieSameSiteScanRuleUnitTest.java 
@@ -67,12 +67,8 @@ protected CookieSameSiteScanRule createScanner() {
 @Test
 void shouldReturnExpectedMappings() {
 // Given / When
- int cwe = rule.getCweId();
- int wasc = rule.getWascId();
 Map tags = rule.getAlertTags();
 // Then
- assertThat(cwe, is(equalTo(1275)));
- assertThat(wasc, is(equalTo(13)));
 assertThat(tags.size(), is(equalTo(3)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()),
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieSecureFlagScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieSecureFlagScanRuleUnitTest.java
index 4f797e47b5e..af59438bf00 100644
--- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieSecureFlagScanRuleUnitTest.java
+++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieSecureFlagScanRuleUnitTest.java
@@ -62,12 +62,8 @@ protected CookieSecureFlagScanRule createScanner() {
 @Test
 void shouldReturnExpectedMappings() {
 // Given / When
- int cwe = rule.getCweId();
- int wasc = rule.getWascId();
 Map tags = rule.getAlertTags();
 // Then
- assertThat(cwe, is(equalTo(614)));
- assertThat(wasc, is(equalTo(13)));
 assertThat(tags.size(), is(equalTo(3)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()),
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CrossDomainMisconfigurationScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CrossDomainMisconfigurationScanRuleUnitTest.java
index 1319b595e97..ca8c500438b 100644
--- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CrossDomainMisconfigurationScanRuleUnitTest.java
+++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CrossDomainMisconfigurationScanRuleUnitTest.java
@@ -47,12 +47,8 @@ protected CrossDomainMisconfigurationScanRule createScanner() {
 @Test
 void shouldReturnExpectedMappings() {
 // Given / When
- int cwe = rule.getCweId();
- int wasc = rule.getWascId();
 Map tags = rule.getAlertTags();
 // Then
- assertThat(cwe, is(equalTo(264)));
- assertThat(wasc, is(equalTo(14)));
 assertThat(tags.size(), is(equalTo(2)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()),
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CrossDomainScriptInclusionScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CrossDomainScriptInclusionScanRuleUnitTest.java
index 1093593f673..bbe76c0cf84 100644
--- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CrossDomainScriptInclusionScanRuleUnitTest.java
+++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CrossDomainScriptInclusionScanRuleUnitTest.java
@@ -71,12 +71,8 @@ protected CrossDomainScriptInclusionScanRule createScanner() {
 @Test
 void shouldReturnExpectedMappings() {
 // Given / When
- int cwe = rule.getCweId();
- int wasc = rule.getWascId();
 Map tags = rule.getAlertTags();
 // Then
- assertThat(cwe, is(equalTo(829)));
- assertThat(wasc, is(equalTo(15)));
 assertThat(tags.size(), is(equalTo(1)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A08_INTEGRITY_FAIL.getTag()),
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRuleUnitTest.java
index 90e9e5462c7..832b0aced33 100644
--- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRuleUnitTest.java
+++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRuleUnitTest.java
@@ -98,12 +98,8 @@ protected CsrfCountermeasuresScanRule createScanner() {
 @Test
 void shouldReturnExpectedMappings() {
 // Given / When
- int cwe = rule.getCweId();
- int wasc = rule.getWascId();
 Map tags = rule.getAlertTags();
 // Then
- assertThat(cwe, is(equalTo(352)));
- assertThat(wasc, is(equalTo(9)));
 assertThat(tags.size(), is(equalTo(3)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()),
@@ -461,7 +457,7 @@ void formWithoutAntiCsrfToken() {
 "
"); } - private HttpMessage createScopedMessage(boolean isInScope) throws URIException { + private static HttpMessage createScopedMessage(boolean isInScope) throws URIException { HttpMessage newMsg = new HttpMessage() { @Override diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRuleUnitTest.java index 3666a88d064..51af0ccd859 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRuleUnitTest.java @@ -37,7 +37,7 @@ class DirectoryBrowsingScanRuleUnitTest extends PassiveScannerTest { - private HttpMessage createMessage() throws URIException { + private static HttpMessage createMessage() throws URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); requestHeader.setURI(new URI("http://example.com", false)); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRuleUnitTest.java index a71e545a85f..9fd6459538d 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRuleUnitTest.java 
@@ -191,7 +191,7 @@ public void shouldHaveValidReferences() {
 super.shouldHaveValidReferences();
 }
 
- private HttpMessage createMsg(String hashVal) throws HttpMalformedHeaderException {
+ private static HttpMessage createMsg(String hashVal) throws HttpMalformedHeaderException {
 HttpMessage msg = new HttpMessage();
 msg.setRequestHeader("GET https://www.example.com/test/ HTTP/1.1");
 msg.setResponseHeader("HTTP/1.1 200 OK\r\n" + "Server: Apache-Coyote/1.1\r\n");
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRuleUnitTest.java
index aa4e512c29a..bcc09ae1998 100644
--- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRuleUnitTest.java
+++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRuleUnitTest.java
@@ -52,12 +52,8 @@ protected InfoPrivateAddressDisclosureScanRule createScanner() {
 @Test
 void shouldReturnExpectedMappings() {
 // Given / When
- int cwe = rule.getCweId();
- int wasc = rule.getWascId();
 Map tags = rule.getAlertTags();
 // Then
- assertThat(cwe, is(equalTo(200)));
- assertThat(wasc, is(equalTo(13)));
 assertThat(tags.size(), is(equalTo(2)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()),
@@ -420,11 +416,11 @@ private static void validateAlert(String requestUri, Alert alert) {
 assertThat(alert.getUri(), equalTo(requestUri));
 }
 
- private HttpMessage createHttpMessage(String body) throws HttpMalformedHeaderException {
+ private static HttpMessage createHttpMessage(String body) throws HttpMalformedHeaderException {
 return createHttpMessage(URI, body);
 }
 
- private HttpMessage createHttpMessage(String requestUri, String body)
+ private static HttpMessage createHttpMessage(String requestUri, String body)
 throws HttpMalformedHeaderException {
 HttpMessage msg = new HttpMessage();
 requestUri = requestUri.startsWith("http") ? requestUri : "http://" + requestUri;
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRuleUnitTest.java
index f7bf99d6a24..5a9a73f21d0 100644
--- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRuleUnitTest.java
+++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRuleUnitTest.java
@@ -78,12 +78,8 @@ protected HttpMessage createHttpMessageWithRespBody(String responseBody)
 @Test
 void shouldReturnExpectedMappings() {
 // Given / When
- int cwe = rule.getCweId();
- int wasc = rule.getWascId();
 Map tags = rule.getAlertTags();
 // Then
- assertThat(cwe, is(equalTo(200)));
- assertThat(wasc, is(equalTo(13)));
 assertThat(tags.size(), is(equalTo(3)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()),
@@ -483,7 +479,7 @@ void ignoreExposureToBookmark() throws HttpMalformedHeaderException, URIExceptio
 assertEquals(1, alertsRaised.size());
 }
 
- private void setUpHttpSessionsParam() {
+ private static void setUpHttpSessionsParam() {
 OptionsParam options = Model.getSingleton().getOptionsParam();
 options.load(new ZapXmlConfiguration());
 HttpSessionsParam httpSessions = new HttpSessionsParam();
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRuleUnitTest.java
index 9cf5e394bb3..82fb9754299 100644
--- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRuleUnitTest.java
+++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRuleUnitTest.java
@@ -92,12 +92,8 @@ protected HttpMessage createHttpMessageWithRespBody(String responseBody)
 @Test
 void shouldReturnExpectedMappings() {
 // Given / When
- int cwe = rule.getCweId();
- int wasc = rule.getWascId();
 Map tags = rule.getAlertTags();
 // Then
- assertThat(cwe, is(equalTo(200)));
- assertThat(wasc, is(equalTo(13)));
 assertThat(tags.size(), is(equalTo(3)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()),
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureInUrlScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureInUrlScanRuleUnitTest.java
index 35c935a15e9..29ec2d81dc8 100644
--- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureInUrlScanRuleUnitTest.java
+++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureInUrlScanRuleUnitTest.java
@@ -88,12 +88,8 @@ protected HttpMessage createHttpMessageWithRespBody(String testURI)
 @Test
 void shouldReturnExpectedMappings() {
 // Given / When
- int cwe = rule.getCweId();
- int wasc = rule.getWascId();
 Map tags = rule.getAlertTags();
 // Then
- assertThat(cwe, is(equalTo(200)));
- assertThat(wasc, is(equalTo(13)));
 assertThat(tags.size(), is(equalTo(2)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()),
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRuleUnitTest.java
index acdabe8ec1e..81ae09b1af0 100644
--- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRuleUnitTest.java
+++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRuleUnitTest.java
@@ -90,12 +90,8 @@ public void setUpZap() throws Exception {
 @Test
 void shouldReturnExpectedMappings() {
 // Given / When
- int cwe = rule.getCweId();
- int wasc = rule.getWascId();
 Map tags = rule.getAlertTags();
 // Then
- assertThat(cwe, is(equalTo(200)));
- assertThat(wasc, is(equalTo(13)));
 assertThat(tags.size(), is(equalTo(2)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()),
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureSuspiciousCommentsScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureSuspiciousCommentsScanRuleUnitTest.java
index 0173c809c4a..4cc5da35b10 100644
--- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureSuspiciousCommentsScanRuleUnitTest.java
+++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureSuspiciousCommentsScanRuleUnitTest.java
@@ -73,12 +73,8 @@ protected HttpMessage createHttpMessageWithRespBody(String responseBody, String
 @Test
 void shouldReturnExpectedMappings() {
 // Given / When
- int cwe = rule.getCweId();
- int wasc = rule.getWascId();
 Map tags = rule.getAlertTags();
 // Then
- assertThat(cwe, is(equalTo(200)));
- assertThat(wasc, is(equalTo(13)));
 assertThat(tags.size(), is(equalTo(3)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()),
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRuleUnitTest.java
index 66377f1efa7..57cd8e06e31 100644
--- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRuleUnitTest.java
+++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRuleUnitTest.java
@@ -59,12 +59,8 @@ protected InsecureAuthenticationScanRule createScanner() {
 @Test
 void shouldReturnExpectedMappings() {
 // Given / When
- int cwe = rule.getCweId();
- int wasc = rule.getWascId();
 Map tags = rule.getAlertTags();
 // Then
- assertThat(cwe, is(equalTo(326)));
- assertThat(wasc, is(equalTo(4)));
 assertThat(tags.size(), is(equalTo(5)));
 assertThat(
 tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()),
diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRuleUnitTest.java
index b01a4d3ee6a..74ee4f81b6a 100644
--- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRuleUnitTest.java
+++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRuleUnitTest.java
@@ -40,7 +40,7 @@ class InsecureFormLoadScanRuleUnitTest extends PassiveScannerTest { - private HttpMessage createMessage() throws URIException { + private static HttpMessage createMessage() throws URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); requestHeader.setURI(new URI("http://example.com", false)); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRuleUnitTest.java index 2015f5b042c..e161e9be743 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRuleUnitTest.java @@ -40,7 +40,7 @@ class InsecureFormPostScanRuleUnitTest extends PassiveScannerTest { - private HttpMessage createMessage() throws URIException { + private static HttpMessage createMessage() throws URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); requestHeader.setURI(new URI("https://example.com", false)); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRuleUnitTest.java index 971a44eda65..f991b4bab44 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRuleUnitTest.java 
@@ -265,7 +265,8 @@ private static byte[] gzipCompress(byte[] value) throws IOException { return output.toByteArray(); } - private void setTextHtmlResponseHeader(HttpMessage msg) throws HttpMalformedHeaderException { + private static void setTextHtmlResponseHeader(HttpMessage msg) + throws HttpMalformedHeaderException { msg.setResponseHeader( "HTTP/1.1 200 OK\r\n" + "Server: Apache-Coyote/1.1\r\n" diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRuleUnitTest.java index ae99a55752b..046b3afabb4 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRuleUnitTest.java @@ -71,7 +71,7 @@ protected LinkTargetScanRule createScanner() { return rule; } - private String getHeader(String contentType, int bodyLength) { + private static String getHeader(String contentType, int bodyLength) { return "HTTP/1.1 200 OK\r\n" + "Content-Type: " + contentType diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/MixedContentScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/MixedContentScanRuleUnitTest.java index 07b11643e61..f734c7e023a 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/MixedContentScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/MixedContentScanRuleUnitTest.java 
@@ -46,12 +46,8 @@ protected MixedContentScanRule createScanner() { @Test void shouldReturnExpectedMappings() { // Given / When - int cwe = rule.getCweId(); - int wasc = rule.getWascId(); Map tags = rule.getAlertTags(); // Then - assertThat(cwe, is(equalTo(311))); - assertThat(wasc, is(equalTo(4))); assertThat(tags.size(), is(equalTo(3))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()), diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/PiiScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/PiiScanRuleUnitTest.java index d6f6b523f97..d7fa17312a5 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/PiiScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/PiiScanRuleUnitTest.java @@ -484,7 +484,7 @@ public void shouldHaveValidReferences() { super.shouldHaveValidReferences(); } - private HttpMessage createMsg(String cardNumber) throws HttpMalformedHeaderException { + private static HttpMessage createMsg(String cardNumber) throws HttpMalformedHeaderException { HttpMessage msg = new HttpMessage(); msg.setRequestHeader("GET https://www.example.com/test/ HTTP/1.1"); msg.setResponseHeader( diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRuleUnitTest.java index b49f01c1192..918609b785b 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRuleUnitTest.java 
@@ -38,7 +38,7 @@ class RetrievedFromCacheScanRuleUnitTest extends PassiveScannerTest tags = rule.getAlertTags(); // Then - assertThat(cwe, is(equalTo(200))); - assertThat(wasc, is(equalTo(13))); assertThat(tags.size(), is(equalTo(2))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()), diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRuleUnitTest.java index ecf96cdb4a8..04f6fc0fcc8 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRuleUnitTest.java @@ -75,12 +75,8 @@ protected UsernameIdorScanRule createScanner() { @Test void shouldReturnExpectedMappings() { // Given / When - int cwe = rule.getCweId(); - int wasc = rule.getWascId(); Map tags = rule.getAlertTags(); // Then - assertThat(cwe, is(equalTo(284))); - assertThat(wasc, is(equalTo(2))); assertThat(tags.size(), is(equalTo(3))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()), diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ViewStateScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ViewStateScanRuleUnitTest.java index 942d16a666d..765aa84a578 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ViewStateScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ViewStateScanRuleUnitTest.java 
@@ -61,12 +61,8 @@ protected ViewstateScanRule createScanner() { @Test void shouldReturnExpectedMappings() { // Given / When - int cwe = rule.getCweId(); - int wasc = rule.getWascId(); Map tags = rule.getAlertTags(); // Then - assertThat(cwe, is(equalTo(642))); - assertThat(wasc, is(equalTo(14))); assertThat(tags.size(), is(equalTo(2))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A04_INSECURE_DESIGN.getTag()), @@ -253,7 +249,7 @@ void shouldRaiseAlertAsViewstateIsSplit() { * @param inject the string to inject * @return a base64 encoded string with the inject value injected at byte 40. */ - private String getViewstateWithText(String inject) { + private static String getViewstateWithText(String inject) { String base = "/wEPDwUJODczNjQ5OTk0D2QWAgIDD2QWAgIFDw8WAh4EVGV4dAUWSSBMb3ZlIERvdG5ldEN1cnJ5LmNvbWRkZMHbBY9JqBTvB5/6kXnY15AUSAwa"; byte[] decoded; diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XAspNetVersionScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XAspNetVersionScanRuleUnitTest.java index 34fe89993a0..501ea21f3f6 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XAspNetVersionScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XAspNetVersionScanRuleUnitTest.java @@ -42,12 +42,8 @@ protected XAspNetVersionScanRule createScanner() { @Test void shouldReturnExpectedMappings() { // Given / When - int cwe = rule.getCweId(); - int wasc = rule.getWascId(); Map tags = rule.getAlertTags(); // Then - assertThat(cwe, is(equalTo(933))); - assertThat(wasc, is(equalTo(14))); assertThat(tags.size(), is(equalTo(3))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()), 
@@ -127,7 +123,7 @@ public void shouldHaveValidReferences() { super.shouldHaveValidReferences(); } - private HttpMessage createMessage(String header) throws HttpMalformedHeaderException { + private static HttpMessage createMessage(String header) throws HttpMalformedHeaderException { HttpMessage msg = new HttpMessage(); msg.setRequestHeader("GET http://www.example.com/test/ HTTP/1.1"); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRuleUnitTest.java index b1333447b2a..a681a4e0567 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRuleUnitTest.java @@ -40,7 +40,7 @@ class XBackendServerInformationLeakScanRuleUnitTest private static final String XBS_HEADER = "X-Backend-Server"; private static final String HEADER_VALUE = "developer1.webapp.scl3.mozilla.com"; - private HttpMessage createMessage() throws URIException { + private static HttpMessage createMessage() throws URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); requestHeader.setURI(new URI("http://example.com", false)); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRuleUnitTest.java index ed80098e9ec..c9e9d370a33 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRuleUnitTest.java 
@@ -53,7 +53,7 @@ class XChromeLoggerDataInfoLeakScanRuleUnitTest + "ZWN1cml0eUNvbnRleHQgd2l0aCBhbiBhbm9ueW1vdXMgVG9rZW4iLCJ1bmtub" + "3duIiwiaW5mbyJdXSwicmVxdWVzdF91cmkiOiJcL2xvZ2luIn0="; - private HttpMessage createMessage() throws URIException { + private static HttpMessage createMessage() throws URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); requestHeader.setURI(new URI("http://example.com", false)); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRuleUnitTest.java index 61754af785b..02b75d6c877 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRuleUnitTest.java @@ -41,7 +41,7 @@ protected XDebugTokenScanRule createScanner() { return new XDebugTokenScanRule(); } - private HttpMessage createMessage() throws HttpMalformedHeaderException { + private static HttpMessage createMessage() throws HttpMalformedHeaderException { HttpMessage msg = new HttpMessage(); msg.setRequestHeader("GET https://www.example.com/test/ HTTP/1.1"); msg.setResponseHeader("HTTP/1.1 200 OK\r\n" + "Server: Apache-Coyote/1.1\r\n"); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRuleUnitTest.java index 096d12ec80b..b06478804ae 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRuleUnitTest.java 
@@ -46,12 +46,8 @@ protected XPoweredByHeaderInfoLeakScanRule createScanner() { @Test void shouldReturnExpectedMappings() { // Given / When - int cwe = rule.getCweId(); - int wasc = rule.getWascId(); Map tags = rule.getAlertTags(); // Then - assertThat(cwe, is(equalTo(200))); - assertThat(wasc, is(equalTo(13))); assertThat(tags.size(), is(equalTo(3))); assertThat( tags.containsKey(CommonAlertTag.OWASP_2021_A01_BROKEN_AC.getTag()), diff --git a/addOns/pscanrulesAlpha/CHANGELOG.md b/addOns/pscanrulesAlpha/CHANGELOG.md index c588a8f089a..0884e63149b 100644 --- a/addOns/pscanrulesAlpha/CHANGELOG.md +++ b/addOns/pscanrulesAlpha/CHANGELOG.md @@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## Unreleased - +### Changed +- Maintenance changes. ## [43] - 2024-09-02 ### Changed diff --git a/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/ExampleFilePassiveScanRule.java b/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/ExampleFilePassiveScanRule.java index 2156fb8090b..b933eef3791 100644 --- a/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/ExampleFilePassiveScanRule.java +++ b/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/ExampleFilePassiveScanRule.java 
@@ -74,10 +74,10 @@ private AlertBuilder createAlert(String evidence) { return newAlert() .setRisk(Alert.RISK_LOW) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) - .setOtherInfo(getOtherInfo()) - .setSolution(getSolution()) - .setReference(getReference()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) + .setOtherInfo(Constant.messages.getString(MESSAGE_PREFIX + "other")) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(evidence) .setWascId(13); } @@ -114,7 +114,7 @@ private String doesResponseContainString(HttpBody body) { return null; } - private List loadFile(String file) { + private static List loadFile(String file) { /* * ZAP will have already extracted the file from the add-on and put it underneath the 'ZAP home' directory */ @@ -161,20 +161,4 @@ public int getPluginId() { public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getOtherInfo() { - return Constant.messages.getString(MESSAGE_PREFIX + "other"); - } - - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } } diff --git a/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRule.java b/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRule.java index eb84d994601..8aae2333a89 100644 --- a/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRule.java +++ b/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRule.java 
@@ -82,27 +82,14 @@ public Map getAlertTags() { return ALERT_TAGS; } - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - private AlertBuilder buildAlert(String evidence) { return newAlert() .setConfidence(Alert.CONFIDENCE_LOW) .setRisk(Alert.RISK_LOW) .setEvidence(evidence) - .setDescription(getDescription()) - .setSolution(getSolution()) - .setReference(getReference()) - .setSolution(getSolution()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setWascId(13) // WASC-13 Information Leakage .setCweId(209); // CWE-209: Generation of Error Message Containing Sensitive // Information diff --git a/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FetchMetadataRequestHeadersScanRuleTest.java b/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FetchMetadataRequestHeadersScanRuleTest.java index aca648a79ec..1d28a8d70f5 100644 --- a/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FetchMetadataRequestHeadersScanRuleTest.java +++ b/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FetchMetadataRequestHeadersScanRuleTest.java @@ -229,7 +229,7 @@ protected FetchMetadataRequestHeadersScanRule createScanner() { return new FetchMetadataRequestHeadersScanRule(); } - private String generateRequestForMissingCase(String missingHeader) { + private static String generateRequestForMissingCase(String missingHeader) { switch (missingHeader) { case "Sec-Fetch-Site": return HTTP_METHOD + SFM_VALID_HEADER + SFD_VALID_HEADER + SFU_VALID_HEADER; 
@@ -248,7 +248,7 @@ private String generateRequestForMissingCase(String missingHeader) { } } - private String generateRequestForInvalidCase(String invalidHeader) { + private static String generateRequestForInvalidCase(String invalidHeader) { switch (invalidHeader) { case "Sec-Fetch-Site": return HTTP_METHOD diff --git a/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRuleUnitTest.java b/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRuleUnitTest.java index 6e356ccfc02..bbd244f6899 100644 --- a/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRuleUnitTest.java +++ b/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRuleUnitTest.java @@ -156,7 +156,7 @@ protected FullPathDisclosureScanRule createScanner() { return new FullPathDisclosureScanRule(); } - private HttpMessage createMessage(String body, Integer status) throws URIException { + private static HttpMessage createMessage(String body, Integer status) throws URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); requestHeader.setURI(new URI("http://example.com", false)); diff --git a/addOns/pscanrulesBeta/CHANGELOG.md b/addOns/pscanrulesBeta/CHANGELOG.md index 113aed971b4..e54a0baa5b7 100644 --- a/addOns/pscanrulesBeta/CHANGELOG.md +++ b/addOns/pscanrulesBeta/CHANGELOG.md @@ -7,6 +7,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ### Fixed - Fix typo in log message. +### Changed +- Maintenance changes. + ## [41] - 2024-09-02 ### Fixed - A possible false positive condition with the Dangerous JS Functions scan rule with substrings in certain circumstances (Issue 8553). 
diff --git a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java index dc357fb94df..10855532a8b 100644 --- a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java +++ b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java @@ -692,7 +692,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { } } - private Long extractAgeValue(String directiveToken, int tokenLength) { + private static Long extractAgeValue(String directiveToken, int tokenLength) { int commaLocation = directiveToken.indexOf(",", tokenLength); return Long.parseLong( directiveToken.substring( diff --git a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRule.java b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRule.java index 04e8b1b7ce7..bb19492d250 100644 --- a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRule.java +++ b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRule.java @@ -149,9 +149,9 @@ private AlertBuilder buildAlert(String evidence) { return newAlert() .setRisk(Alert.RISK_LOW) .setConfidence(Alert.CONFIDENCE_LOW) - .setDescription(getDescription()) - .setSolution(getSolution()) - .setReference(getReference()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(evidence) .setCweId(749); // CWE-749: Exposed Dangerous Method or Function } 
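Review bot: extractAgeValue hands a substring of what looks like a Cache-Control directive taken from the server's response straight to `Long.parseLong`, so a non-numeric or over-long value (a constructed example: `max-age=abc`) throws NumberFormatException out of the passive scan rule unless the caller, which is outside this hunk, catches it; the new static modifier does not change that. Since the return type is already the boxed `Long`, wrapping the parse in a try/catch that returns null on NumberFormatException, with the call site treating null as "no usable age", would keep one malformed response header from aborting the scan of that message. The method body continues past the end of the hunk, so the exact substring bounds are not visible here.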
@@ -192,18 +192,6 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - @Override public int getPluginId() { return PLUGIN_ID; diff --git a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsoScanRule.java b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsoScanRule.java index f37f0c45498..b819007d69e 100644 --- a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsoScanRule.java +++ b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsoScanRule.java @@ -125,7 +125,7 @@ private AlertBuilder createAlert(String evidence) { .setCweId(502); // CWE-502: Deserialization of Untrusted Data } - private boolean hasJsoMagicSequence(String value) { + private static boolean hasJsoMagicSequence(String value) { return hasJsoBase64MagicSequence(value) || hasUriEncodedMagicSequence(value); } diff --git a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRule.java b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRule.java index b35040a49f5..c9516270523 100644 --- a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRule.java +++ b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRule.java 
@@ -692,9 +692,12 @@ private AlertBuilder createAlert(String programmingLanguage, String evidence) { .setName(getName() + " - " + programmingLanguage) .setRisk(Alert.RISK_MEDIUM) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription() + " - " + programmingLanguage) - .setSolution(getSolution()) - .setReference(getReference()) + .setDescription( + Constant.messages.getString(MESSAGE_PREFIX + "desc") + + " - " + + programmingLanguage) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(evidence) .setCweId(540) // Information Exposure Through Source Code .setWascId(13); // WASC-13: Information Leakage @@ -714,16 +717,4 @@ public int getPluginId() { public Map getAlertTags() { return ALERT_TAGS; } - - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } } diff --git a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SubResourceIntegrityAttributeScanRule.java b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SubResourceIntegrityAttributeScanRule.java index 035502bb035..f9026b8193d 100644 --- a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SubResourceIntegrityAttributeScanRule.java +++ b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SubResourceIntegrityAttributeScanRule.java 
@@ -128,7 +128,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { } } - private String calculateIntegrityHash(HttpMessage msg, Element element, SiteMap tree) { + private static String calculateIntegrityHash(HttpMessage msg, Element element, SiteMap tree) { String src = element.getAttributeValue("src"); if (src == null) { return ""; @@ -155,7 +155,7 @@ private String calculateIntegrityHash(HttpMessage msg, Element element, SiteMap return integrityHash; } - private String getOtherInfo(HttpMessage msg, Element element, SiteMap tree) { + private static String getOtherInfo(HttpMessage msg, Element element, SiteMap tree) { String integrityHash = calculateIntegrityHash(msg, element, tree); if (integrityHash.isEmpty()) { return ""; diff --git a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRuleUnitTest.java b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRuleUnitTest.java index d17a37c8d39..870c7b2b969 100644 --- a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRuleUnitTest.java +++ b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRuleUnitTest.java @@ -45,7 +45,7 @@ */ class CacheableScanRuleUnitTest extends PassiveScannerTest { - private HttpMessage createMessage() throws URIException { + private static HttpMessage createMessage() throws URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); requestHeader.setMethod("GET"); requestHeader.setURI(new URI("https://example.com/fred/", false)); 
@@ -55,7 +55,7 @@ private HttpMessage createMessage() throws URIException { return msg; } - private HttpMessage createMessageBasicAuthorization() throws URIException { + private static HttpMessage createMessageBasicAuthorization() throws URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); requestHeader.setMethod("GET"); requestHeader.setURI(new URI("https://example.com/fred/", false)); diff --git a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/InPageBannerInfoLeakScanRuleUnitTest.java b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/InPageBannerInfoLeakScanRuleUnitTest.java index ef0daceea43..10de1d47bbc 100644 --- a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/InPageBannerInfoLeakScanRuleUnitTest.java +++ b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/InPageBannerInfoLeakScanRuleUnitTest.java @@ -40,7 +40,7 @@ class InPageBannerInfoLeakScanRuleUnitTest extends PassiveScannerTest { - private HttpMessage createMessage(String banner) throws URIException { + private static HttpMessage createMessage(String banner) throws URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); requestHeader.setURI(new URI("http://example.com", false)); diff --git a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRuleUnitTest.java b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRuleUnitTest.java index e308bb8f4e4..87d07769ca7 100644 --- a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRuleUnitTest.java +++ b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRuleUnitTest.java 
@@ -267,7 +267,8 @@ void shouldReturnExpectedExampleAlert() { assertThat(alert.getConfidence(), is(equalTo(Alert.CONFIDENCE_LOW))); } - private HttpMessage createHttpMessageWithRespBody(String responseBody, String contentType) + private static HttpMessage createHttpMessageWithRespBody( + String responseBody, String contentType) throws HttpMalformedHeaderException, URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); diff --git a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/ServletParameterPollutionScanRuleUnitTest.java b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/ServletParameterPollutionScanRuleUnitTest.java index 673bb59a749..29a17cc7c55 100644 --- a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/ServletParameterPollutionScanRuleUnitTest.java +++ b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/ServletParameterPollutionScanRuleUnitTest.java @@ -222,7 +222,8 @@ private void assertNumberOfAlertsRaised(int expected) { assertEquals(expected, alertsRaised.size()); } - private HttpMessage createHttpMessageFromHtml(String html) throws HttpMalformedHeaderException { + private static HttpMessage createHttpMessageFromHtml(String html) + throws HttpMalformedHeaderException { HttpMessage msg = new HttpMessage(); msg.setRequestHeader("GET " + URI + " HTTP/1.1"); msg.setResponseHeader("HTTP/1.1 200\r\n"); diff --git a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRuleUnitTest.java b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRuleUnitTest.java index abd47568f53..4f56dd483d5 100644 --- a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRuleUnitTest.java 
+++ b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRuleUnitTest.java @@ -243,11 +243,11 @@ void shouldHaveExpectedExamples() { assertThat(example.getName(), is(equalTo("Source Code Disclosure - PHP"))); } - private String wrapWithHTML(String code) { + private static String wrapWithHTML(String code) { return CODE_HTML + code + CODE_HTML; } - private void assertAlertAttributes(Alert alert, String evidence, final String language) { + private static void assertAlertAttributes(Alert alert, String evidence, final String language) { assertThat(alert.getRisk(), is(Alert.RISK_MEDIUM)); assertThat(alert.getConfidence(), is(Alert.CONFIDENCE_MEDIUM)); assertThat(alert.getName(), is(getLocalisedString("name") + " - " + language)); @@ -261,7 +261,7 @@ private void assertAlertAttributes(Alert alert, String evidence, final String la assertThat(alert.getWascId(), is(13)); } - private String getLocalisedString(String key, Object... params) { + private static String getLocalisedString(String key, Object... params) { return Constant.messages.getString("pscanbeta.sourcecodedisclosure." + key, params); } } From 141375be3ddc5090538e81245dfab5348032a839 Mon Sep 17 00:00:00 2001 From: kingthorin Date: Tue, 16 Jul 2024 13:25:28 -0400 Subject: [PATCH 2/2] ascanrulesAlpha: Add example alerts to example rules - CHANGELOG > Added change note. - Scan Rules > Added example alert handling, updated to conform to the common active scan rule tests. - Scan Rule Unit Tests > Added to assert the example alert and references, as well as common tests. 
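Review bot: assertAlertAttributes keeps `final` on only its last parameter while the signature is being rewritten anyway; either mark all three parameters final or drop the lone modifier, e.g. `private static void assertAlertAttributes(Alert alert, String evidence, String language) {`. In the same file, `wrapWithHTML` could follow the acronym-as-word naming used by the surrounding helpers (`createHttpMessageWithRespBody`, `HttpMessage`) as `wrapWithHtml`. Both points are style only; behaviour is unchanged.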
Signed-off-by: kingthorin --- .../ExampleFileActiveScanRule.java | 30 +++++++---- .../ExampleSimpleActiveScanRule.java | 23 ++++---- .../resources/help/contents/ascanalpha.html | 4 +- .../resources/Messages.properties | 2 + .../ExampleFileActiveScanRuleUnitTest.java | 53 +++++++++++++++++++ .../ExampleSimpleActiveScanRuleUnitTest.java | 53 +++++++++++++++++++ 6 files changed, 143 insertions(+), 22 deletions(-) create mode 100644 addOns/ascanrulesAlpha/src/test/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRuleUnitTest.java create mode 100644 addOns/ascanrulesAlpha/src/test/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleSimpleActiveScanRuleUnitTest.java diff --git a/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRule.java b/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRule.java index c15d6bc3a5a..66b168905a0 100644 --- a/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRule.java +++ b/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRule.java @@ -43,7 +43,8 @@ * * @author psiinon */ -public class ExampleFileActiveScanRule extends AbstractAppParamPlugin { +public class ExampleFileActiveScanRule extends AbstractAppParamPlugin + implements CommonActiveScanRuleInfo { /** Prefix for internationalized messages used by this rule */ private static final String MESSAGE_PREFIX = "ascanalpha.examplefile."; @@ -80,7 +81,7 @@ public String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - private String getOtherInfo() { + private static String getOtherInfo() { return Constant.messages.getString(MESSAGE_PREFIX + "other"); } 
@@ -155,14 +156,7 @@ public void scan(HttpMessage msg, String param, String value) { String evidence; if ((evidence = doesResponseContainString(msg.getResponseBody(), attack)) != null) { // Raise an alert - newAlert() - .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setParam(param) - .setAttack(attack) - .setOtherInfo(getOtherInfo()) - .setEvidence(evidence) - .setMessage(testMsg) - .raise(); + createAlert(param, attack, evidence).setMessage(testMsg).raise(); return; } } @@ -194,7 +188,16 @@ private String doesResponseContainString(HttpBody body, String str) { return null; } - private List loadFile(String file) { + private AlertBuilder createAlert(String param, String attack, String evidence) { + return newAlert() + .setConfidence(Alert.CONFIDENCE_MEDIUM) + .setParam(param) + .setAttack(attack) + .setOtherInfo(getOtherInfo()) + .setEvidence(evidence); + } + + private static List loadFile(String file) { /* * ZAP will have already extracted the file from the add-on and put it underneath the 'ZAP home' directory */ @@ -244,4 +247,9 @@ public int getWascId() { // The WASC ID return 0; } + + @Override + public List getExampleAlerts() { + return List.of(createAlert("foo", "