The following alpha quality active scan rules are included in this add-on:
Checks for web accessible .htaccess files which may leak sensitive information (such as usernames, error handling, redirects, directory listing settings, etc).
This implements an example active scan rule that loads strings from a file that the user can edit. For more details see: Hacking ZAP Part 4: Active Scan Rules.
Tests to see if the server is vulnerable to the Apache Range Header Denial of Service issue, by requesting eleven (11) different byte ranges. Eleven ranges is one more than is accepted by patched/fixed servers.
Tests cookies to detect whether omitting any of them has no effect on the response size, paying particular attention to cookies whose name contains "session" or "userid".
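The slack-cookie check described above, written as an added example (not ZAP's own code) against a constructed stand-in for the target so it runs offline; `fake_server`, `SENSITIVE_HINTS` and the cookie values are all assumptions made for the example.

```python
from http.cookies import SimpleCookie
from typing import Callable, Dict, List

# Name fragments the rule treats as especially interesting when the cookie turns out to be slack.
SENSITIVE_HINTS = ("session", "userid")


def fake_server(cookies: Dict[str, str]) -> str:
    """Constructed stand-in for the target: only 'theme' and 'auth' change the page.
    'JSESSIONID' and 'userid' are sent by the client but never consulted."""
    body = "<html><body>welcome"
    if cookies.get("theme") == "dark":
        body += "<style>body{background:#000}</style>"
    if cookies.get("auth") == "ok":
        body += ' <a href="/logout">logout</a>'
    return body + "</body></html>"


def find_slack_cookies(cookie_header: str,
                       send: Callable[[Dict[str, str]], str]) -> Dict[str, List[str]]:
    """Omit each cookie in turn; a cookie is 'slack' when the response size does not change.
    Only the size is compared, as in the rule, so a cookie that changes content without
    changing its length is not reported."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    cookies = {name: morsel.value for name, morsel in jar.items()}
    baseline_len = len(send(cookies))
    slack, sensitive = [], []
    for name in cookies:
        trimmed = {k: v for k, v in cookies.items() if k != name}
        if len(send(trimmed)) == baseline_len:
            slack.append(name)
            if any(hint in name.lower() for hint in SENSITIVE_HINTS):
                sensitive.append(name)
    return {"slack": slack, "sensitive_slack": sensitive}


if __name__ == "__main__":
    header = "theme=dark; JSESSIONID=abc123; userid=42; auth=ok"  # constructed request cookies
    print(find_slack_cookies(header, fake_server))
```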
Tests to see if the Error Logging Modules and Handlers (elmah.axd) HTTP Module is available. Although this module is handy for developers and other stakeholders it can also leak a significant amount of information which a security analyst or malicious individual may be interested in.
The ELMAH scanner targets Microsoft-based technologies: IIS, Windows, ASP, and MSSQL.
Checks for web accessible .env files which may leak sensitive information (such as usernames, passwords, API or APP keys, etc).
This implements a very simple example active scan rule. For more details see: Hacking ZAP Part 4: Active Scan Rules.
This scanner takes application/x-www-form-urlencoded POST requests, moves the parameters from the POST body into the GET query string and resubmits the request. If the GET response is the same as the original POST response then an alert is raised. While this is not necessarily a security weakness in itself, it may indicate that other attacks or weaknesses can be expanded or simplified (for example, a POST-based Cross-Site Scripting (XSS) attack being changed to GET).
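The POST-to-GET resubmission described above, as an added example that is not ZAP's code; `fake_app` is a constructed stand-in for the target in which `/search` answers both methods identically while `/transfer` accepts only POST.

```python
from typing import Callable, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

Response = Tuple[int, str]  # (status code, body)


def post_to_get(url: str, body: str) -> str:
    """Move an application/x-www-form-urlencoded body into the query string,
    keeping any parameters the original URL already carried."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), parts.fragment))


def fake_app(method: str, url: str, body: str = "") -> Response:
    """Constructed target: /search is method-agnostic, /transfer insists on POST."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query if method == "GET" else body))
    if parts.path == "/search":
        return 200, "results for %s" % params.get("q", "")
    if parts.path == "/transfer":
        if method != "POST":
            return 405, "method not allowed"
        return 200, "sent %s to %s" % (params.get("amount"), params.get("to"))
    return 404, "not found"


def get_for_post_check(url: str, body: str,
                       send: Callable[..., Response]) -> dict:
    """Raise an alert when the GET resubmission returns exactly the POST response."""
    original = send("POST", url, body)
    get_url = post_to_get(url, body)
    resubmitted = send("GET", get_url)
    return {"get_url": get_url, "alert": original == resubmitted}


if __name__ == "__main__":
    print(get_for_post_check("http://app.example.test/search", "q=zap", fake_app))
    print(get_for_post_check("http://app.example.test/transfer", "to=bob&amount=5", fake_app))
```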
This active scanner checks whether an HTTP site is served under HTTPS.
This active scanner checks whether a site is using the HTTP Proxy header specified in the request. It sets up an HTTP proxy which listens to all interfaces on a randomly assigned free port. It then sends a series of requests to the target server with the HTTP Proxy header set to each of the available IP addresses and the port that it is listening on. If a request is received on the new port then the server is very likely to be vulnerable. IMPORTANT - the computer that ZAP is running on must accept incoming requests on arbitrary ports - if a firewall prevents incoming connections then this rule will not work.
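The server-side behaviour this rule detects, and its mitigation, as an added example that is not ZAP's code: in CGI-style environments an incoming "Proxy:" request header becomes the `HTTP_PROXY` environment variable, which many outbound HTTP clients honour. `app`, `outbound_proxy_for`, the WSGI middleware and the environ values are all constructed for the example.

```python
from typing import Callable, Dict, Tuple


def outbound_proxy_for(environ: Dict[str, str]):
    """Constructed stand-in for an HTTP client that reads HTTP_PROXY from the
    process environment (which, under CGI, is the request environ)."""
    return environ.get("HTTP_PROXY")  # None means no proxy would be used


def app(environ, start_response):
    """Application that makes an outbound call; if HTTP_PROXY was set from the
    request, that call would be routed through a host chosen by the requester."""
    proxy = outbound_proxy_for(environ)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("proxy=%s" % proxy).encode()]


def strip_proxy_header(application: Callable) -> Callable:
    """WSGI middleware: drop the request-controlled HTTP_PROXY before the app runs."""
    def wrapped(environ, start_response):
        environ.pop("HTTP_PROXY", None)
        return application(environ, start_response)
    return wrapped


def make_environ(with_proxy_header: bool) -> Dict[str, str]:
    env = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "HTTP_HOST": "app.example.test"}
    if with_proxy_header:
        # Constructed value: what "Proxy: 198.51.100.7:8080" becomes in a CGI environ.
        env["HTTP_PROXY"] = "198.51.100.7:8080"
    return env


def run(application: Callable, environ: Dict[str, str]) -> Tuple[str, str]:
    """Minimal WSGI driver returning (status, body)."""
    status = {}

    def start_response(s, headers):
        status["s"] = s

    body = b"".join(application(environ, start_response))
    return status["s"], body.decode()


if __name__ == "__main__":
    print(run(app, make_environ(True)))                      # unmitigated
    print(run(strip_proxy_header(app), make_environ(True)))  # mitigated
```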
This active scanner attempts to access content that was originally accessed via HTTPS (SSL/TLS) via HTTP.
LDAP Injection may be possible. It may be possible for an attacker to bypass authentication controls, and to view and modify arbitrary data in the LDAP directory.
Attempts to detect and fingerprint proxy server(s). This information helps a potential attacker to determine:
- A list of targets for an attack against the application.
- Potential vulnerabilities on the proxy servers that service the application.
- The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated.
Tests if the web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. This matters when resources (CSS, images, etc.) are referenced in the response using relative, rather than absolute, URLs. In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability.
Uses local file inclusion techniques to scan for files containing source code on the web server.
Uses Git source code repository metadata to scan for files containing source code on the web server.
This active scanner attempts to inject MsSQL specific sleep commands into parameter values and analyzes the server's response time to see if the sleep is effectively executed on the server (indicating a successful SQL injection attack).
This active scanner attempts to inject SQLite specific commands into parameter values and analyzes the server's responses to see if the commands were effectively executed on the server (indicating a successful SQL injection attack).
Tests to see if Trace Viewer (trace.axd) is available. Although this component is convenient for developers and other stakeholders it can leak a significant amount of information which a security analyst or malicious individual may be interested in.
The trace.axd scanner targets Microsoft-based technologies: IIS, Windows, ASP, and MSSQL.
This active scanner checks for differences in response based on fuzzed User-Agent values (e.g. mobile sites, access as a search engine crawler). The scanner compares the response status code and a hash of the response body with those of the original response.