The following alpha quality active scan rules are included in this add-on:
Tests to see if the server is vulnerable to the Apache Range Header Denial of Service issue by requesting eleven (11) different byte ranges. Eleven ranges is one more than patched/fixed servers accept.
Tests cookies to detect whether some have no effect on the response size when omitted, paying particular attention to cookies whose name contains "session" or "userid".
Tests to see if the Error Logging Modules and Handlers (elmah.axd) HTTP Module is available. Although this module is handy for developers and other stakeholders, it can also leak a significant amount of information which a security analyst or malicious individual may be interested in.
The ELMAH scanner targets Microsoft-based technologies: IIS, Windows, ASP, and MSSQL.
This implements an example active scan rule that loads strings from a file that the user can edit. For more details see: http://zaproxy.blogspot.co.uk/2014/04/hacking-zap-4-active-scan-rules.html
This implements a very simple example active scan rule. For more details see: http://zaproxy.blogspot.co.uk/2014/04/hacking-zap-4-active-scan-rules.html
The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. In certain versions of Spring 3.0.5 and earlier, there was a vulnerability (CVE-2011-2730) in which Expression Language tags would be evaluated twice, which effectively exposed any application to EL injection. However, even for later versions, this weakness is still possible depending on configuration.
This active scanner checks whether an HTTP site is served under HTTPS.
This active scanner checks whether a site is using the HTTP Proxy header specified in the request. It sets up an HTTP proxy which listens on all interfaces on a randomly assigned free port. It then sends a series of requests to the target server with the HTTP Proxy header set to each of the available IP addresses and the port that it is listening on. If a request is received on the new port then the server is very likely to be vulnerable. IMPORTANT - the computer that ZAP is running on must accept incoming requests on arbitrary ports - if a firewall prevents incoming connections then this rule will not work.
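The behaviour this rule looks for arises when a server copies the client-supplied Proxy request header into the HTTP_PROXY environment variable that outbound HTTP libraries honour. The usual fix on the application side is to drop that variable before the application runs. The following WSGI middleware is an added example written for this page; it is not part of the ZAP add-on, and the environ dictionary, the proxy value and the helper names are constructed for illustration.

```python
"""Drop a client-controlled Proxy header before the application can act on it.

In CGI-style environments the request header "Proxy: ..." becomes the
environment variable HTTP_PROXY, which many HTTP client libraries read to
decide where to send outbound requests. Removing the key at the WSGI layer
prevents the application (and anything it calls) from ever seeing it.
"""


def strip_proxy_header(app):
    """WSGI middleware: remove HTTP_PROXY from the environ, then call the app."""

    def wrapped(environ, start_response):
        # Browsers never set a Proxy request header, so there is no
        # legitimate value to preserve; silently discard it.
        environ.pop("HTTP_PROXY", None)
        return app(environ, start_response)

    return wrapped


def request_carries_proxy_header(environ):
    """True when the raw request carried a Proxy header (worth logging)."""
    return "HTTP_PROXY" in environ


def proxy_value_seen_by_app(environ, protect=True):
    """Run a minimal app under (or without) the middleware and report which
    HTTP_PROXY value the application observed; None means it was removed."""
    seen = {}

    def app(env, start_response):
        seen["proxy"] = env.get("HTTP_PROXY")
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    handler = strip_proxy_header(app) if protect else app
    # A copy is passed so the caller's environ is not mutated by the test run.
    list(handler(dict(environ), lambda status, headers: None))
    return seen["proxy"]


# Constructed sample environ: a GET whose headers included "Proxy: http://198.51.100.7:8080".
# The address is a documentation-range placeholder, not a real host.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/",
    "SERVER_NAME": "example.test",
    "HTTP_HOST": "example.test",
    "HTTP_PROXY": "http://198.51.100.7:8080",
}

if __name__ == "__main__":
    print("header present on the wire:", request_carries_proxy_header(SAMPLE_ENVIRON))
    print("unprotected app sees:", proxy_value_seen_by_app(SAMPLE_ENVIRON, protect=False))
    print("protected app sees:", proxy_value_seen_by_app(SAMPLE_ENVIRON, protect=True))
```

Wrap the real application with strip_proxy_header at the point where the WSGI server is configured; logging the result of request_carries_proxy_header separately gives a cheap detection signal, since no ordinary client sends that header.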
This active scanner attempts to access content that was originally accessed via HTTPS (SSL/TLS) via HTTP.
LDAP Injection may be possible. It may be possible for an attacker to bypass authentication controls, and to view and modify arbitrary data in the LDAP directory.
This active scanner attempts to inject MSSQL-specific sleep commands into parameter values and analyzes the server's response time to see if the sleep is actually executed on the server (indicating a successful SQL injection attack).
Uses local file inclusion techniques to scan for files containing source code on the web server.
Uses Git source code repository metadata to scan for files containing source code on the web server.
Tests to see if Trace Viewer (trace.axd) is available. Although this component is convenient for developers and other stakeholders, it can leak a significant amount of information which a security analyst or malicious individual may be interested in.
The trace.axd scanner targets Microsoft-based technologies: IIS, Windows, ASP, and MSSQL.
This active scanner checks for differences in the response based on a fuzzed User-Agent (e.g. mobile sites, access as a search engine crawler). The scanner compares the response status code and the hash of the response body with those of the original response.
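Both the cookie slack rule above (omit one cookie at a time and see whether the response changes) and this User-Agent rule (vary one header and compare status code and body hash) rest on the same decision: do two responses differ in a way that matters? The example below is added for this page and is not the add-on's own code; it factors that comparison into one helper and runs both checks offline against a constructed stand-in server, so the cookie names, user-agent strings and response bodies are all made up for illustration.

```python
import hashlib

# Cookie-name fragments the cookie slack rule singles out as worth attention.
SENSITIVE_COOKIE_HINTS = ("session", "userid")


def response_signature(status, body):
    """Fields compared when deciding whether two responses differ:
    status code, SHA-256 of the body, and body length."""
    return (status, hashlib.sha256(body).hexdigest(), len(body))


def responses_differ(a, b):
    """a and b are (status, body) pairs."""
    return response_signature(*a) != response_signature(*b)


def find_slack_cookies(cookie_names, fetch):
    """Send the request once with every cookie, then once per cookie with that
    cookie omitted. fetch(cookies) -> (status, body). A cookie whose omission
    leaves the response unchanged is 'slack'; one with a sensitive-looking
    name that is slack deserves a closer look (it may be unnecessary)."""
    baseline = fetch(tuple(cookie_names))
    report = {}
    for name in cookie_names:
        without = fetch(tuple(c for c in cookie_names if c != name))
        report[name] = {
            "affects_response": responses_differ(baseline, without),
            "name_looks_sensitive": any(h in name.lower() for h in SENSITIVE_COOKIE_HINTS),
        }
    return report


def user_agents_with_different_response(original_ua, candidate_uas, fetch_with_ua):
    """Return the candidate User-Agent strings for which the server answered
    differently (by status code or body hash) than it did for original_ua."""
    baseline = fetch_with_ua(original_ua)
    return [ua for ua in candidate_uas if responses_differ(baseline, fetch_with_ua(ua))]


# --- Constructed stand-in for a target server (no network involved) ---------

def fake_fetch_with_cookies(cookies):
    """Only JSESSIONID matters to this fake application; 'userid' and 'theme'
    are accepted but ignored, which is exactly what the cookie rule flags."""
    if "JSESSIONID" in cookies:
        return 200, b"<html><body>Welcome back, alice</body></html>"
    return 302, b""


def fake_fetch_with_ua(user_agent):
    """This fake site serves a stripped-down page to one crawler string."""
    if "Googlebot" in user_agent:
        return 200, b"<html><body>crawler view</body></html>"
    return 200, b"<html><body>full site</body></html>"


SAMPLE_COOKIES = ("JSESSIONID", "userid", "theme")
ORIGINAL_UA = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"
CANDIDATE_UAS = (
    "Mozilla/5.0 (compatible; Googlebot/2.1)",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X)",
)

if __name__ == "__main__":
    for name, verdict in find_slack_cookies(SAMPLE_COOKIES, fake_fetch_with_cookies).items():
        print(name, verdict)
    print(user_agents_with_different_response(ORIGINAL_UA, CANDIDATE_UAS, fake_fetch_with_ua))
```

Against the stand-in, "userid" comes back as slack with a sensitive-looking name, "theme" as slack but harmless, and "JSESSIONID" as actually used; only the Googlebot string produces a different response. Comparing a hash rather than the full body keeps the comparison cheap, but note that any dynamic content (timestamps, CSRF tokens) will make every response look different, so in practice such markers must be stripped before hashing.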