Skip to content

ascanrules: SQLi: add checking for redirection after form input #3284

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

ascanrules: SQLi: add checking for redirection after form input #3284

wants to merge 1 commit into from

Conversation

@koneko096
Copy link

@koneko096 koneko096 commented Oct 29, 2021
edited
Loading

In case of redirection after form input, the body may be empty and content comparison won't work. By adding new checking for location header, we may catch potential vulnerability after boolean or arithmetic expression.

Fixes: #6883

@thc202
Copy link
Member

thc202 commented Oct 29, 2021

ideally the changes should be accompanied with a test(s) that verifies them.

IMO it would be better apply the header check to all injections not just OR, this also applies to any redirection (likely in any form) not just logins.

thc202
thc202 reviewed Oct 29, 2021
View reviewed changes
@kingthorin
Copy link
Member

@koneko096 are you going to address the earlier feedback?

@koneko096
Copy link
Author

Sure @kingthorin, will continue again this week

@kingthorin
Copy link
Member

@koneko096 do you plan to finish this?

@koneko096 koneko096 force-pushed the sqli-by-redirection branch from decc869 to 89c1c33 Compare April 16, 2022 14:07
@koneko096 koneko096 force-pushed the sqli-by-redirection branch from 89c1c33 to e42cb43 Compare April 16, 2022 15:18
@koneko096 koneko096 changed the title ascanrules: SQLi: add checking for redirection after login ascanrules: SQLi: add checking for redirection after form input Apr 16, 2022
@koneko096 koneko096 force-pushed the sqli-by-redirection branch 2 times, most recently from cc93987 to 81877de Compare April 16, 2022 22:55
@koneko096
Copy link
Author

Hi @kingthorin, I had updated following earlier feedbacks. Please help to review. Thank you

kingthorin
kingthorin reviewed Apr 30, 2022
View reviewed changes
@kingthorin kingthorin added the waiting-for:author This issue or PR is currently waiting for input or changes from the original submitter label May 5, 2022
@koneko096 koneko096 force-pushed the sqli-by-redirection branch 2 times, most recently from aedf34a to d2a26e3 Compare May 7, 2022 16:10
kingthorin
kingthorin approved these changes Dec 27, 2022
View reviewed changes
Copy link
Member

@kingthorin kingthorin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Haven’t tested against anything else but seems okay to me.

@koneko096 koneko096 requested a review from thc202 January 3, 2023 04:58
@kingthorin kingthorin removed the waiting-for:author This issue or PR is currently waiting for input or changes from the original submitter label Mar 22, 2023
@koneko096 koneko096 force-pushed the sqli-by-redirection branch 2 times, most recently from 2b96865 to 5fc820f Compare January 15, 2024 17:21
@koneko096
Add checking for location header
9dc141d 
In case of redirection after authentication, the body may be empty and content comparison won't work. By adding new checking for location header, we may catch potential vulnerability especially in case of OR true injection.

Signed-off-by: koneko096 <[email protected]>
@koneko096 koneko096 force-pushed the sqli-by-redirection branch from 5fc820f to 9dc141d Compare January 15, 2024 17:22
@koneko096
Copy link
Author

hey guys @kingthorin @thc202 any follow up on this MR?

kingthorin
kingthorin reviewed Apr 9, 2024
View reviewed changes
Copy link
Member

@kingthorin kingthorin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems okay overall to me. It should be rebased to pickup the latest base branch changes.

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRule.java
Comment on lines +1959 to +1960
String confirmExpressionLocationHeader =
msg.getResponseHeader().getHeader(HttpHeader.LOCATION);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could extract a convenience method for this accepting HttpMessage and returning String.

Then leverage it throughout.

...anrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRuleUnitTest.java
Comment on lines +248 to +254
protected Response getResponse(String value) {
Response response =
newFixedLengthResponse(
Response.Status.REDIRECT, NanoHTTPD.MIME_HTML, "");
response.addHeader("Location", "http://somewhere");
return response;
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could extract to a convenience method to avoid duplication.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kingthorin kingthorin kingthorin approved these changes

@thc202 thc202 Awaiting requested review from thc202

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

ZAP does not detect SQL Injection in demo.testfire.net login page

3 participants

@koneko096 @thc202 @kingthorin