Passive Scan rules - testing text responses other than HTML


psiinon

May 12, 2016, 8:21:13 AM
to OWASP ZAP Developer Group
Some of the passive scan rules just check text responses, which includes HTML, JavaScript, JSON and XML.
I'm wondering if some of them should only test HTML responses, either at the default (medium) or high threshold.
Some release quality examples:
  • Web Browser XSS Protection Not Enabled
  • X-Frame-Options Header Not Set
  • X-Content-Type-Options Header Missing

Also, the "Incomplete or No Cache-control and Pragma HTTP Header Set" rule explicitly ignores CSS files but doesn't ignore JavaScript ones, which seems a little bit strange?


So ... should any of these rules be changed to ignore non HTML responses, and if so at what threshold?


Cheers,


Simon

kingthorin+owaspzap

May 27, 2016, 3:55:15 PM
to OWASP ZAP Developer Group
For XFO and XSS Protection I think we're probably good to only consider HTML type responses, or actually maybe it would be better to say not JS and not CSS? Since being able to frame a JSON or XML component may provide a DoS mechanism... if a third party can frame a JSON or XML component whose generation is resource-intensive?

However, for XCTO I think we'd be concerned with the browser mime-sniffing the response (css, js, json, xml, whatever) away from the declared type.
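The two posts above describe a gating policy rather than code: header-presence rules should be skipped for some content types, and that skipping should depend on the scan threshold. The following is an added example, written for this thread and not taken from ZAP's passive scan rules, that models one possible version of that policy. The rule names are the ones quoted in the thread; the threshold semantics (LOW fires on every text response, MEDIUM and HIGH skip the listed families), the content-type families, and the "skip JavaScript and CSS, keep JSON and XML" choice for XFO and XSS Protection are assumptions taken from the second post. It also treats CSS and JavaScript alike for the cache-control rule, as the first post suggests, and reduces that rule to a simplified presence check.

```python
"""Illustrative gating of passive header checks by response content type.

Added example, not ZAP's own code. Rule table and threshold behaviour are
assumptions modelled on the discussion: X-Frame-Options and X-XSS-Protection
skip script and stylesheet responses at MEDIUM/HIGH, X-Content-Type-Options
applies to every text response because MIME sniffing can reinterpret any of
them, and the cache-control rule skips both CSS and JavaScript.
"""
from enum import Enum


class Threshold(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def content_family(content_type):
    """Map a Content-Type header value to a coarse family name (assumed taxonomy)."""
    if not content_type:
        return "unknown"
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime in ("text/html", "application/xhtml+xml"):
        return "html"
    if mime in ("text/javascript", "application/javascript", "application/x-javascript"):
        return "javascript"
    if mime == "text/css":
        return "css"
    if mime == "application/json" or mime.endswith("+json"):
        return "json"
    if mime in ("text/xml", "application/xml") or mime.endswith("+xml"):
        return "xml"
    if mime.startswith("text/"):
        return "text"
    return "other"


# Families on which the text-oriented rules run at all; binary bodies are skipped.
TEXT_FAMILIES = {"html", "javascript", "css", "json", "xml", "text"}

# Hypothetical rule table: (alert name, response header, families skipped at MEDIUM/HIGH).
RULES = [
    ("X-Frame-Options Header Not Set", "x-frame-options", {"javascript", "css"}),
    ("Web Browser XSS Protection Not Enabled", "x-xss-protection", {"javascript", "css"}),
    ("X-Content-Type-Options Header Missing", "x-content-type-options", set()),
    ("Incomplete or No Cache-control and Pragma HTTP Header Set", "cache-control", {"javascript", "css"}),
]


def missing_header_alerts(headers, threshold=Threshold.MEDIUM):
    """Return the alert names that would fire for one response's headers.

    `headers` is a plain dict of response header name -> value (constructed input).
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    family = content_family(lowered.get("content-type"))
    if family not in TEXT_FAMILIES:
        return []

    alerts = []
    for alert, header, skipped in RULES:
        if threshold is not Threshold.LOW and family in skipped:
            continue
        value = lowered.get(header)
        if value is None:
            alerts.append(alert)
        elif header == "x-xss-protection" and value.strip().startswith("0"):
            # Header present but the filter is explicitly disabled.
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    # Constructed sample responses, one per family the thread discusses.
    samples = {
        "html": {"Content-Type": "text/html; charset=utf-8"},
        "script": {"Content-Type": "application/javascript"},
        "json": {"Content-Type": "application/json"},
        "image": {"Content-Type": "image/png"},
    }
    for label, hdrs in samples.items():
        for thr in Threshold:
            print(label, thr.name, missing_header_alerts(hdrs, thr))
```

Running it shows the asymmetry the second post argues for: a bare JavaScript response at MEDIUM raises only the X-Content-Type-Options alert, while a bare JSON response still raises the framing and XSS-filter alerts because it was deliberately not added to the skip sets. Dropping to LOW makes every text response raise all four, which is the natural place to keep the noisier behaviour if the rule is changed.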

