Modifying the Buffer Overflow rule in ZAP


Christopher Kalaani

Dec 2, 2022, 1:51:49 PM
to OWASP ZAP Developer Group
I'm planning on modifying the Buffer Overflow rule in ZAP using the Boyer Moore algorithm and running it as a custom script. The goal here is that the modified rule might find buffer overflow vulnerabilities faster.

For starters, I want to just ask how exactly running a script like this would work. Since there is already a rule in place for finding buffer overflow vulnerabilities, would the two run simultaneously? Is there a way I can run this script without the pre-existing buffer overflow rule interfering with the scan results?

kingthorin+owaspzap

Dec 2, 2022, 3:15:49 PM
to OWASP ZAP Developer Group
Active Scan Scripts are separate items within the Active Scan Policy. So you can disable everything but your scripted rule(s).
When running an active scan it's multi-threaded, so there's a small chance that they might run at the same time, but unlikely.

Doing any kind of string search/comparison can be really slow, you might want to look at ComparableResponse, if speed is the goal. Though I'll admit I haven't gone to look at how the current rule works (so forgive me if I'm off base).

Christopher Kalaani

Dec 8, 2022, 1:32:13 PM
to zaproxy...@googlegroups.com
Thank you for the response.

Can you please explain what that add on does?


kingthorin+owaspzap

Dec 8, 2022, 1:52:11 PM
to OWASP ZAP Developer Group
commonlib is an add-on that contains shared functionality used by a number of add-ons maintained by the ZAP team.
ComparableResponse (the code was linked before) is just an efficient mechanism to compare various response elements vs. doing costly string processes/regex'ing/comparison.

Christopher Kalaani

Dec 8, 2022, 1:56:43 PM
to zaproxy...@googlegroups.com
So if I wanted to find a certain vulnerability faster, are you suggesting that it would be better to implement that add-on as opposed to modifying one of the rules with the Boyer Moore algorithm?

kingthorin+owaspzap

Dec 12, 2022, 11:53:35 AM
to OWASP ZAP Developer Group
I don't necessarily want to sway you away from your idea, I was just suggesting it as an option.

There's also a DiceMatcher available, which was added to replace (or provide an alternative to) Hirschberg which had terrible performance.
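The DiceMatcher mentioned above scores how similar two strings are rather than testing them for equality. The following is an added example, not ZAP's own DiceMatcher or commonlib code: a Sorensen-Dice similarity over character bigrams in JavaScript, with constructed sample responses. It is an assumption that ZAP's matcher uses the same bigram formulation; the function and constant names are invented for this illustration.

```javascript
// Added example, not ZAP code: Sorensen-Dice similarity over character bigrams.
// Assumption: this is the same measure ZAP's commonlib DiceMatcher exposes.

// Multiset of character bigrams in s, as bigram -> count.
function bigramCounts(s) {
  const counts = new Map();
  for (let i = 0; i + 1 < s.length; i++) {
    const bg = s.slice(i, i + 2);
    counts.set(bg, (counts.get(bg) || 0) + 1);
  }
  return counts;
}

// 2 * |A intersect B| / (|A| + |B|) over the bigram multisets.
// 1.0 means identical bigram content, 0.0 means no bigram in common.
function diceSimilarity(a, b) {
  if (a === b) return 1;
  const ca = bigramCounts(a);
  const cb = bigramCounts(b);
  let sizeA = 0;
  let sizeB = 0;
  let shared = 0;
  for (const v of ca.values()) sizeA += v;
  for (const v of cb.values()) sizeB += v;
  for (const [bg, v] of ca) {
    if (cb.has(bg)) shared += Math.min(v, cb.get(bg));
  }
  if (sizeA + sizeB === 0) return 0;
  return (2 * shared) / (sizeA + sizeB);
}

// Constructed sample responses (not captured from any real server): a baseline,
// the same page with a different timestamp, and an unrelated error page.
const BASELINE = '<html><body><h1>Welcome</h1><p>Generated at 12:00:01</p></body></html>';
const SAME_PAGE_LATER = '<html><body><h1>Welcome</h1><p>Generated at 12:00:02</p></body></html>';
const ERROR_PAGE = '<html><body><h1>500 Internal Server Error</h1></body></html>';

// Treat two responses as "the same page" when their similarity clears a
// threshold, so volatile tokens (timestamps, nonces) do not register as changes.
function isSamePage(a, b, threshold = 0.9) {
  return diceSimilarity(a, b) >= threshold;
}
```

Bigram counting and the intersection are both linear in the input length, which is why a measure like this is cheap compared with an edit-distance computation such as Hirschberg's algorithm, whose running time is proportional to the product of the two lengths. The threshold is the tunable part: a scan rule that compares a baseline response against a probed one picks it to balance missed differences against noise from dynamic content.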

Christopher Kalaani

Dec 12, 2022, 1:04:17 PM
to zaproxy...@googlegroups.com
I see, thank you for the feedback. The modification of the rule is for the purposes of my Thesis, which is why I'm investigating that in particular.

With that being said, I want to just ask if you or anyone on the ZAP development team is familiar with the Boyer Moore algorithm, and could possibly provide direction on how I could go about modifying the buffer overflow rule with it. Any kind of help with tackling this would be greatly appreciated, honestly.

kingthorin+owaspzap

Dec 12, 2022, 2:51:33 PM
to OWASP ZAP Developer Group
To be honest I assumed you'd already done some research on the pieces. You seem to have honed in on the Buffer Overflow rules specifically, so I assumed you already checked its logic to know if it could/should benefit from the changes you're suggesting.

Looking at it quickly now I don't see any serious string comparison so whether it uses Boyer Moore or not seems irrelevant :(

Christopher Kalaani

Dec 15, 2022, 5:15:40 PM
to zaproxy...@googlegroups.com
Well I have spent some time looking through the code for the buffer overflow rule to see how I could go about modifying it, but I was struggling to figure it out as I'm not too familiar with how it all works.

If that's the case then I guess it's not an appropriate rule to modify in that manner. Do you think an injection based vulnerability would be more suitable for what I'm trying to do?

Christopher Kalaani

Jan 10, 2023, 2:19:14 PM
to zaproxy...@googlegroups.com
Does anyone on the ZAP development team know what kind of rule would be appropriate to modify with the Boyer Moore algorithm for the purposes of improving processing time and how I could get started going about doing that?

It's no problem if this is perhaps outside of your area of knowledge, I'm just not sure who or where else to seek help for this as I'm really not familiar enough with this application to figure this out on my own.

Arkaprabha Chakraborty

Jan 10, 2023, 2:38:21 PM
to zaproxy...@googlegroups.com
I know ZAP's commonlib has a comparable response which gives a heuristic score on how similar certain sections of two HTTP Responses are. Probably that can be improved?

There are certain areas in the XSS scan rule which search for reflection of the payload. HtmlContext as far as I remember. Can be "probably" improved too.

I'm not certain tho :). But yeah these two as far as I can tell can possibly use the algorithm for pattern matching.
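The reflection search described in the post above is the kind of place where a Boyer-Moore family search applies: the scanner knows the exact payload it sent and wants every position where the response echoes it. As an added example that is not ZAP's code (the canary value, the response body and all function names are constructed for this illustration), here is a Boyer-Moore-Horspool search in JavaScript that returns every offset at which a payload is reflected in a response body, cross-checked against a plain indexOf loop.

```javascript
// Added example, not ZAP code: Boyer-Moore-Horspool search for a reflected payload.
// Horspool is the simplified Boyer-Moore variant that keeps only the bad-character
// rule; on a mismatch it skips ahead by up to pattern.length characters.

// Bad-character table: for each character in the pattern except the last, the
// distance from its rightmost occurrence to the end of the pattern.
function buildShiftTable(pattern) {
  const m = pattern.length;
  const table = new Map();
  for (let i = 0; i < m - 1; i++) {
    table.set(pattern.charCodeAt(i), m - 1 - i);
  }
  return table;
}

// Index of the first occurrence of pattern in text at or after start, or -1.
// The shift table can be passed in so repeated searches reuse it.
function horspoolSearch(text, pattern, start = 0, table = buildShiftTable(pattern)) {
  const n = text.length;
  const m = pattern.length;
  if (m === 0) return start <= n ? start : -1;
  let i = start;
  while (i + m <= n) {
    // Compare the window right to left against the pattern.
    let j = m - 1;
    while (j >= 0 && text.charCodeAt(i + j) === pattern.charCodeAt(j)) j--;
    if (j < 0) return i;
    // Shift by the table entry for the window's last character (m if unseen).
    const last = text.charCodeAt(i + m - 1);
    i += table.has(last) ? table.get(last) : m;
  }
  return -1;
}

// All non-overlapping offsets at which payload is reflected in body.
function reflectionOffsets(body, payload) {
  const offsets = [];
  if (payload.length === 0) return offsets; // an empty payload matches nothing useful
  const table = buildShiftTable(payload);    // built once, reused for every search
  let idx = horspoolSearch(body, payload, 0, table);
  while (idx !== -1) {
    offsets.push(idx);
    idx = horspoolSearch(body, payload, idx + payload.length, table);
  }
  return offsets;
}

// Reference implementation using String.prototype.indexOf, for cross-checking.
function naiveOffsets(body, payload) {
  const offsets = [];
  if (payload.length === 0) return offsets;
  let idx = body.indexOf(payload);
  while (idx !== -1) {
    offsets.push(idx);
    idx = body.indexOf(payload, idx + payload.length);
  }
  return offsets;
}

// Constructed sample (not from a real target): a canary value the scanner sent
// and a response that echoes it once in text and once inside an attribute.
const CANARY = 'zap1234';
const SAMPLE_BODY = '<html><body><p>Results for "zap1234"</p><input value="zap1234"></body></html>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(reflectionOffsets(SAMPLE_BODY, CANARY));
}
```

The offsets alone say only that the payload came back; deciding whether a reflection is exploitable is a separate step that looks at the surrounding context (text node, attribute value, script block), which is what the HtmlContext logic mentioned above does. Whether Horspool beats the platform's built-in indexOf for short payloads is an empirical question; the gain shows up with longer patterns and large bodies, and that measurement is the kind of comparison a thesis could report.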

Christopher Kalaani

Jan 10, 2023, 3:13:17 PM
to zaproxy...@googlegroups.com
I know kingthorin mentioned comparableresponse, and I figured maybe an injection based rule would be appropriate...I will look into both of those.

Thank you for the response.

Christopher Kalaani

Jan 26, 2023, 3:31:06 PM
to zaproxy...@googlegroups.com
I had another quick question, would the SQL injection rules be suitable for modification as well since they are similar to XSS?
