iframe issue


Venkata Subrahmanyam

Apr 14, 2021, 12:17:54 PM
to zaproxy...@googlegroups.com
Hello everyone, 

Does the ZAP scanner pick up iframe-related issues? I want to know if it is already there before I implement it.

Thank you, 
Venkat


psiinon

Apr 15, 2021, 4:14:59 AM
to OWASP ZAP Developer Group
Hiya Venkat,

What sort of iframe issues were you thinking of?
The scan rules tend to focus on specific vulnerabilities rather than being focused on one technology.
You can see the full set of (non script) rules here: https://www.zaproxy.org/docs/alerts/

Cheers,

Simon

Venkata Subrahmanyam

Apr 15, 2021, 8:41:06 AM
to zaproxy...@googlegroups.com
Hey Simon,

I have iframes with vulnerable JS (internally developed and open-source ones) across my organisation portfolio. I was wondering if there is a way all external JS can be checked from a list of verified sources and raise an alert only if the JS is not from a verified source.

I understand the Cross-Domain JS Inclusion module does this to an extent, but it raises an alert if the JS is external to the site it is scanning.

Any of your suggestions will be helpful. I am looking at over 3000 domains with this issue. 
I hope my reply made sense. 

Venkat


psiinon

Apr 15, 2021, 9:05:06 AM
to OWASP ZAP Developer Group
By default the rule will not warn if the JS files are included in a context that the app being scanned is defined in.
To make use of this you need to define a context which includes your app and the JS files that you trust.

Will that work for you?

Cheers,

Simon

Venkata Subrahmanyam

Apr 15, 2021, 10:58:51 AM
to zaproxy...@googlegroups.com
Hi Simon, 

The only issue I see with this is that I have around 2000 unique domains and hence unique contexts with respective JS in those contexts, too many files to manage.

Would the below implementation be feasible: 
Ensure the Cross Domain JavaScript Inclusion module checks for vulnerable JS files in a common repository I maintain and return an alert if it matches. Although, I understand I have to customise the build. Are there any issues with this approach? I want to avoid having multiple context files. 


Thank you, 
Venkat

psiinon

Apr 16, 2021, 7:06:32 AM
to OWASP ZAP Developer Group
You can definitely change this rule locally and use your version, but you will need to update it every time we update those rules.
Alternatively you could create a script which loops through all of the Cross Domain JS alerts and deletes any which refer to sites that you trust. I think that would be easier to maintain. You could submit it to the community scripts repo as well: https://github.com/zaproxy/community-scripts

Venkata Subrahmanyam

Apr 16, 2021, 9:47:10 AM
to zaproxy...@googlegroups.com
Hello Simon, 

Thank you for your suggestion. So:
1. Run scan
2. Loop through the alerts for that alert ID
3. Remove alerts generated with evidence which I trust

The above is the approach, correct?

Thank you, 
Venkat
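
The filtering step discussed in this thread (loop over the Cross Domain JS alerts after a scan and drop those whose script comes from a trusted source), as an added example that is not from any participant in the thread or from the ZAP project. It assumes the alert's `evidence` field holds the offending script tag (falling back to `param`), that the rule ID is 10017, and it uses a hypothetical allowlist and constructed sample alerts.

```python
import re
from urllib.parse import urlsplit

# Assumption: 10017 is the Cross-Domain JavaScript Source File Inclusion rule
# ID; confirm against https://www.zaproxy.org/docs/alerts/ for your version.
PLUGIN_ID = "10017"
# Hypothetical shared allowlist: exact hosts, one list for every scanned domain.
TRUSTED_JS_HOSTS = {"cdn.example.org", "static.example.org"}
SRC_RE = re.compile(r"""<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

# Constructed alerts, shaped like the JSON the ZAP API returns for alerts.
SAMPLE_ALERTS = [
    {"id": "1", "pluginId": "10017", "url": "https://app.example.com/",
     "evidence": '<script src="https://cdn.example.org/lib.js"></script>'},
    {"id": "2", "pluginId": "10017", "url": "https://app.example.com/",
     "evidence": '<script src="https://cdn.example.org.attacker.test/lib.js"></script>'},
    {"id": "3", "pluginId": "10017", "url": "http://app.example.com/",
     "evidence": '<script src="//cdn.example.org/lib.js"></script>'},
    {"id": "4", "pluginId": "0", "url": "https://app.example.com/", "evidence": ""},
]


def script_origin(alert):
    """Return (scheme, host) of the script named in an alert, or None."""
    match = SRC_RE.search(alert.get("evidence", ""))
    src = match.group(1) if match else alert.get("param", "")
    if src.startswith("//"):  # protocol-relative: inherits the page's scheme
        src = urlsplit(alert.get("url", "")).scheme + ":" + src
    parts = urlsplit(src)
    if not parts.hostname:
        return None
    return parts.scheme.lower(), parts.hostname.lower().rstrip(".")


def split_alerts(alerts, trusted=frozenset(TRUSTED_JS_HOSTS)):
    """Return (ids_to_delete, alerts_to_keep) after a scan has finished."""
    delete_ids, keep = [], []
    for alert in alerts:
        origin = script_origin(alert)
        # Only this rule's alerts, exact host match, HTTPS only. No suffix
        # matching, so cdn.example.org.attacker.test stays reported.
        if (alert.get("pluginId") == PLUGIN_ID and origin
                and origin[0] == "https" and origin[1] in trusted):
            delete_ids.append(alert["id"])
        else:
            keep.append(alert)
    return delete_ids, keep
```

The returned IDs are what a maintenance script would hand to ZAP's delete-alert API action; everything in the second list stays in the report, including trusted hosts loaded over plain HTTP.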
