ZAP active scan path traversal didn't trigger alert, solution?


alex van

Sep 22, 2022, 5:05:17 PM
to OWASP ZAP Developer Group
hi there,

I am using active scan on ZAP for my web application.

There is a known path traversal vulnerability for a URL on my web application. When I run the active scan (specifically, I test for path traversal), in the sent messages I can see that tons of messages are sent, including one of the path traversal cases that I want to test,

for example: ../etc/passwd

However, ZAP didn't add this into the "alerts". The response of my web application is a customized body message like "error": "true". I checked the source code PathTraversalScanRule.java, and it seems the alert isn't triggered by this type of body message.

I am wondering whether I should modify the PathTraversalScanRule.java file and rebuild ZAP to fit my need, or is there an easier way to do this without doing a ZAP dev build?

kingthorin+owaspzap

Sep 25, 2022, 5:08:53 PM
to OWASP ZAP Developer Group
I'm not sure why any DAST would assume that a random string such as "error: "true" would indicate a successful exploit.

You could write your own Active scan script that performs the attack and analyzes the response. Examples here: https://github.com/zaproxy/community-scripts/tree/main/active

psiinon

Sep 26, 2022, 3:43:32 AM
to OWASP ZAP Developer Group

As Rick said, "error: true" does not look like a good indication of a path traversal vulnerability in most apps.
If you think there's more to it and that ZAP should have detected this vulnerability, then please let us know more details.

Cheers,

Simon

alex van

Oct 30, 2022, 7:26:55 PM
to OWASP ZAP Developer Group
hi Kingthorin,

Thanks for the suggestion about writing my own active scan script. I did think about it, but I don't think my situation needs it.

I am happy using all the active scan rules provided by default in ZAP. Actually, my question is whether there is a configuration that allows me to add a custom alert condition: for example, whenever I apply all the active scan rules for the attacks and a body message like "error:true" appears in the response body together with a 200 OK, it would trigger the alert?

Currently the web application I am testing does have an "error:true" body response when the attacks are successfully applied by running the active rules provided by ZAP.

psiinon

Oct 31, 2022, 4:45:48 AM
to OWASP ZAP Developer Group
If only all apps worked like this! :D
Unfortunately this is a really unusual case (as far as I am aware), so not something ZAP will handle 'out-of-the-box'.
However, scripts will help.
You can write an httpsender script which checks active scan responses for that condition and then raises alerts. Those alerts will show you the payload but won't by default be easy to tie back to a specific rule.
But if you enable the "Inject plugin ID in header for all active scan requests" option, then you will be able to see which rules caused the problem.

Cheers,

Simon
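As an added example for the approach Simon describes above (this is not code from the thread or from the ZAP project), here is an httpsender script that watches active-scan responses, flags a 200 OK whose body carries the application's `error:true` marker, and raises an alert that records which scan rule sent the payload. The detection helpers are plain JavaScript so they can be tested outside ZAP. The hook and alert code assume ZAP's `responseReceived(msg, initiator, helper)` entry point, the `HttpSender.ACTIVE_SCANNER_INITIATOR` constant, `Alert.builder()` / `ExtensionAlert.alertFound()` for raising alerts, and that the "inject plugin ID" option adds an `X-ZAP-Scan-ID` header; `SCRIPT_PLUGIN_ID` is a placeholder. Check those names against your ZAP version.

```javascript
// Added example for this thread (not code from the thread or the ZAP project):
// a ZAP httpsender script that raises an alert when the active scanner gets
// HTTP 200 plus the app's custom error:true marker, naming the rule that sent
// the payload via the X-ZAP-Scan-ID header.
//
// ASSUMPTIONS (ZAP core API names; verify against your ZAP version):
//   - httpsender hooks sendingRequest/responseReceived(msg, initiator, helper)
//   - HttpSender.ACTIVE_SCANNER_INITIATOR identifies active-scan traffic
//   - "Inject plugin ID in header for all active scan requests" adds X-ZAP-Scan-ID
//   - Alert.builder() and ExtensionAlert.alertFound() create and persist alerts
//   - SCRIPT_PLUGIN_ID is a placeholder; pick an id no other rule uses

var SCRIPT_PLUGIN_ID = 100020;          // placeholder id for this script's alerts
var SCAN_ID_HEADER = "X-ZAP-Scan-ID";   // assumed header name injected by ZAP

// The app's marker, tolerant of quoting/whitespace: error:true, "error":"true", error: "true"
var ERROR_TRUE = /"?\berror\b"?\s*:\s*"?true\b"?/i;

// Pure check (no ZAP objects) so it can be unit-tested outside ZAP.
function isCustomErrorResponse(statusCode, body) {
  return statusCode === 200 && ERROR_TRUE.test(String(body));
}

// Pure helper: describe the finding, or return null when the condition is absent.
// scanId is the raw X-ZAP-Scan-ID header value (null when the option is off).
function buildFinding(statusCode, body, scanId, uri) {
  if (!isCustomErrorResponse(statusCode, body)) {
    return null;
  }
  var evidence = String(body).match(ERROR_TRUE)[0];
  var ruleId = scanId ? parseInt(String(scanId), 10) : -1; // -1: rule unknown
  return {
    ruleId: ruleId,
    uri: String(uri),
    evidence: evidence,
    name: "Application error marker in active scan response (rule " +
          (ruleId >= 0 ? ruleId : "unknown") + ")"
  };
}

// ---- ZAP hooks: only executed inside ZAP's script engine ----

function sendingRequest(msg, initiator, helper) {
  // Nothing to do on the way out; the httpsender template expects this hook.
}

function responseReceived(msg, initiator, helper) {
  var HttpSender = Java.type("org.parosproxy.paros.network.HttpSender");
  if (initiator != HttpSender.ACTIVE_SCANNER_INITIATOR) {
    return; // ignore proxy, spider and manual traffic
  }
  var finding = buildFinding(
    msg.getResponseHeader().getStatusCode(),
    msg.getResponseBody().toString(),
    msg.getRequestHeader().getHeader(SCAN_ID_HEADER),
    msg.getRequestHeader().getURI().toString()
  );
  if (finding !== null) {
    raiseAlert(msg, finding);
  }
}

function raiseAlert(msg, finding) {
  var Alert = Java.type("org.parosproxy.paros.core.scanner.Alert");
  var Control = Java.type("org.parosproxy.paros.control.Control");
  var ExtensionAlert = Java.type("org.zaproxy.zap.extension.alert.ExtensionAlert");
  var HistoryReference = Java.type("org.parosproxy.paros.model.HistoryReference");
  var Model = Java.type("org.parosproxy.paros.model.Model");

  var extAlert = Control.getSingleton().getExtensionLoader().getExtension(ExtensionAlert.NAME);
  if (extAlert === null) {
    return;
  }
  // Persist the message so the alert has a history entry to attach to.
  var ref = new HistoryReference(Model.getSingleton().getSession(),
                                 HistoryReference.TYPE_ZAP_USER, msg);
  var alert = Alert.builder()
    .setPluginId(SCRIPT_PLUGIN_ID)
    .setRisk(Alert.RISK_MEDIUM)
    .setConfidence(Alert.CONFIDENCE_MEDIUM)
    .setName(finding.name)
    .setDescription("The application answered an active scan payload with HTTP 200 and its " +
                    "error:true marker, which for this application means the payload took effect.")
    .setOtherInfo("Active scan rule id from " + SCAN_ID_HEADER + ": " + finding.ruleId)
    .setEvidence(finding.evidence)
    .setUri(finding.uri)
    .setMessage(msg)
    .build();
  extAlert.alertFound(alert, ref);
}
```

To use it: add the file under Scripts > httpsender in ZAP, enable it, turn on "Inject plugin ID in header for all active scan requests" under Options > Active Scan, then run the scan. Keeping the detection in `isCustomErrorResponse`/`buildFinding` lets you tune the marker pattern and test it without a running ZAP, which matters here because a body string like `error:true` is an app-specific signal and will need adjusting per application.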