Hello, I haven't been using ZAP for very long so bare with me if I've missed something.
On an engagement, ZAP missed a blind OS command injection that I eventually found, but took much longer. I wanted to understand why it didn't raise an alert, so I dove into the source code (albeit after tweaking config and attempting to research the behavior) for the Command Injection plugin in the Active Scanning add-on.
I noticed that the
time-based blind detection uses a heuristic that only throws an alert if the delay is longer than the requested delay (ie sleep 5 must take longer then 5 seconds) AND if the delay is in the
99.9999999997440 percentile
of delays for that endpoint. The first condition makes sense to me, but the second one doesn't.
I did check the git blame and past issues surrounding this behavior, but this part of the addon hasn't really changed since 2014 and I'm not sure what the justification is for the delay needing to be 7 standard deviations away in order to be significant. I imagine this is to help prevent false positives, but I think it breaks the detection significantly in the following fairly reasonable situations:
- The endpoint in question already takes a long time (ie the mean is already high). In my case, the payload was being passed to a media conversion executable, so 5 sec+ delays were already the norm.
- The endpoint in question takes a varied amount of time (ie the standard deviation is high). In my case, some of the other payloads would break the conversion, so the delays were scattered between 5 sec+ to basically instant when the script call fails.
I was hoping to learn why it was written this way and if there are any plans to improve the heuristic to address the above situation.
My suggestion would be to instead send multiple very small delays, ie `sleep 1, 2, ..., 5`, and perform a
simple linear regression to see if the increment in payload delay correlates to an increment in actual delay. Then you could tie that numerical confidence threshold to the actual threshold configured for the add-on.
Let me know what you think, and thanks in advance!