Recently, there has been some publicity around a "new" relative-path related vulnerability, which, it turns out, was identified a year or so ago. ZAP did not have the capability to check for this vulnerability, so I've added it. The scanner is called "Relative Path Confusion", because I think the problem is probably bigger than just being used to import HTML as CSS. The recommendations I've included for the vulnerability differ slightly from those documented on the PortSwigger blog because I think the most important fix is the correct use of the HTML "<base>" tag to eliminate any confusion around relative paths. This is not mentioned on the blog or on other references I can find, but I think it makes sense.
I've also reserved ids for the following, since I have these working on my local machine, but I need more test cases before I can commit the code:
10049 - Cacheability and Retrievability Content (Non-Cacheable Content, Cacheable but Non-Retrievable Content, Cacheable and Retrievable Content)
10050 - Retrieved from Cache
40025 - Proxy Disclosure
If you have time, please have a play with the Relative Path Confusion scanner. If any queries/false pos/false negs arise, please let me know. As usual, please remember that it's still alpha, so there will be cases I have not (yet) tested.
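As an added illustration (not part of the original post and not ZAP's scanner code), a minimal passive check for the condition the post describes: it reports path-relative references in a page that has no pinning `<base>` tag and shows what each one resolves to for a given request URL. The sample HTML, the `example.test` host and all function names are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute holding a URL the browser will resolve.
URL_ATTRS = {"link": "href", "script": "src", "img": "src", "a": "href", "form": "action"}

def is_path_relative(url):
    """True for 'style.css' or '../x'; False for '/x', '//host/x', 'https://...', '#frag'."""
    parts = urlsplit(url)
    return not parts.scheme and not parts.netloc and bool(parts.path) and not url.startswith("/")

class RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.base_href = None
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base":
            # Only the first <base href> in a document is honoured.
            if self.base_href is None and attrs.get("href"):
                self.base_href = attrs["href"]
        elif tag in URL_ATTRS and attrs.get(URL_ATTRS[tag]):
            self.refs.append((tag, attrs[URL_ATTRS[tag]]))

def audit(page_url, html):
    """Return (tag, reference, resolved URL) for references that depend on the request path."""
    collector = RefCollector()
    collector.feed(html)
    base = collector.base_href
    if base and not is_path_relative(base):
        return []  # resolution is pinned by <base>, whatever path was requested
    effective = urljoin(page_url, base) if base else page_url
    return [(tag, ref, urljoin(effective, ref))
            for tag, ref in collector.refs if is_path_relative(ref)]

# Constructed sample pages and URLs (example.test is a placeholder host).
PAGE = ('<html><head><link rel="stylesheet" href="style.css">'
        '<script src="/js/app.js"></script></head>'
        '<body><a href="#top">top</a></body></html>')
PAGE_WITH_BASE = PAGE.replace("<head>", '<head><base href="https://example.test/app/">')

if __name__ == "__main__":
    for url in ("https://example.test/app/index.php",
                "https://example.test/app/index.php/extra/"):
        print(url, audit(url, PAGE), audit(url, PAGE_WITH_BASE))
```

The same `style.css` reference resolves to a different URL for each request path when no `<base>` is present, and produces no finding once an absolute or root-relative `<base href>` is set.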