Hello,
Thanks for replying!
> The paper is a bit of a big beast, so it's unlikely that you have
> implemented 100% of it. I'm interested in the small number of special cases
> that the authors identified regarding false positives (Section 3.3.1 in the
> paper): does the scanner look for those cases, and ignore them?
> Does your implementation look at the effect of the order of the parameters
> at all? ie, does it do the P-Scan, or just the (more necessary) V-Scan?
I based the plugin on that paper, but I have not implemented 100% of
it so far. I thought determining the parameter precedence would
required additional requests and for this first commit I have not
developed it. However, it is a nice feature to include in the
following days. I have not make it to get any false positive so far.
> How does this version differ from the existing Parameter pollution scanner
> available on the extensions download page
> (zap-ext-servletParamPollution-alpha-1.jar)?
AFAIK, the algorithm is completely different. If I understood well the
code, the previous extension checks for the action attribute in the
form tags. If not available, it raises the alert.
On the other hand, the new one identifies all the input fields of the
targeted page, it injects a HPP payload in each one of those. After
it, it analyzes the body response to determine if the payload is
displayed back in a link. If so, it raises an alert. I think we are
looking for different things.
> You could test this against some of the test case suites mentioned in
> previous mails. You're likely to find HPP vulnerabilities in some of the
> suites, even though they were not designed as HPP test cases. It's also a
> good idea to test the scanner on a few different platform types: JSP based,
> PHP based, etc.
I did not know about those threads, I will look for them, test it and
post the results. Thanks!
Guifre.