Raising new 3rd party JS alert


Venkata Subrahmanyam

Sep 14, 2021, 5:12:48 PM
to zaproxy...@googlegroups.com
Hey guys, 

I am trying to highlight a custom-built JS library in my firm. The in-built rule of ZAP obviously does not pick it up. If I want to pick it up, is writing a new active/passive scan rule the only way, or is there some other way to pick up any libraries which I feel should raise an alert?

Looking for a suggestion on the approach.

Thank you, 
Venkat


psiinon

Sep 15, 2021, 3:32:06 AM
to OWASP ZAP Developer Group
Hi Venkat,

Could you explain what you mean by "highlight"?
What do you want ZAP to do and when do you want it to do that?

Cheers,

Simon

Venkata Subrahmanyam

Sep 15, 2021, 7:09:50 AM
to zaproxy...@googlegroups.com
Hello, 

ZAP currently raises an alert if there is a 3rd party JS script present in the response. But not all 3rd party JS is raised as an alert. I want to add some more JS libraries to be flagged and raised as an alert. I hope my explanation makes sense.

Venkat


psiinon

Sep 15, 2021, 7:17:45 AM
to OWASP ZAP Developer Group
ZAP will raise alerts if there are external JS scripts referenced or if it detects a known JS library that is out of date.
The former should work in all cases.
Detecting out of date libraries is done via the Retire.js add-on which uses the retire.js project.
You could submit a patch to that project for publicly available 3rd party libraries but probably not for custom ones.
If you want to detect those being out of date you would probably have to create your own passive scan rule (which could be implemented as a script).

Cheers,

Simon

Venkata Subrahmanyam

Sep 15, 2021, 7:32:55 AM
to zaproxy...@googlegroups.com
Thank you for your response. There are a couple of sites where 3rd party JS is not being raised as an alert. I understand custom libraries need to be tackled via a passive scan rule. But for external ones, I will raise a patch. 


kingthorin+owaspzap

Sep 15, 2021, 9:50:17 AM
to OWASP ZAP Developer Group
There are lots of examples of Passive Scan Script Rules here if you need ideas: https://github.com/zaproxy/community-scripts/tree/main/passive
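As an added example (not from this thread, the ZAP project or the community-scripts repository), here is a passive scan script of the kind Simon and kingthorin describe: it flags responses that reference a configured list of in-house or otherwise unwanted JS files. It assumes ZAP's current script helper API (helper.newAlert() builder, msg.getResponseHeader().isHtml()) and a constructed FLAGGED_LIBRARIES list that you would replace with your firm's own names.

```javascript
// Constructed list of library file names to flag (assumption: replace with your firm's own).
var FLAGGED_LIBRARIES = [
  { name: "acme-widgets.js", reason: "Custom in-house library; versions below 2.0 are unsupported" },
  { name: "legacy-tracker.js", reason: "Deprecated third-party tracker" }
];

// Collect the src attribute of every <script> tag in an HTML body.
function extractScriptSources(body) {
  var sources = [];
  var re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  var m;
  while ((m = re.exec(body)) !== null) {
    sources.push(m[1]);
  }
  return sources;
}

// Return one hit per script src whose path contains a flagged file name.
function findFlaggedLibraries(body) {
  var hits = [];
  var sources = extractScriptSources(body);
  for (var i = 0; i < sources.length; i++) {
    for (var j = 0; j < FLAGGED_LIBRARIES.length; j++) {
      var lib = FLAGGED_LIBRARIES[j];
      if (sources[i].toLowerCase().indexOf(lib.name) !== -1) {
        hits.push({ src: sources[i], name: lib.name, reason: lib.reason });
      }
    }
  }
  return hits;
}

// ZAP passive scan entry point: runs once per proxied/spidered response (assumed helper API).
function scan(helper, msg, src) {
  if (!msg.getResponseHeader().isHtml()) return;
  var hits = findFlaggedLibraries(msg.getResponseBody().toString());
  for (var i = 0; i < hits.length; i++) {
    helper.newAlert()
      .setRisk(1)          // Low
      .setConfidence(2)    // Medium
      .setName("Flagged JS library referenced: " + hits[i].name)
      .setDescription(hits[i].reason)
      .setEvidence(hits[i].src)
      .setSolution("Remove or upgrade the library, or move it to the approved list.")
      .setMessage(msg)
      .raise();
  }
}
```

Load it under Scripts > passive in ZAP and enable it; the detection logic in findFlaggedLibraries is kept separate from the ZAP calls so it can be unit-tested outside ZAP with a constructed HTML body.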