Does Zap detect stored XSS?


shungkai lam

Sep 8, 2017, 9:55:25 PM9/8/17
to OWASP ZAP Developer Group
I noticed ZAP does a lot of reflected XSS tests and detections, but it didn't detect a stored XSS that I found manually.

Is it because it determines vulnerabilities by HTTP responses only?

The stored XSS returns an HTTP response status of 200 and no echoing of the "<script>alert(1)</script>".

The stored XSS script shows itself on a different URL later.

psiinon

Sep 11, 2017, 2:55:53 AM9/11/17
to OWASP ZAP Developer Group
It does, as per https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules#cross-site-scripting-persistent

Note that you have to have visited the page that shows the XSS vulnerability _before_ running the scan - as always, exploring your application effectively is key.
Can you try that and let us know if ZAP now finds it?

Cheers,

Simon

shungkai lam

Sep 11, 2017, 7:49:19 PM9/11/17
to OWASP ZAP Developer Group
Thanks for the explanation. Now the detection approach makes more sense.

However, it still does not detect my stored XSS when I follow the visit-page (and create), crawl, active-scan sequence a few times.
When it is doing active scanning, I can see the same POST on the visited page (URL).  But the JSON payload that I used to visit the page is different from the one the active scan is using.

psiinon

Sep 12, 2017, 2:45:10 AM9/12/17
to OWASP ZAP Developer Group
Unfortunately my telepathy isn't that great ;)
Can you give us examples of your payload and the ones ZAP sends?
The HTML that results in the XSS would also help.

Cheers,

Simon

shungkai lam

Sep 12, 2017, 5:32:08 PM9/12/17
to OWASP ZAP Developer Group
When I manually post, the payload is:

[{"generic":{"name":"<script>alert(1)</script>","memory":2048,"cpus":2,"description":"desc777","cores":1,"disks":[{"disk_address":{"bus":"IDE"}}],"vm_features":{"AGENT_VM":false}}}]


When zap active scan posts, the payload is:


[{"generic":{"name":"vm777","memory":2048,"cpus":2,"description":"desc777","cores":1,"disks":[{"disk_address":{"bus":"<script>alert(1);</script>"}}],"vm_features":{"AGENT_VM":false}}}]


This POST was rejected by the server, because the server checks the bus attribute value and rejects "<script>...".


For some reason, active scan does not attempt to plug "<script>..." into the attribute name.


I think active scan would need to enumerate all the string fields here, plugging "<script>alert(1)</script>" into each one in turn, to get a successful POST to the server.
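The detection approach Simon describes (explore the page that shows the injected data first, inject, then re-check that page) and the per-string-field enumeration asked for in this post, as an added example that is not ZAP's own code: a Python simulation against a constructed toy application modelled on the VM API in the thread. ToyApp, scan_persistent_xss, the /vms path, the bus validation and the uuid-based tracer are all assumptions made for this example, not details taken from ZAP or from the poster's server.

```python
import copy
import json
import uuid

# Constructed toy application standing in for the VM API in the thread
# (an assumption for this example, not the poster's real server).
# POST /vms stores a JSON array of VM objects and, as the thread describes,
# validates the disk bus value and rejects anything unexpected.
# GET /vms renders the stored names into HTML without escaping: that is the
# stored XSS sink, on a different URL from the POST that stores the data.
class ToyApp:
    ALLOWED_BUS = {"IDE", "SCSI"}

    def __init__(self):
        self.vms = []

    def request(self, method, path, body=None):
        if method == "POST" and path == "/vms":
            vms = json.loads(body)
            for vm in vms:
                for disk in vm["generic"]["disks"]:
                    if disk["disk_address"]["bus"] not in self.ALLOWED_BUS:
                        return 400, "invalid bus"  # the rejection seen in the thread
            self.vms.extend(vms)
            return 200, "ok"
        if method == "GET" and path == "/vms":
            rows = "".join("<li>%s</li>" % vm["generic"]["name"] for vm in self.vms)
            return 200, "<ul>%s</ul>" % rows
        return 404, ""


def string_leaf_paths(node, path=()):
    """Yield the path of every string leaf in a JSON document, so each one
    can be fuzzed in turn instead of only one field."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from string_leaf_paths(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from string_leaf_paths(value, path + (index,))
    elif isinstance(node, str):
        yield path


def with_value(doc, path, value):
    """Return a deep copy of doc with the leaf at path replaced by value."""
    new = copy.deepcopy(doc)
    node = new
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value
    return new


def scan_persistent_xss(app, post_path, body_template, visited_pages):
    """Inject a uniquely tagged script into one string field at a time, then
    re-fetch every page explored earlier looking for the raw (unescaped) payload.
    Only visited_pages are re-checked, which is why the sink page has to be
    explored before the scan. Returns (injected field, sink page) pairs."""
    findings = []
    for path in string_leaf_paths(body_template):
        tracer = "zap" + uuid.uuid4().hex[:8]
        payload = "<script>alert('%s')</script>" % tracer
        body = json.dumps(with_value(body_template, path, payload))
        status, _ = app.request("POST", post_path, body)
        if status != 200:
            continue  # rejected by validation: nothing was stored for this field
        for sink in visited_pages:
            _, page = app.request("GET", sink)
            if payload in page:  # escaped output would not match the raw payload
                findings.append(("/".join(map(str, path)), sink))
    return findings


# The poster's request body, used as the scan template (values from the thread).
BODY_TEMPLATE = [{"generic": {"name": "vm777", "memory": 2048, "cpus": 2,
                              "description": "desc777", "cores": 1,
                              "disks": [{"disk_address": {"bus": "IDE"}}],
                              "vm_features": {"AGENT_VM": False}}}]


def demo():
    # Sink explored first: the name field is stored and echoed on /vms.
    explored = ToyApp()
    explored.request("GET", "/vms")
    found = scan_persistent_xss(explored, "/vms", BODY_TEMPLATE, ["/vms"])
    # Sink never explored: the same injections land, but no page is re-checked.
    missed = scan_persistent_xss(ToyApp(), "/vms", BODY_TEMPLATE, [])
    return found, missed


if __name__ == "__main__":
    print(demo())
```

Running demo() reports the name field as reflected on /vms only when /vms was explored before the scan; the injection into bus is rejected with a 400 in both runs, so an injection that stops at that field would never see the stored payload, which is the situation the post describes. The tracer in each payload is unique per field so that a match on the sink page can be tied back to the field that stored it.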

thc...@gmail.com

Sep 12, 2017, 5:34:16 PM9/12/17
to zaproxy...@googlegroups.com
Hi.

Which ZAP version are you using?

Best regards.

On 12/09/17 22:32, shungkai lam wrote:
> When I manually post, the payload is:
>
> [{"generic":{"name":"*<script>alert(1)</script>*",
>
> "memory":2048,"cpus":2,"description":"desc777","cores":1,"disks":[{"disk_address":{"bus":"IDE"}}],"vm_features":{"AGENT_VM":false}}
> }]
>
>
> When zap active scan posts, the payload is:
>
>
> [{
> "generic":{"name":"vm777","memory":2048,"cpus":2,"description":"desc777","cores":1,"disks":[{"disk_address":{"bus":"
> *<script>alert(1);</script>*"}}],"vm_features":{"AGENT_VM":false}}}]

shungkai lam

Sep 12, 2017, 5:42:46 PM9/12/17
to OWASP ZAP Developer Group
2.6.0