Active Scan- Alert Not raised


Nathan Sitbon

Dec 27, 2022, 11:57:33 AM
to OWASP ZAP Developer Group
Hey,
After numerous tries and tests with the active scan module, I discovered that the "ExampleSimpleActiveScanRule" and my personal add-ons that were based on it did not always raise an alert during an active scan.
The alert should always be raised, because there are no specific rules or logic in the scan method. I don't know why alerts aren't always raised, though.
 
The code is very simple (I always use the same policy):

    @Override
    public void scan(HttpMessage msg, String param, String value) {
        if (!Constant.isDevBuild()) {
            return;
        }
        HttpMessage testMsg = getNewMsg();
        buildAlert()
                .setMessage(testMsg)
                .setParam(param)
                .setUri("https://testing.com")
                .setAttack(value)
                .raise();
    }
Thank you for your help.

thc...@gmail.com

Dec 27, 2022, 12:06:01 PM
to zaproxy...@googlegroups.com
Hi.

The `ExampleSimpleActiveScanRule` is not expected to raise alerts
always, it raises alerts randomly.

The code provided should raise always though (assuming you are always
running as a dev build. I'd suggest removing the dev build check, that
was only meant for the example scan rule).

How are you telling that the alerts are not raised?

Best regards.

Nathan Sitbon

Dec 27, 2022, 12:37:00 PM
to OWASP ZAP Developer Group
Hi,
The condition that checks the random number was already removed from "ExampleSimple..".
I just removed the dev build check, and the alerts are still not raised.

psiinon

Dec 28, 2022, 4:29:05 AM
to OWASP ZAP Developer Group
How are you running the scan?
Have you checked to see that the rule is enabled and is being run?

Cheers,

Simon

Nathan Sitbon

Dec 28, 2022, 5:14:42 AM
to OWASP ZAP Developer Group
Hi,
I ran them from the ZAP GUI active scan menu.
Yes, I checked that the scan rule is enabled.
[attachment: zap.png]

psiinon

Dec 28, 2022, 5:20:11 AM
to OWASP ZAP Developer Group
"0 message(s) sent" looks "interesting" :)
Basically it is not getting run, for some reason.
I'd put in extra log messages to see what's going on, but you could use a debugger instead if that's your preferred route.

Note that this rule just targets the "C" language, so if you are not including that in your scan config then this rule will not be run.

Cheers,

Simon

thc...@gmail.com

Dec 28, 2022, 5:25:07 AM
to zaproxy...@googlegroups.com
btw, why are you implementing a scan rule? If the scan happens on the
Cherrybomb side you should raise the alerts directly rather than do it
through a scan rule.

Best regards.

Nathan Sitbon

Jan 1, 2023, 9:21:17 AM
to OWASP ZAP Developer Group
Hey @thc202

I was unable to raise a passive/active alert directly from the add-ons.

Alerts are raised without issue when a scan rule is implemented, but nothing happens when I create an alert and raise it from my class.

Best regards.

psiinon

Jan 1, 2023, 9:47:57 AM
to OWASP ZAP Developer Group
In that case you are doing something wrong 😀
If you share your code we might be able to help...

Cheers

Simon

Nathan Sitbon

Jan 1, 2023, 10:44:48 AM
to OWASP ZAP Developer Group
I got a java.lang.NullPointerException when I call the "voidraiseAlert" method.

I simplified my code by leaving only the essentials. This is how my code looks.

From the "ExtensionCherryBomb" file:


    menuExample.addActionListener(
            e -> {
                displayFile(EXAMPLE_FILE); // display the first message

                try {
                    // Rule instantiated here by hand, outside the passive scan thread
                    CherryBombPassive sc = new CherryBombPassive();
                    sc.voidraiseAlert();
                } catch (IOException ee) {
                    throw new RuntimeException(ee);
                }
            });

My "CherryBombPassive.java" class file:


    import org.apache.logging.log4j.LogManager;
    import org.apache.logging.log4j.Logger;
    import org.parosproxy.paros.core.scanner.Alert;
    import org.zaproxy.zap.extension.pscan.PluginPassiveScanner;
    import org.zaproxy.zap.model.Vulnerabilities;
    import org.zaproxy.zap.model.Vulnerability;

    public class CherryBombPassive extends PluginPassiveScanner {

        private static Vulnerability vuln = Vulnerabilities.getVulnerability("wasc_60");
        private static final Logger logger = LogManager.getLogger(CherryBombPassive.class);

        @Override
        public int getPluginId() {
            return 110009;
        }

        // Called directly from the extension's menu action, not from a scan
        public void voidraiseAlert() {
            try {
                newAlert()
                        .setName(getName())
                        .setPluginId(getPluginId())
                        .setRisk(Alert.RISK_MEDIUM)
                        .setConfidence(Alert.CONFIDENCE_MEDIUM)
                        .setDescription(getDescription())
                        .setSolution(getSolution())
                        .setReference(getReference())
                        .raise();
            } catch (Exception e) {
                System.out.println("error to create alert " + e);
            }
        }

        @Override
        public String getName() {
            if (vuln != null) {
                return "Example Passive CB from addons passive Scan Rule: " + vuln.getAlert();
            }
            return "Example Passive Scan Rule: CB From ADDONS";
        }

        public String getDescription() {
            if (vuln != null) {
                return vuln.getDescription();
            }
            return "Failed to load vulnerability description from file";
        }

        public String getSolution() {
            if (vuln != null) {
                return vuln.getSolution();
            }
            return "Failed to load vulnerability solution from file";
        }

        public String getReference() {
            if (vuln != null) {
                StringBuilder sb = new StringBuilder();
                for (String ref : vuln.getReferences()) {
                    if (sb.length() > 0) {
                        sb.append("\n");
                    }
                    sb.append(ref);
                }
                return sb.toString();
            }
            return "Failed to load vulnerability reference from file";
        }
    }
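One way to raise an alert straight from an extension, without routing it through a scan rule, as thc202 suggested earlier in the thread. This is an added example, not code from the thread or from the ZAP project; it assumes ZAP 2.12-era core classes (ExtensionAlert, Alert, Control) and that `msg` is a message ZAP has already recorded, so it carries a HistoryReference; the plugin id is taken from the posted class and `DirectAlertRaiser` is a hypothetical name.

```java
import org.parosproxy.paros.control.Control;
import org.parosproxy.paros.core.scanner.Alert;
import org.parosproxy.paros.network.HttpMessage;
import org.zaproxy.zap.extension.alert.ExtensionAlert;

/** Hypothetical helper: hands a fully built Alert to ExtensionAlert directly. */
public final class DirectAlertRaiser {

    // Same id as the posted CherryBombPassive rule, so alerts group under it
    private static final int PLUGIN_ID = 110009;

    private DirectAlertRaiser() {}

    /**
     * Raises an alert against msg. Returns false when ExtensionAlert is not
     * loaded (e.g. headless builds without the alert extension) instead of
     * throwing, so the caller can log and carry on.
     */
    public static boolean raise(HttpMessage msg, String name, String description) {
        ExtensionAlert extAlert =
                Control.getSingleton().getExtensionLoader().getExtension(ExtensionAlert.class);
        if (extAlert == null) {
            return false;
        }
        if (msg.getHistoryRef() == null) {
            // Assumption: only messages ZAP has already recorded (proxied or sent
            // through its scanners) have a history entry to attach the alert to.
            return false;
        }

        Alert alert = new Alert(PLUGIN_ID, Alert.RISK_MEDIUM, Alert.CONFIDENCE_MEDIUM, name);
        alert.setDescription(description);
        // The URI and the message are what the posted rule never set; without
        // them the alert has nothing in the Sites tree to hang off.
        alert.setUri(msg.getRequestHeader().getURI().toString());
        alert.setMessage(msg);

        extAlert.alertFound(alert, msg.getHistoryRef());
        return true;
    }
}
```

Call `DirectAlertRaiser.raise(msg, "CherryBomb finding", "...")` from your extension with a message taken from the history, rather than instantiating a PluginPassiveScanner by hand outside the passive scan thread.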

thc...@gmail.com

Jan 1, 2023, 10:52:12 AM
to zaproxy...@googlegroups.com