JavaScript / Standalone / Search for HTML Comments


kingt...@gmail.com

Mar 26, 2014, 8:32:19 AM
to zaproxy...@googlegroups.com
I've put together what you might call an 'Advanced Comment Finding' script, based on the Targeted Comment Finding template and standard passive template. You can find it attached, and I'd be glad to get/address any feedback people might have.

It's based on this RegEx: http://regex101.com/r/dC9kW6

I'd like to get people's thoughts on it. As you can see, it picks up the first 12 variations but not the 13th, which I think I'm actually perfectly fine with. If an HTML comment exists purely to house JavaScript then I don't think that's a major security concern. Developers have been doing so for a long time and they're not "real" comments.

The RegEx I'm proposing was grown from: http://ostermiller.org/findhtmlcomment.html


PassiveHTMLCommentFinder.js

kingthorin+owaspzap

May 28, 2014, 3:01:27 PM
to zaproxy...@googlegroups.com
Updated version now allows you to return results per comment (using a fakeParameter to differentiate) or "RollUp" all comments per URL.
The RegEx has also been tweaked slightly based on feedback from thc202.

Braces in the right positions this time.....
PassiveHTMLCommentFinder.js
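
The two posts above describe a comment finder that ignores comments which only house JavaScript and that can report per comment or rolled up per URL. The sketch below is an added example, not the attached script or the community-scripts version; its regex is a simplified stand-in for the one linked above, it runs as plain JavaScript outside ZAP, and `findHtmlComments`, `report`, `fakeParam<N>` and the sample body are hypothetical.

```javascript
// Added illustration: not the attached PassiveHTMLCommentFinder.js.
// Simplified pattern (assumption): "<!--", lazily anything, then "-->".
const COMMENT_RE = /<!--([\s\S]*?)-->/g;
// <script> elements, whose bodies older pages wrap in <!-- ... -->.
const SCRIPT_RE = /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi;

// Constructed sample response body.
const SAMPLE_BODY = [
  "<html><head>",
  "<!-- TODO: remove debug endpoint /admin/test before release -->",
  '<script type="text/javascript">',
  "<!--",
  "var x = 1;",
  "// -->",
  "</script>",
  "</head><body>",
  "<!--",
  "  build 1234, db host: db01.internal.example",
  "-->",
  "<p>Hello</p>",
  "</body></html>",
].join("\n");

// Returns [{offset, text}] for comments outside <script> elements.
function findHtmlComments(body) {
  // Mask script blocks with same-length padding so offsets still
  // point into the original body.
  const masked = body.replace(SCRIPT_RE, (m) => " ".repeat(m.length));
  const found = [];
  for (const m of masked.matchAll(COMMENT_RE)) {
    found.push({ offset: m.index, text: m[1].trim() });
  }
  return found;
}

// rollUp=true: one finding per URL; false: one per comment, with a
// synthetic parameter name (hypothetical "fakeParam<N>") to keep them apart.
function report(url, body, rollUp) {
  const comments = findHtmlComments(body);
  if (comments.length === 0) return [];
  if (rollUp) {
    const evidence = comments.map((c) => c.text).join("\n");
    return [{ url, param: "", evidence }];
  }
  return comments.map((c, i) => ({ url, param: "fakeParam" + i, evidence: c.text }));
}

console.log(report("http://example.test/", SAMPLE_BODY, false));
```

The comment wrapping `var x = 1;` inside the script element is not reported; the two comments outside it are.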

kingthorin+owaspzap

Sep 23, 2014, 5:11:25 PM
to zaproxy...@googlegroups.com
Note: This is actually a Passive script not a standalone.

kingthorin+owaspzap

Apr 28, 2015, 12:29:38 PM
to zaproxy...@googlegroups.com
An up-to-date version of this script can be found in the official community scripts repo:
https://github.com/zaproxy/community-scripts/blob/master/passive/Find%20HTML%20Comments.js


mar adrian belen

Apr 18, 2017, 7:55:18 AM
to OWASP ZAP Scripts
How can I highlight the found string? For example, I created a script that searches for emails in the HTTP response, and found emails should be highlighted.

kingthorin+owaspzap

Apr 18, 2017, 8:21:58 AM
to OWASP ZAP Scripts