Reflected XSS detection fail in ZAP 2.3.1


Lea Viljanen

Sep 30, 2014, 7:09:18 AM9/30/14
to zaprox...@googlegroups.com
An application has a classic reflected XSS. This issue was automatically found by BURP and manually verified. But ZAP can't find it.

GET http://xxxxx/sync.php?action=control&ACTION=Do&ACTIONTARGET=123456&OCP=1

Now, if the ACTIONTARGET param contains Javascript, for example
      ACTIONTARGET=%3Cscript%3Ealert%281%29%3C%2fscript%3E
it will be reflected to the user as is in the response

HTTP/1.1 200 OK
Date: Tue, 30 Sep 2014 10:32:17 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Length: 58
Connection: close
Content-Type: text/html; charset=UTF-8 
 
Tue 13:32:17.7058: invalid code <script>alert(1)</script>

Originally the application had this in a POST request, but the app also accepts GETs, so this is a valid issue. ZAP can't find this either way. This should be the simplest XSS there is?

This is pretty much a new installation of ZAP 2.3.1 and I have updated all the XSS rulesets.
Also tried manually attacking this single URL, but still no go? If I look at the attack URLs generated by the Active Scan, I can't see any XSS strings placed in the ACTIONTARGET parameter. Path traversal and SQLi, yes, but no XSS strings? However, the ACTION parameter does get some XSS love...

If I do an "Active scan advanced" on this single URL, select only XSS attacks, ZAP conducts only ten (10) requests to the whole four-parameter URL and then freezes at 50%. At this point the command window says ZAP has completed host/plugin xxxxxx | TestCrossSiteScriptV2 but apparently something else is still going on.

Is XSS detection broken or is this a user error? Where have I gone wrong?
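The behaviour described in this post (a value echoed back into the body with its angle brackets intact) is exactly what a reflected-XSS scanner checks for, parameter by parameter. The following is an added illustration, not ZAP's code and not the sync.php application: it parses the four-parameter URL from the post, drops a harmless probe tag into each parameter in turn, and classifies whether the simulated response reflects it unencoded, encoded, or not at all. The names `vulnerable_app`, `fixed_app`, `classify_reflection` and `scan_params`, the probe string, and the sample bodies are all constructed for this example.

```python
import html
from urllib.parse import parse_qsl, urlsplit

# Harmless, unique probe tag; no real page would contain it. (Constructed for
# this example; a real scanner uses its own randomised marker.)
PROBE = "<xss-probe-4d2f>"

# The URL from the post. The host is already redacted there.
URL = "http://xxxxx/sync.php?action=control&ACTION=Do&ACTIONTARGET=123456&OCP=1"

# Constructed sample bodies, shaped like the "invalid code ..." line in the post.
RAW_REFLECTION = "Tue 13:32:17.7058: invalid code " + PROBE
ESCAPED_REFLECTION = "Tue 13:32:17.7058: invalid code " + html.escape(PROBE)
NO_REFLECTION = "Tue 13:32:17.7058: invalid code"


def classify_reflection(body: str, probe: str = PROBE) -> str:
    """Return 'unencoded', 'encoded' or 'absent'.

    'unencoded' means the probe came back byte-for-byte, angle brackets intact,
    so the browser would render attacker-controlled markup. That is the
    condition a reflected-XSS rule flags. 'encoded' means the output layer
    HTML-escaped it, which is the expected fix.
    """
    if probe in body:
        return "unencoded"
    if html.escape(probe) in body:
        return "encoded"
    return "absent"


def vulnerable_app(params: dict) -> str:
    # Hypothetical stand-in for sync.php as described in the post: ACTIONTARGET
    # is echoed into the response without any output encoding.
    return "Tue 13:32:17.7058: invalid code " + params.get("ACTIONTARGET", "")


def fixed_app(params: dict) -> str:
    # Same stand-in with output encoding applied (the Python equivalent of
    # PHP's htmlspecialchars with ENT_QUOTES).
    value = html.escape(params.get("ACTIONTARGET", ""), quote=True)
    return "Tue 13:32:17.7058: invalid code " + value


def scan_params(url: str, target) -> dict:
    """Probe every query parameter of `url` once and classify each response.

    `target` is a callable standing in for the server: dict(params) -> body.
    Parameter names are case-sensitive, so 'action' and 'ACTION' are tested
    separately, matching the four-parameter URL in the post.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    results = {}
    for i, (name, _original) in enumerate(params):
        mutated = list(params)
        mutated[i] = (name, PROBE)          # inject the probe in this slot only
        body = target(dict(mutated))
        results[name] = classify_reflection(body)
    return results


if __name__ == "__main__":
    # Expected: only ACTIONTARGET reflects the probe, and only in the
    # unencoded app.
    print("vulnerable:", scan_params(URL, vulnerable_app))
    print("fixed:     ", scan_params(URL, fixed_app))
```

Running it shows ACTIONTARGET as the one reflecting parameter against the unencoded stand-in and as "encoded" once output escaping is applied; the other three parameters come back "absent" in both cases, which is the per-parameter coverage the post expected to see in ZAP's attack URLs.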


Simon Bennetts

Oct 1, 2014, 6:19:07 PM10/1/14
to zaprox...@googlegroups.com
Hi Lea,

That's very strange.
Are there any errors recorded in the zap.log file?
This will usually be in the default ZAP directory: https://code.google.com/p/zaproxy/wiki/FAQconfig
ZAP should definitely detect that sort of vulnerability.
It doesn't sound like you've done anything wrong.
Can you also try using the Advanced Active Scan dialog and highlight the ACTIONTARGET value (e.g. 123456 in your example) as a custom vector, disable the non-custom vectors and just use the Reflected XSS rule.

Many thanks,

Simon