Unrecognized source-expression 'wasm-unsafe-eval'

Porter Loring

Sep 27, 2023, 10:18:24 AM
to ZAP User Group
Hello,

We have a wasm app and just started seeing a CSP: Notices alert using ZAP 2.13:

Errors: Unrecognized source-expression 'wasm-unsafe-eval'

The CSP has this source expression under script-src

script-src 'self' 'wasm-unsafe-eval';

I am not sure why this is being flagged as "unrecognized source expression". I thought it might be the single quotes, but without those all modern browsers then block the content and the web app no longer works.

Any idea?
Thanks!

Simon Bennetts

Sep 27, 2023, 10:26:04 AM
to ZAP User Group
Probably because we are using https://github.com/shapesecurity/salvation to analyze the CSP, and it looks like that has not been updated for a while :/

If anyone knows a more up-to-date library we can use then please let us know...

Cheers,

Simon
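
An added example (not part of the original posts, and not ZAP's or Salvation's code): a small check that classifies each `script-src` source expression against the CSP Level 3 keyword list, showing that the quoted `'wasm-unsafe-eval'` is a defined keyword while the unquoted form is parsed as a host name and grants nothing. The function name, verdict labels and sample policies are made up for illustration.

```python
import re

# Quoted keywords from the CSP Level 3 source-list grammar
# ('none' is valid only as the sole entry of a directive).
KNOWN_QUOTED = {
    "'none'", "'self'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'",
    "'unsafe-hashes'", "'report-sample'", "'unsafe-allow-redirects'",
    "'wasm-unsafe-eval'",
}
NONCE_OR_HASH = re.compile(
    r"^'(nonce-|sha(256|384|512)-)[A-Za-z0-9+/_-]+={0,2}'$", re.IGNORECASE)


def classify_sources(policy, directive="script-src"):
    """Return {source: verdict} for one directive of a CSP header value."""
    verdicts = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens or tokens[0].lower() != directive:
            continue
        for src in tokens[1:]:
            low = src.lower()
            if low in KNOWN_QUOTED:
                verdicts[src] = "keyword"
            elif NONCE_OR_HASH.match(src):
                verdicts[src] = "nonce-or-hash"
            elif low.startswith("'"):
                # Quoted but not in the list: a typo or a newer keyword.
                verdicts[src] = "unknown-keyword"
            elif f"'{low}'" in KNOWN_QUOTED:
                # Without quotes the token is read as a host name.
                verdicts[src] = "unquoted-keyword"
            else:
                verdicts[src] = "host-or-scheme"
        break  # only the first occurrence of a directive is honoured
    return verdicts


if __name__ == "__main__":
    # Constructed sample policies, the first taken from the thread.
    for sample in ("script-src 'self' 'wasm-unsafe-eval';",
                   "script-src 'self' wasm-unsafe-eval;"):
        print(sample, "->", classify_sources(sample))
```

A `keyword` verdict for an expression that a scanner reports as unrecognized points at the scanner's parser rather than the policy.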

Porter Loring

Oct 17, 2023, 1:01:29 PM
to zaprox...@googlegroups.com
Is there a way to set an alertFilter to target just that specific CSP-Directive for the Unrecognized source-expression 'wasm-unsafe-eval'? If I set the alertFilter Id = 10055 that will mark the other 11 CSP alerts as false positives. It also appears that setting the alertFilter Id=10055-3 does not work because the filter is expecting an int for the Id field. The other alertFilter parameters don't target the "More Info" field so I don't see a way to detect this particular alert without affecting the other CSP checks.

kingthorin+zap

Oct 17, 2023, 1:11:29 PM
to ZAP User Group
There is an open issue and progress being made on extending alert filters to accept alert IDs (the values with hyphens). However there is no ETA for that work.

It would definitely be a good move to upvote (👍) the issue. https://github.com/zaproxy/zaproxy/issues/7438