Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
Describe the bug
I have been testing some test endpoints, where an xml file is returned. These tests get alert "A WSDL File has been detected.". I have been looking through the source code and found that Content-Type ".wsdl", "text/xml" or "application/wsdl+xml will trigger an alert (\zap\extension\soap\WSDLFilePassiveScanRule.java line 60-62). Some of the WSDL files will probably use text/xm
What's the issue?
Overwritten test scenario, can be summarized and link to payload lists from other repos
How do we solve it?
Chop down the content to the required and needed information, link to payload lists instead of enumerating all possible usernames and passwords, provide further guidance on how to test.
If no one is up to handle it, I can take care of it
The component_name and component_version fields were added recently. Some scanners already populate these fields, but lots of them don't. For some scanners these fields cannot be set, i.e. for scanners that try xss on web pages etc. But probably there are some scanners that can/should be updated.
BeanUtils is a library that is doing automatic mapping to Java object.
It can cause arm when the attack controls part of the list of properties being sets. BeanUtils does not blacklist properties like class, classloader or other objects that are likely to load arbitrary classes and possibly run code.
The current swagger definition is autogenerated. The automatically generated definitions rely on reflection and annotations to create the documentation. The reflection capabilities are poor at best and lead to missing API parameters. Annotations can help in some cases, but the only fix for Swagger is to create individual POJOs for every possible request. This will lead to unnecessary large number