Merge remote-tracking branch 'upstream/main' into feature/java_disclo…

…sure

# Conflicts:
#	CHANGELOG.md

.github/workflows/ci.yml

@@ -14,8 +14,8 @@ jobs:
         java: [11]
 
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-java@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
         with:
           distribution: 'temurin'
           java-version: ${{ matrix.java }}

.github/workflows/codeql.yml

@@ -23,11 +23,11 @@ jobs:
         language: [ 'java', 'javascript', 'python', 'ruby' ]
 
     steps:
-      - uses: actions/checkout@v3
-      - uses: github/codeql-action/init@v2
+      - uses: actions/checkout@v4
+      - uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
-      - uses: github/codeql-action/autobuild@v2
-      - uses: github/codeql-action/analyze@v2
+      - uses: github/codeql-action/autobuild@v3
+      - uses: github/codeql-action/analyze@v3
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/crowdin-upload-files.yml

@@ -8,9 +8,9 @@ jobs:
     name: Upload Files
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Setup Java
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@v4
       with:
         distribution: 'temurin'
         java-version: 11

.github/workflows/prepare-release-add-on.yml

@@ -8,12 +8,12 @@ jobs:
     name: Prepare Release
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
         persist-credentials: false
     - name: Setup Java
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@v4
       with:
         distribution: 'temurin'
         java-version: 11

.github/workflows/release-add-on.yml

@@ -12,12 +12,12 @@ jobs:
     name: Build and Release Add-On
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
         persist-credentials: false
     - name: Setup Java
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@v4
       with:
         distribution: 'temurin'
         java-version: 11

CHANGELOG.md

@@ -4,13 +4,19 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## [Unreleased]
+### Added
+- passive/JavaDisclosure.js - Passive scan for Java error messages leaks
+
+## [18] - 2024-01-29
+### Added
+- httpsender/RsaSigningForZap.py - A script that signs requests using RSA
+
 ### Changed
-- Update minimum ZAP version to 2.13.0.
+- Update minimum ZAP version to 2.14.0.
 - Remove checks for CFU initiator in HTTP Sender scripts and docs, no longer needed.
 - Rename AWS signing script.
 - Update descriptions/comments in scripts.
-### Added
-- passive/JavaDisclosure.js - Passive scan for Java error messages
+- standalone/Open Fortune 500 websites in a browser.zst - Fix typo in `http://www,pbfenergy.com`
 
 ## [17] - 2023-06-28
 ### Added
@@ -206,7 +212,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 - First packaged version
 
-[Unreleased]: https://github.com/zaproxy/community-scripts/compare/v17...HEAD
+[Unreleased]: https://github.com/zaproxy/community-scripts/compare/v18...HEAD
+[18]: https://github.com/zaproxy/community-scripts/compare/v17...v18
 [17]: https://github.com/zaproxy/community-scripts/compare/v16...v17
 [16]: https://github.com/zaproxy/community-scripts/compare/v15...v16
 [15]: https://github.com/zaproxy/community-scripts/compare/v14...v15

build.gradle.kts

@@ -7,13 +7,10 @@ import org.zaproxy.gradle.addon.misc.ConvertMarkdownToHtml
 
 plugins {
     `java-library`
-    id("org.zaproxy.add-on") version "0.9.0"
+    id("org.zaproxy.add-on") version "0.10.0"
     id("org.zaproxy.crowdin") version "0.3.1"
-    id("com.diffplug.spotless") version "6.20.0"
-}
-
-repositories {
-    mavenCentral()
+    id("com.diffplug.spotless")
+    id("org.zaproxy.common")
 }
 
 description = "Useful ZAP scripts written by the ZAP community."
@@ -23,7 +20,7 @@ val scriptsDir = layout.buildDirectory.dir("scripts")
 zapAddOn {
     addOnId.set("communityScripts")
     addOnName.set("Community Scripts")
-    zapVersion.set("2.13.0")
+    zapVersion.set("2.14.0")
     addOnStatus.set(AddOnStatus.ALPHA)
 
     releaseLink.set("https://github.com/zaproxy/community-scripts/compare/v@PREVIOUS_VERSION@...v@CURRENT_VERSION@")
@@ -64,11 +61,6 @@ dependencies {
     testImplementation("org.python:jython-standalone:2.7.2")
 }
 
-tasks.withType<JavaCompile>().configureEach {
-    options.encoding = "UTF-8"
-    options.compilerArgs = listOf("-Xlint:all", "-Xlint:-options", "-Werror")
-}
-
 tasks.withType<Test>().configureEach {
     useJUnitPlatform()
 }
@@ -117,12 +109,6 @@ java {
 sourceSets["main"].output.dir(mapOf("builtBy" to syncScriptsDirTask), scriptsDir)
 
 spotless {
-    java {
-        licenseHeaderFile("$rootDir/gradle/spotless/license.java")
-
-        googleJavaFormat("1.17.0").aosp()
-    }
-
     kotlinGradle {
         ktlint()
     }

gradle.properties

@@ -1,2 +1,2 @@
-version=18
+version=19
 release=false

gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=7c3ad722e9b0ce8205b91560fd6ce8296ac3eadf065672242fd73c06b8eeb6ee
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.2.1-all.zip
+distributionSha256Sum=c16d517b50dd28b3f5838f0e844b7520b8f1eb610f2f29de7e4e04a1b7c9c79b
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.5-all.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

gradlew

@@ -83,7 +83,8 @@ done
 # This is normally unused
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
-APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
+# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
+APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
@@ -144,15 +145,15 @@ if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
     case $MAX_FD in #(
       max*)
         # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked.
-        # shellcheck disable=SC3045
+        # shellcheck disable=SC2039,SC3045
         MAX_FD=$( ulimit -H -n ) ||
             warn "Could not query maximum file descriptor limit"
     esac
     case $MAX_FD in  #(
       '' | soft) :;; #(
       *)
         # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked.
-        # shellcheck disable=SC3045
+        # shellcheck disable=SC2039,SC3045
         ulimit -n "$MAX_FD" ||
             warn "Could not set maximum file descriptor limit to $MAX_FD"
     esac
@@ -201,11 +202,11 @@ fi
 # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
 DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
 
-# Collect all arguments for the java command;
-#   * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of
-#     shell script including quotes and variable substitutions, so put them in
-#     double quotes to make sure that they get re-expanded; and
-#   * put everything else in single quotes, so that it's not re-expanded.
+# Collect all arguments for the java command:
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
+#     and any embedded shellness will be escaped.
+#   * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be
+#     treated as '${Hostname}' itself on the command line.
 
 set -- \
         "-Dorg.gradle.appname=$APP_BASE_NAME" \

httpsender/RsaSigningForZap.py

@@ -0,0 +1,59 @@
+# RSA Signing Script for Zed Attack Proxy - ZAP
+# HelpAddOn Script - HTTPSender
+# Michal Walkowski - https://mwalkowski.github.io/
+# https://github.com/mwalkowski
+#
+# Tested with Jython 14 beta and ZAP 2.14.0
+# For RSA Signing Process: https://httpwg.org/http-extensions/draft-ietf-httpbis-message-signatures.html#name-rsassa-pkcs1-v1_5-using-sha
+# Based On: https://mwalkowski.github.io/post/using-burp-python-scripts-to-sign-requests-with-rsa-keys/
+
+import urlparse
+import uuid
+import datetime
+import base64
+import subprocess
+
+# path to private.key
+PRIVATE_KEY = "private.key"
+SIGNATURE_HEADER = 'X-Signature'
+NONCE_HEADER = 'X-Nonce-Value'
+NONCE_CREATED_AT_HEADER = 'X-Nonce-Created-At'
+
+
+def sign(signature_input):
+    print('signature_input', signature_input)
+    signature_input_b64 = base64.standard_b64encode(signature_input.encode()).decode()
+    print('signature_input_b64', signature_input_b64)
+
+    cmd = """printf %s "{}" | openssl dgst -sha256 -sign {}| openssl base64""".format(signature_input_b64, PRIVATE_KEY)
+    print(cmd)
+    process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
+
+    output, err = process.communicate()
+    if err.decode() != "":
+        raise Exception(err)
+
+    return output.decode().replace("\n", "")
+
+def sendingRequest(msg, initiator, helper):
+    method = msg.getRequestHeader().getMethod() 
+    path = urlparse.urlparse(msg.getRequestHeader().getURI().toString()).path
+    body = msg.getRequestBody().toString()
+    print(msg.getRequestBody().toString())
+
+    nonce_value = str(uuid.uuid4())
+    nonce_created_at = '{}+00:00'.format(datetime.datetime.utcnow().isoformat())
+    signature = sign("{}{}{}{}{}".format(method, path, nonce_value, nonce_created_at, body))
+
+    print('Adding new {}: {}'.format(SIGNATURE_HEADER, signature))
+    msg.getRequestHeader().setHeader(SIGNATURE_HEADER, signature)
+
+    print('Adding new {}: {}'.format(NONCE_HEADER, nonce_value))
+    msg.getRequestHeader().setHeader(NONCE_HEADER, nonce_value)
+
+    print('Adding new {}: {}'.format(NONCE_CREATED_AT_HEADER, nonce_created_at))
+    msg.getRequestHeader().setHeader(NONCE_CREATED_AT_HEADER, nonce_created_at)
+
+
+def responseReceived(msg, initiator, helper):
+    pass

other/CHANGELOG.md

@@ -0,0 +1,13 @@
+# Changelog
+All notable changes to the 'other' section of this repository will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+
+### 2024-02-06
+- Added af-plans/FullScanBrokenCrystals.yaml
+- Added af-plans/ScriptEnvVarAccess.yaml
+
+### 2024-01-16
+- Introduced this changelog
+- Added af-plans/FullScanExample.yaml
+- Updated af-plans/BaselineExample.yaml to use envvar and only run AJAX Spider if modern.

other/af-plans/BaselineExample.yaml

@@ -1,26 +1,15 @@
 ---
-# A simple plan that performs a baseline scan against example.com
-# It uses both of the spiders and just passive scanning.
+# A simple plan that performs a baseline scan against a URL in the ZAP_TARGET env var.
+# It uses the standard spider but only runs the AJAX spider if the app appears to be modern.
 # The 2 spider tests will fail as they do not find at least 100 URLs, 
 # but they do not fail the whole plan as they just report at INFO level.
 env:
   contexts:
   - name: "Example"
     urls:
-    - "https://www.example.com/"
+    - "${ZAP_TARGET}"
     includePaths: []
     excludePaths: []
-    authentication:
-      parameters: {}
-      verification:
-        method: "response"
-        pollFrequency: 60
-        pollUnits: "requests"
-    sessionManagement:
-      method: "cookie"
-      parameters: {}
-    technology:
-      exclude: []
   parameters:
     failOnError: true
     failOnWarning: false
@@ -44,10 +33,12 @@ jobs:
     value: 100
     type: "stats"
     name: "At least 100 URLs found"
+- parameters: {}
+  name: "passiveScan-wait-pre-ajax"
+  type: "passiveScan-wait"
 - parameters:
-    maxDuration: 60
-    maxCrawlDepth: 10
-    numberOfBrowsers: 1
+    maxDuration: 3
+    runOnlyIfModern: true
   name: "spiderAjax"
   type: "spiderAjax"
   tests:
@@ -59,12 +50,11 @@ jobs:
     type: "stats"
     name: "At least 100 URLs found"
 - parameters: {}
-  name: "passiveScan-wait"
+  name: "passiveScan-wait-pre-report"
   type: "passiveScan-wait"
 - parameters:
-    template: "risk-confidence-html"
+    template: "modern"
     reportTitle: "ZAP Scanning Report"
     reportDescription: ""
   name: "report"
   type: "report"
-