diff --git a/CHANGELOG.md b/CHANGELOG.md
index b41177c5..680fee6d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,12 +14,16 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Update minimum ZAP version to 2.16.0 and compile with Java 17.
 - Add cautionary note to help and readme.
 - Maintenance and documentation changes.
+- Active and passive READMEs to include lastest JS script examples.
 
 ### Fixed
 - The following scripts were not being loaded as scan rules:
   - active/SSTI.js
   - passive/Mutliple Security Header Check.js
 
+### Removed
+- Links to videos which no longer exist.
+
 ## [19] - 2024-07-01
 ### Added
 - extender/arpSyndicateSubdomainDiscovery.js - uses the API of [ARPSyndicate's Subdomain Center](https://www.subdomain.center/)
diff --git a/README.md b/README.md
index 31a48b23..da9eac30 100644
--- a/README.md
+++ b/README.md
@@ -38,7 +38,4 @@ in the main directory of the project, the add-on will be placed in the directory
 ## Official Videos
 
-* [ZAP In Ten: Introduction to Scripting](https://play.sonatype.com/watch/7gR4qYzUZ686wEDMBfxGdf) (9:33)
 * [ZAP Deep Dive: Scripting ZAP](https://www.youtube.com/watch?v=ujL6rH6nVXI) (28:34)
-
-Note that there are videos for some of the specific script types linked from the relevant READMEs.
 
diff --git a/active/README.md b/active/README.md
index 0fb9a7f2..d0fd5825 100644
--- a/active/README.md
+++ b/active/README.md
@@ -9,18 +9,47 @@ These detect potential vulnerabilities by actively attacking the target, run as
 // Note that new active scripts will initially be disabled
 // Right click the script in the Scripts tree and select "enable"
 
+const ScanRuleMetadata = Java.type("org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata");
+
+function getMetadata() {
+  return ScanRuleMetadata.fromYaml(`
+id: 12345
+name: Active Vulnerability Title
+description: Full description
+solution: The solution
+references:
+  - https://www.example.org/reference1
+  - https://www.example.org/reference2
+category: INJECTION # info_gather, browser, server, misc, injection
+risk: INFO # info, low, medium, high
+confidence: LOW # false_positive, low, medium, high, user_confirmed
+cweId: 0
+wascId: 0
+alertTags:
+  name1: value1
+  name2: value2
+otherInfo: Any other Info
+status: alpha
+alertRefOverrides:
+  12345-1: {}
+  12345-2:
+    name: Active Vulnerability - Type XYZ
+    description: Overridden description
+`);
+}
+
 /**
  * Scans a "node", i.e. an individual entry in the Sites Tree.
  * The scanNode function will typically be called once for every page.
  *
  * @param as - the ActiveScan parent object that will do all the core interface tasks
  * (i.e.: sending and receiving messages, providing access to Strength and Threshold settings,
- * raising alerts, etc.). This is an ScriptsActiveScanner object.
+ * raising alerts, etc.). This is an ActiveScriptHelper object.
  * @param msg - the HTTP Message being scanned. This is an HttpMessage object.
  */
 function scanNode(as, msg) {
-  // Debugging can be done using println like this
-  print('scan called for url=' + msg.getRequestHeader().getURI().toString());
+  // Debugging can be done using print like this
+  print('scanNode called for url=' + msg.getRequestHeader().getURI().toString());
 
   // Copy requests before reusing them
   msg = msg.cloneRequest();
@@ -49,19 +78,33 @@ function scanNode(as, msg) {
   }
 }
 
+/**
+ * Scans a host.
+ * The scanHost function will be called once per host being scanned.
+ * @param as - the ActiveScan parent object that will do all the core interface tasks
+ * (i.e.: sending and receiving messages, providing access to Strength and Threshold settings,
+ * raising alerts, etc.). This is an ActiveScriptHelper object.
+ * @param msg - the HTTP Message being scanned. This is an HttpMessage object.
+ */
+function scanHost(as, msg) {
+  // Debugging can be done using print like this
+  const uri = msg.getRequestHeader().getURI();
+  print(`scanHost called for host=${uri.getHost()}` + (uri.getPort() !== -1 ? `:${uri.getPort()}` : ""));
+}
+
 /**
  * Scans a specific parameter in an HTTP message.
  * The scan function will typically be called for every parameter in every URL and Form for every page.
  *
  * @param as - the ActiveScan parent object that will do all the core interface tasks
  * (i.e.: sending and receiving messages, providing access to Strength and Threshold settings,
- * raising alerts, etc.). This is an ScriptsActiveScanner object.
+ * raising alerts, etc.). This is an ActiveScriptHelper object.
  * @param msg - the HTTP Message being scanned. This is an HttpMessage object.
  * @param {string} param - the name of the parameter being manipulated for this test/scan.
  * @param {string} value - the original parameter value.
  */
 function scan(as, msg, param, value) {
-  // Debugging can be done using println like this
+  // Debugging can be done using print like this
   print('scan called for url=' + msg.getRequestHeader().getURI().toString() +
     ' param=' + param + ' value=' + value);
@@ -76,21 +119,11 @@ function scan(as, msg, param, value) {
 
   // Test the response here, and make other requests as required
   if (true) {  // Change to a test which detects the vulnerability
-    // risk: 0: info, 1: low, 2: medium, 3: high
-    // confidence: 0: falsePositive, 1: low, 2: medium, 3: high, 4: confirmed
-    as.newAlert()
-      .setRisk(1)
-      .setConfidence(1)
-      .setName('Active Vulnerability title')
-      .setDescription('Full description')
+    // Call newAlert() if you're not using alertRefOverrides
+    as.newAlert("12345-1")
       .setParam(param)
       .setAttack('Your attack')
       .setEvidence('Evidence')
-      .setOtherInfo('Any other info')
-      .setSolution('The solution')
-      .setReference('References')
-      .setCweId(0)
-      .setWascId(0)
       .setMessage(msg)
       .raise();
   }
@@ -111,8 +144,3 @@ function scan(as, msg, param, value) {
  * Jruby : [Active default template.rb](https://github.com/zaproxy/zap-extensions/blob/main/addOns/jruby/src/main/zapHomeFiles/scripts/templates/active/Active%20default%20template.rb)
  * Jython : [Active default template.py](https://github.com/zaproxy/zap-extensions/blob/main/addOns/jython/src/main/zapHomeFiles/scripts/templates/active/Active%20default%20template.py)
  * Zest : [Active default template.zst](https://github.com/zaproxy/zap-extensions/blob/main/addOns/zest/src/main/zapHomeFiles/scripts/templates/active/Active%20default%20template.zst)
-
-
-## Official Videos
-
-[ZAP In Ten: Active Scan Scripts](https://play.sonatype.com/watch/aEwqErXFMTYdDDQbTgnJeA) (11:38)
diff --git a/httpsender/README.md b/httpsender/README.md
index a342b7cd..bd3e11c2 100644
--- a/httpsender/README.md
+++ b/httpsender/README.md
@@ -52,6 +52,3 @@ function responseReceived(msg, initiator, helper) {
 * Jython : [HttpSender default template.py](https://github.com/zaproxy/zap-extensions/blob/main/addOns/jython/src/main/zapHomeFiles/scripts/templates/httpsender/HttpSender%20default%20template.py)
 * Zest : [HttpSender default template.zst](https://github.com/zaproxy/zap-extensions/blob/main/addOns/zest/src/main/zapHomeFiles/scripts/templates/httpsender/HttpSender%20default%20template.zst)
 
-## Official Videos
-
-[ZAP In Ten: Proxy and HttpSender Scripts](https://play.sonatype.com/watch/4no8EY1iB8RdnQLPFpYi2a) (10:14)
diff --git a/passive/README.md b/passive/README.md
index 24a4ec92..f1ae7fc2 100644
--- a/passive/README.md
+++ b/passive/README.md
@@ -11,7 +11,35 @@ These detect potential vulnerabilities by passively analysing traffic to and fro
 // Note that new passive scripts will initially be disabled
 // Right click the script in the Scripts tree and select "enable"
 
-var PluginPassiveScanner = Java.type("org.zaproxy.zap.extension.pscan.PluginPassiveScanner");
+const PluginPassiveScanner = Java.type("org.zaproxy.zap.extension.pscan.PluginPassiveScanner");
+const ScanRuleMetadata = Java.type("org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata");
+
+function getMetadata() {
+  return ScanRuleMetadata.fromYaml(`
+id: 12345
+name: Passive Vulnerability Title
+description: Full description
+solution: The solution
+references:
+  - https://www.example.org/reference1
+  - https://www.example.org/reference2
+risk: INFO # info, low, medium, high
+confidence: LOW # false_positive, low, medium, high, user_confirmed
+cweId: 0
+wascId: 0
+alertTags:
+  name1: value1
+  name2: value2
+otherInfo: Any other info
+status: alpha
+alertRefOverrides:
+  12345-1: {}
+  12345-2:
+    name: Passive Vulnerability - Type XYZ
+    description: Overridden description
+`);
+}
+
 
 /**
  * Passively scans an HTTP message. The scan function will be called for
@@ -20,7 +48,7 @@ var PluginPassiveScanner = Java.type("org.zaproxy.zap.extension.pscan.PluginPass
  *
  * @param ps - the PassiveScan parent object that will do all the core interface tasks
  * (i.e.: providing access to Threshold settings, raising alerts, etc.).
- * This is an ScriptsPassiveScanner object.
+ * This is a PassiveScriptHelper object.
  * @param msg - the HTTP Message being scanned. This is an HttpMessage object.
  * @param src - the Jericho Source representation of the message being scanned.
  */
@@ -29,22 +57,14 @@ function scan(ps, msg, src) {
   if (true) {  // Change to a test which detects the vulnerability
     // risk: 0: info, 1: low, 2: medium, 3: high
     // confidence: 0: falsePositive, 1: low, 2: medium, 3: high, 4: confirmed
-    ps.newAlert()
-      .setRisk(1)
-      .setConfidence(1)
-      .setName('Passive Vulnerability title')
-      .setDescription('Full description')
+    // Call newAlert() if you're not using alertRefOverrides
+    ps.newAlert("12345-1")
       .setParam('The param')
       .setEvidence('Evidence')
-      .setOtherInfo('Any other info')
-      .setSolution('The solution')
-      .setReference('References')
-      .setCweId(0)
-      .setWascId(0)
       .raise();
 
-    //addTag(String tag)
-    ps.addTag('tag')
+    //addHistoryTag(String tag)
+    ps.addHistoryTag('tag')
   }
 
   // Raise less reliable alert (that is, prone to false positives) when in LOW alert threshold
@@ -84,6 +104,4 @@ function appliesToHistoryType(historyType) {
  * Jython : [Passive default template.py](https://github.com/zaproxy/zap-extensions/blob/main/addOns/jython/src/main/zapHomeFiles/scripts/templates/passive/Passive%20default%20template.py)
  * Zest : [Passive default template.zst](https://github.com/zaproxy/zap-extensions/blob/main/addOns/zest/src/main/zapHomeFiles/scripts/templates/passive/Passive%20default%20template.zst)
 
-## Official Videos
-[ZAP In Ten: Passive Scan Scripts](https://play.sonatype.com/watch/HfENJ3GJB3zbD6sMscDrjD) (11:55)
 
diff --git a/proxy/README.md b/proxy/README.md
index 2f0b293d..77b2b566 100644
--- a/proxy/README.md
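Review bot: The two context lines `// risk: 0: info, 1: low, 2: medium, 3: high` and `// confidence: 0: falsePositive, 1: low, 2: medium, 3: high, 4: confirmed` left directly above the new `ps.newAlert("12345-1")` call in the `@@ -29,22 +57,14 @@` hunk are now stale: the `.setRisk(1)` and `.setConfidence(1)` calls they described are removed, and risk and confidence come from the `getMetadata()` YAML (`risk: INFO`, `confidence: LOW`) or the `alertRefOverrides` entry instead. The active/README.md hunk at `@@ -76,21 +119,11 @@` drops the same two comment lines, so the passive example should match it; otherwise a reader copying this template is pointed at numeric codes that no longer apply anywhere in the snippet. I would remove both lines, or replace them with the single line `// risk and confidence are set by getMetadata() (or the matching alertRefOverrides entry)`. The enclosing scan(ps, msg, src) function starts outside the hunk.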
+++ b/proxy/README.md
@@ -55,8 +55,3 @@ function proxyResponse(msg) {
 * Jython : [Proxy default template.py](https://github.com/zaproxy/zap-extensions/blob/main/addOns/jython/src/main/zapHomeFiles/scripts/templates/proxy/Proxy%20default%20template.py)
 * Zest : [Proxy default template.zst](https://github.com/zaproxy/zap-extensions/blob/main/addOns/zest/src/main/zapHomeFiles/scripts/templates/proxy/Proxy%20default%20template.zst)
 
-
-## Official Videos
-
-[ZAP In Ten: Proxy and HttpSender Scripts](https://play.sonatype.com/watch/4no8EY1iB8RdnQLPFpYi2a) (10:14)
-
diff --git a/targeted/README.md b/targeted/README.md
index 7616ef8e..94fe6c45 100644
--- a/targeted/README.md
+++ b/targeted/README.md
@@ -30,7 +30,3 @@ function invokeWith(msg) {
 * Jruby : [Targeted default template.rb](https://github.com/zaproxy/zap-extensions/blob/main/addOns/jruby/src/main/zapHomeFiles/scripts/templates/targeted/Targeted%20default%20template.rb)
 * Jython : [Targeted default template.py](https://github.com/zaproxy/zap-extensions/blob/main/addOns/jython/src/main/zapHomeFiles/scripts/templates/targeted/Targeted%20default%20template.py)
 * Zest : [Targeted default template.zst](https://github.com/zaproxy/zap-extensions/blob/main/addOns/zest/src/main/zapHomeFiles/scripts/templates/targeted/Targeted%20default%20template.zst)
-
-## Official Videos
-
-[ZAP In Ten: Targeted Scripts](https://play.sonatype.com/watch/JzX1YkJqdk7BYTMHikh433) (10:01)