
ascanrules: SQLi: add checking for redirection after form input #3284

Open · wants to merge 1 commit into base: main

Conversation

koneko096

@koneko096 koneko096 commented Oct 29, 2021

In case of redirection after form input, the body may be empty and content comparison won't work. By adding a new check for the Location header, we may catch a potential vulnerability after a boolean or arithmetic expression.

Fixes: #6883
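The comparison step this PR description is about, as an added model written for this page (it is not ZAP's ascanrules code and not the author's change): when both bodies are non-empty the rule compares bodies, and when a redirect leaves the body empty it falls back to comparing the Location header. The `Resp` class, the header lookup, the fallback order and the sample login responses are all constructed assumptions for illustration.

```python
# Added model of the boolean-based comparison step described in the PR.
# Constructed example, not ZAP's ascanrules code: the response objects, the
# header handling and the fallback order are assumptions made for illustration.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Resp:
    """Minimal HTTP response: status, headers and body (constructed)."""
    status: int
    headers: Dict[str, str]
    body: str

    def header(self, name: str) -> Optional[str]:
        # Header names are case-insensitive, so match them that way.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def same_response(a: Resp, b: Resp) -> bool:
    """Decide whether two responses count as 'the same' for the scan rule.

    1. If both bodies are non-empty, compare the bodies (the pre-existing check).
    2. Otherwise, if either response carries a Location header, compare those;
       a header present on one side only counts as a difference.
    3. With nothing else to go on, fall back to the status code.
    """
    if a.body and b.body:
        return a.body == b.body
    loc_a, loc_b = a.header("Location"), b.header("Location")
    if loc_a is not None or loc_b is not None:
        return loc_a == loc_b
    return a.status == b.status


def looks_injectable(original: Resp, true_cond: Resp, false_cond: Resp) -> bool:
    """Boolean-based signal: the always-true variant should behave like the
    original request, while the always-false variant should differ from it."""
    return same_response(original, true_cond) and not same_response(original, false_cond)


# Constructed sample responses for a login form that answers with an
# empty-bodied redirect, the situation the PR addresses.
HOME = Resp(302, {"Location": "/home"}, "")
LOGIN_ERROR = Resp(302, {"Location": "/login?error=1"}, "")
# ...and for a form that renders a page instead (body comparison still works).
PAGE_OK = Resp(200, {"Content-Type": "text/html"}, "<p>Welcome</p>")
PAGE_ERR = Resp(200, {"Content-Type": "text/html"}, "<p>Invalid login</p>")

if __name__ == "__main__":
    print("redirect target, flagged:", looks_injectable(HOME, HOME, LOGIN_ERROR))
    print("redirect target, clean:  ", looks_injectable(LOGIN_ERROR, LOGIN_ERROR, LOGIN_ERROR))
    print("HTML target, flagged:    ", looks_injectable(PAGE_OK, PAGE_OK, PAGE_ERR))
```

The Location fallback treats a header that is absent on one side as a difference rather than as a match, which is the null case a Java implementation built on `getHeader(HttpHeader.LOCATION)` also has to handle.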

@thc202
Member

thc202 commented Oct 29, 2021

Ideally the changes should be accompanied by test(s) that verify them.

IMO it would be better to apply the header check to all injections, not just OR; this also applies to any redirection (likely in any form), not just logins.

@kingthorin
Member

@koneko096 are you going to address the earlier feedback?

@koneko096
Author

Sure @kingthorin, will continue again this week

@kingthorin
Member

@koneko096 do you plan to finish this?

@koneko096 koneko096 changed the title from "ascanrules: SQLi: add checking for redirection after login" to "ascanrules: SQLi: add checking for redirection after form input" Apr 16, 2022
@koneko096 koneko096 force-pushed the sqli-by-redirection branch 2 times, most recently from cc93987 to 81877de April 16, 2022 22:55
@koneko096
Author

Hi @kingthorin, I have updated following the earlier feedback. Please help to review. Thank you

@kingthorin kingthorin added the waiting-for:pr-author label (This PR is currently waiting for input or changes from the original submitter) May 5, 2022
@koneko096 koneko096 force-pushed the sqli-by-redirection branch 2 times, most recently from aedf34a to d2a26e3 May 7, 2022 16:10
Member

@kingthorin kingthorin left a comment


Haven’t tested against anything else but seems okay to me.

@koneko096 koneko096 requested a review from thc202 January 3, 2023 04:58
@kingthorin kingthorin removed the waiting-for:pr-author label (This PR is currently waiting for input or changes from the original submitter) Mar 22, 2023
@koneko096 koneko096 force-pushed the sqli-by-redirection branch 2 times, most recently from 2b96865 to 5fc820f January 15, 2024 17:21
In case of redirection after authentication, the body may be empty and content comparison won't work. By adding a new check for the Location header, we may catch a potential vulnerability, especially in case of an OR true injection.

Signed-off-by: koneko096 <laser.survivor@gmail.com>
@koneko096
Author

Hey guys @kingthorin @thc202, any follow-up on this MR?

Member

@kingthorin kingthorin left a comment


Seems okay overall to me. It should be rebased to pick up the latest base branch changes.

Comment on lines +1959 to +1960
String confirmExpressionLocationHeader =
msg.getResponseHeader().getHeader(HttpHeader.LOCATION);
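Review bot: `getHeader(HttpHeader.LOCATION)` on line +1960 returns null when the response carries no Location header, so wherever `confirmExpressionLocationHeader` is compared against another response's header, the comparison must be null-safe (`Objects.equals(a, b)` rather than `a.equals(b)`), otherwise a non-redirect response on one side of the comparison will throw instead of counting as a difference.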
Member


Could extract a convenience method for this accepting HttpMessage and returning String.

Then leverage it throughout.

Comment on lines +248 to +254
protected Response getResponse(String value) {
Response response =
newFixedLengthResponse(
Response.Status.REDIRECT, NanoHTTPD.MIME_HTML, "");
response.addHeader("Location", "http://somewhere");
return response;
}
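Review bot: `getResponse(String value)` on lines +248 to +254 never reads its `value` parameter, so every request to this handler, baseline and injected alike, receives the same empty-bodied redirect to `http://somewhere`; that only exercises the path where the Location headers match. To cover the case the PR is meant to detect, where the Location differs between the compared responses, the stub needs a value-dependent branch that redirects elsewhere for one class of input.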
Member


Could extract to a convenience method to avoid duplication.

3 participants