VariantURLQuery throwing exceptions on active scan #1848
Comments
Does the scan carry on anyway?
Yes, the scan carries on. But does it skip some scans?
Yes, some query parameters are not tested because of the exception(s).
Would you mind if the issue is reopened? The issue was not yet fixed and closing it might give that impression.
Parse form/query parameters in encoded form, so they are correctly split into name/value pairs even if the names and/or values have separator characters (normally, '&' and '='); also allow keeping all parameters, so requests that require multiple values with the same name (e.g. arrays) are still sent with all of them (instead of just one).

When rebuilding the query component of the URL, during active scan, make sure to also encode parameters' names, not just their values, otherwise the query could be malformed if the names contain characters that should be encoded (common when dealing with multiple values, which might use the characters '[' and ']'), leading to exceptions and failing to properly attack those parameters. (The same logic applies for form parameters.)

More detailed changes:
- Variant, document the method getParamList();
- VariantAbstractQuery:
  - Add method, getEscapedName(HttpMessage, String), to encode/escape parameter's name;
  - Add method, setParameters(int, List<NameValuePair>), to allow extending classes to set (and finally send) all parameters even if they have the same name;
  - Deprecate the method setParams(int, Map<String, String>) in favour of the new method.
- VariantFormQuery and VariantURLQuery, change to obtain all the parameters using a new method in Session class and to set all of them using the new method of the class VariantAbstractQuery;
- Session:
  - Add method, getParameters(HttpMessage, HtmlParameter.Type), that allows obtaining (all) URL or form parameters from a message;
  - Change method getUrlParams(URI) to parse the query in escaped form (and use the new method added to ParameterParser, which decodes the parameters' names and values when parsing, as expected by callers);
- Add interface NameValuePair and default implementation, class DefaultNameValuePair;
- ParameterParser, add methods getParameters(...) and parseParameters(String) which return List<NameValuePair>;
- StandardParameterParser:
  - Add implementations of the methods added to the interface ParameterParser;
  - Change methods getParams, getTreePath and getAncestorPath to use parseParameters(String) when parsing the (now escaped) query, so the parameters are correctly separated (and decoded).

Fix zaproxy#1801 - URL StandardParameterParser not working correctly with QueryString
Fix zaproxy#1848 - VariantURLQuery throwing exceptions on active scan
Fix zaproxy#2153 - 2.4.3 failed parse the POST Data containts bracket([])
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
When scanning, this error occurs.
Errors like this occur for different scan rules:
769590 [ZAP-ActiveScanner-1] ERROR org.zaproxy.zap.extension.ascanrules.TestServerSideInclude - Error occurred while scanning with variant org.parosproxy.paros.core.scanner.VariantURLQuery
java.lang.IllegalArgumentException: URLDecoder: Illegal hex characters in escape (%) pattern - For input string: "{p"
    at java.net.URLDecoder.decode(URLDecoder.java:192)
    at org.parosproxy.paros.core.scanner.AbstractPlugin.getURLDecode(Unknown Source)
    at org.parosproxy.paros.core.scanner.VariantURLQuery.getUnescapedValue(Unknown Source)
    at org.parosproxy.paros.core.scanner.VariantAbstractQuery.setParams(Unknown Source)
    at org.parosproxy.paros.core.scanner.VariantURLQuery.setMessage(Unknown Source)
    at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
    at org.parosproxy.paros.core.scanner.AbstractPlugin.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:745)
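The two points the fix commit above makes (split the query while it is still escaped, then decode each name and value; encode names as well as values when rebuilding) and the failure mode in this trace (a decoder that rejects a malformed '%' escape) are illustrated below in a stand-alone Python example. This is added here for illustration and is not ZAP's code (ZAP is written in Java); the sample query, the strict decoder and all function names are constructed for the example. `decode_strict` mirrors the strictness of `java.net.URLDecoder`, which raises on a '%' not followed by two hex digits, so that the effect of decoding a value twice can be shown offline.

```python
"""Split-then-decode query parsing versus decode-then-split (added example, not ZAP code)."""
from urllib.parse import quote

# Constructed sample query: a value carrying an encoded '&' and '=', an
# array-style name 'ids[]' sent twice, and a value containing an encoded '%'
# that is followed by '{p' once decoded.
SAMPLE_QUERY = "q=a%26b%3Dc&ids%5B%5D=1&ids%5B%5D=2&tpl=100%25%7Bp%7D"

HEX_DIGITS = "0123456789abcdefABCDEF"


def decode_strict(s):
    """Decode application/x-www-form-urlencoded text.

    Mirrors java.net.URLDecoder: '+' becomes a space and every '%' must be
    followed by two hex digits, otherwise ValueError is raised (the Java class
    raises IllegalArgumentException with the same wording).
    """
    out = bytearray()
    i = 0
    while i < len(s):
        ch = s[i]
        if ch == "+":
            out.append(0x20)
            i += 1
        elif ch == "%":
            hexpair = s[i + 1:i + 3]
            if len(hexpair) != 2 or any(c not in HEX_DIGITS for c in hexpair):
                raise ValueError(
                    f"Illegal hex characters in escape (%) pattern: {hexpair!r}")
            out.append(int(hexpair, 16))
            i += 3
        else:
            out.extend(ch.encode("utf-8"))
            i += 1
    return out.decode("utf-8")


def parse_decode_then_split(query):
    """The fragile order: decode the whole query, then split on '&' and '='.
    An encoded separator inside a name or value changes where the split falls."""
    pairs = []
    for part in decode_strict(query).split("&"):
        name, _, value = part.partition("=")
        pairs.append((name, value))
    return pairs


def parse_split_then_decode(query):
    """Split the still-escaped query on the raw separators, then decode each
    name and value on its own.  Every pair is kept in order, so a repeated
    name such as ids[]=1&ids[]=2 survives instead of collapsing to one entry."""
    if not query:
        return []
    pairs = []
    for part in query.split("&"):
        name, _, value = part.partition("=")
        pairs.append((decode_strict(name), decode_strict(value)))
    return pairs


def build_query(pairs):
    """Rebuild the query, encoding names as well as values (safe='' so that
    '[' and ']' are escaped too); round-trips what parse_split_then_decode read."""
    return "&".join(f"{quote(n, safe='')}={quote(v, safe='')}" for n, v in pairs)


def build_query_values_only(pairs):
    """The incomplete rebuild: only values are encoded.  A name like ids[]
    is emitted raw, and '[' / ']' are not permitted unescaped in an RFC 3986
    query, so a strict URI parser rejects the result."""
    return "&".join(f"{n}={quote(v, safe='')}" for n, v in pairs)


def decode_twice(value):
    """Decode a value a second time, as happens when a caller decodes an
    already decoded parameter.  Returns the text, or the decoder's error."""
    try:
        return decode_strict(decode_strict(value))
    except ValueError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    print("decode then split:", parse_decode_then_split(SAMPLE_QUERY))
    print("split then decode:", parse_split_then_decode(SAMPLE_QUERY))
    print("rebuilt (names encoded):", build_query(parse_split_then_decode(SAMPLE_QUERY)))
    print("rebuilt (values only):  ", build_query_values_only(parse_split_then_decode(SAMPLE_QUERY)))
    print("tpl decoded twice:", decode_twice("100%25%7Bp%7D"))
```

Running it shows `parse_decode_then_split` reporting `q=a` plus a phantom `b=c` parameter, while `parse_split_then_decode` returns `q` as `a&b=c` and both `ids[]` entries. `decode_twice` on the `tpl` value fails with the same "Illegal hex characters in escape (%) pattern" message and the same `{p` fragment seen in the trace above, which is what a second decode of an already decoded value produces.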