Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not add zero Content-Length by default in GET requests #6691

Closed
Sravan-Apps opened this issue Jul 16, 2021 · 1 comment · Fixed by #6692
Closed

Do not add zero Content-Length by default in GET requests #6691

Sravan-Apps opened this issue Jul 16, 2021 · 1 comment · Fixed by #6692
Labels
bug
Milestone
2.11.0

Comments

@Sravan-Apps
Copy link
Contributor

Describe the bug
ZAP Automated scan (Spider and Active Scan) sends Request header Content-Length: 0 in case of GET requests. This can trigger some servers or WAF's and block the ZAP scan.

To Reproduce
Steps to reproduce the behavior:

  1. Start zap using java -jar zap-2.10.0.jar
  2. Use netcat to listen on tcp port 7777 nc -4lkp 7777 from a terminal
  3. Now in ZAP Click on Automated scan icon. In Url to Attack enter http://127.0.0.1:7777 and click Attack button.
  4. Go to terminal window where netcat is listening and see the request sent from ZAP.

Expected behavior
Content-Length: 0 Header will not be added for GET requests.

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Pragma: no-cache
Cache-Control: no-cache
Host: 127.0.0.1:7777

Per RFC we should not add Content-Length header for GET,HEAD,TRACE methods. https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.2

A user agent SHOULD NOT send a Content-Length header field when the request message does not contain
a payload body and the method semantics do not anticipate such a body.

Content-Length is valid only for POST,PUT, PATCH, DELETE methods.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods

Screenshots

$ nc -4lkp 7777
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0
Host: 127.0.0.1:7777

Software versions

  • ZAP: 2.10.0
  • Add-on: quickstart and spider
  • OS: Debian 10
  • Java: openjdk 11.0.11
  • Browser: NA

Errors from the zap.log file
NA

Additional context
After looking at code I found that this is happening due to code here.

From git history I found that the code is there since v1.2.0 and this was probably carried over from Paros.

This change will be similar to #4593

Would you like to help fix this issue?
Yes.. I made a patch, will submit a PR.
@Sravan-Apps Sravan-Apps changed the title Spider and other addons set Request Header Content-length:0 in GET requests Prevent Spider and other addons setting Request Header Content-length:0 in GET requests Jul 16, 2021
@Sravan-Apps Sravan-Apps mentioned this issue Jul 16, 2021
Merged
@thc202 thc202 changed the title Prevent Spider and other addons setting Request Header Content-length:0 in GET requests Do not add Content-length:0 by default in GET requests Jul 16, 2021
@thc202 thc202 added this to the 2.11.0 milestone Jul 16, 2021
@thc202 thc202 changed the title Do not add Content-length:0 by default in GET requests Do not add zero Content-Length by default in GET requests Jul 16, 2021
@thc202 thc202 linked a pull request Jul 23, 2021 that will close this issue
Avoid setting Request Header Content-length:0 in GET requests #6692
Merged
@github-actions
Copy link

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked and limited conversation to collaborators Oct 22, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug
Milestone
2.11.0
Development

Successfully merging a pull request may close this issue.

Avoid setting Request Header Content-length:0 in GET requests Sravan-Apps/zaproxy
2 participants
@Sravan-Apps @thc202