OAST should cache a copy of the registered HTTP message #7027
Comments
denniskniep
changed the title
denniskniep
changed the title
|
It would be better described as "OAST should cache a copy of the registered HTTP message" (or something along those lines) which is actually the problem, the current title is a side effect. |
denniskniep
changed the title
|
The message that is added to the alerts is actually the one received by the OAST service and forwarded to ZAP, right? We would not want to change those. Also, the poll request is not shown in the History tab so I think in that case a warning should be sufficient. |
|
No, the alert has the message crafted by the scan rule which is about to be sent, e.g.: https://github.com/zaproxy/zap-extensions/blob/13364a19d5f9d9d51b60a78a37329498a9b070e2/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/OutOfBandXssScanRule.java#L167-L175 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
After solving that issue: #7004
There will be no "ZAP IO Error" with the exception visible in the response in specific ActiveScan with OAST AddOn cases:
OAST create HistRef on incoming pingback. The catch of the
sendmight happen later (e.g. OAST poll is 10 sec and 15 sec read timeout). In the catch block the exception is set to the HttpMessage response which is too late, because its already saved.The text was updated successfully, but these errors were encountered: