Firing Range: Improve Escaped XSS results #7122

Open
6 tasks
psiinon opened this issue Mar 7, 2022 · 1 comment

Comments

@psiinon (Member) commented Mar 7, 2022

We run ZAP against Google Firing Range (FR) using a scheduled task and publish the results on https://www.zaproxy.org/docs/scans/firingrange/

This is a tracker issue which covers improving the ZAP results against the 'Escaped XSS' section of FR.
It is important to note that the priority here is to improve the ZAP scan results against real-world apps, so any improvements should be generic rather than tailored for FR.

PRs do not have to fix all of the false negatives - a change which just finds one new XSS in that section would be appreciated.
For more information about improving scan rules see https://www.zaproxy.org/docs/contribute/scan-rules/
In this case the relevant scan rule is linked to from each test.
As always all PRs should include full unit tests.

It is possible that some of the FR tests are no longer valid due to browser security improvements. If you believe this to be the case then please let us know and we will do our best to confirm that.

As this is a tracker it will not be assigned to any one individual.

The following failing test cases have been assigned:

The following URLs are confirmed to be unexploitable on modern browsers:

The following URLs are believed to be unexploitable on modern browsers - if you disagree then please get in touch!
