
WebSockets add-on: filter payload pattern only applies to *visible* part of payload (150 chars) #7189

Open
ge0rg opened this issue Apr 6, 2022 · 1 comment

Comments


ge0rg commented Apr 6, 2022

Describe the bug

The filter in the WebSockets tab allows filtering for a Payload pattern. This pattern is only matched on the visible first 150 characters of the payload and not on the whole text.

Example from the WebSockets tab:

[screenshot of the WebSockets tab showing the truncated payload preview]

Actual payload displayed in the Request tab:

[2, "102999735", "StatusNotification", {"connectorId": 1, "status": "Preparing", "errorCode": "NoError", "info": "Status Update -Type2-", "timestamp": "2022-04-01T13:40:31Z"}]

It is possible to see the packet with a Payload filter set to "timestamp" or "timestamp":, as seen here:
[screenshot of the WebSockets tab with the Payload filter applied]

But if the filter is set to "timestamp": (trailing space), then the packet isn't listed any more.

This corresponds exactly to the 150-character limit enforced in WebSocketMessagesViewModel; however, the preview is adding a "..." which is not seen in the actual UI, so this is probably a red herring. I haven't found another place adding a 150-character limit yet.

Steps to reproduce the behavior

  1. Install the WebSockets add-on
  2. Use the Local Proxy to intercept a websocket communication that has messages longer than 150 characters
  3. Go to the WebSockets tab
  4. Tap the filter icon
  5. Enter a Payload Pattern string that starts or ends beyond the first 150 characters of a given message
  6. Press Apply

Expected behavior

The filter should be applied to the whole payload, so that it would be possible to search for strings even in large websocket messages.

Software versions

Found Java version 12
Available memory: 63741 MB
Using JVM args: -Xmx15935m
Ignoring legacy log4j.properties file, backup already exists.
OWASP ZAP
Version: 2.11.1
Installed Add-ons: [[id=alertFilters, version=13.0.0], [id=ascanrules, version=46.0.0], [id=automation, version=0.13.0], [id=bruteforce, version=11.0.0], [id=callhome, version=0.3.0], [id=commonlib, version=1.9.0], [id=custompayloads, version=0.11.0], [id=diff, version=11.0.0], [id=directorylistv1, version=5.0.0], [id=domxss, version=12.0.0], [id=encoder, version=0.6.0], [id=exim, version=0.1.0], [id=formhandler, version=4.0.0], [id=fuzz, version=13.6.0], [id=gettingStarted, version=13.0.0], [id=graaljs, version=0.2.0], [id=graphql, version=0.8.0], [id=help, version=14.0.0], [id=hud, version=0.13.0], [id=importurls, version=9.0.0], [id=invoke, version=11.0.0], [id=jsonview, version=2.0.0], [id=network, version=0.1.0], [id=oast, version=0.10.0], [id=onlineMenu, version=9.0.0], [id=openapi, version=27.0.0], [id=pscanrules, version=39.0.0], [id=quickstart, version=33.0.0], [id=replacer, version=9.0.0], [id=reports, version=0.12.0], [id=retest, version=0.2.0], [id=retire, version=0.10.0], [id=reveal, version=4.0.0], [id=saverawmessage, version=7.0.0], [id=savexmlmessage, version=0.3.0], [id=scripts, version=30.0.0], [id=selenium, version=15.8.0], [id=soap, version=13.0.0], [id=spiderAjax, version=23.7.0], [id=tips, version=9.0.0], [id=webdriverlinux, version=36.0.0], [id=websocket, version=25.0.0], [id=zest, version=35.0.0]]
Operating System: Linux
Java Version: Debian 12
System's Locale: en_US
Display Locale: en_GB
Format Locale: en_GB
ZAP Home Directory: /home/user/.ZAP/
ZAP Installation Directory: /opt/ZAP_2.11.1/./
Look and Feel: Metal (javax.swing.plaf.metal.MetalLookAndFeel)

Screenshots

No response

Errors from the zap.log file

No response

Additional context

No response

Would you like to help fix this issue?

  • Yes
thc202 (Member) commented Apr 6, 2022

Yes, the problem is that it's using the preview length when checking the payload.
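The mismatch the report describes, as an added Java example that is not ZAP's or the add-on's own code: a hypothetical PayloadFilterDemo truncates the payload quoted above to the 150-character preview (with the "..." the report mentions) and matches the filter against that preview, the behaviour thc202 points to, beside a check against the full payload. The filter text is treated as a literal string here, which is an assumption; the add-on's own pattern semantics may differ.

```java
import java.util.regex.Pattern;

/** Hypothetical stand-in for the add-on's payload filter; not ZAP's own code. */
public final class PayloadFilterDemo {
    // Preview length the report identifies (WebSocketMessagesViewModel truncates at 150 chars).
    static final int PREVIEW_LENGTH = 150;

    // Constructed from the payload quoted in the report (175 chars; the ':' after "timestamp" is char 150).
    static final String PAYLOAD = "[2, \"102999735\", \"StatusNotification\", {\"connectorId\": 1, "
            + "\"status\": \"Preparing\", \"errorCode\": \"NoError\", \"info\": \"Status Update -Type2-\", "
            + "\"timestamp\": \"2022-04-01T13:40:31Z\"}]";

    /** Preview as shown in the messages table: cut at PREVIEW_LENGTH with "..." appended. */
    static String preview(String payload) {
        if (payload.length() <= PREVIEW_LENGTH) {
            return payload;
        }
        return payload.substring(0, PREVIEW_LENGTH) + "...";
    }

    /** Buggy behaviour described in the issue: the pattern is matched against the preview only. */
    static boolean matchesPreview(String payload, Pattern pattern) {
        return pattern.matcher(preview(payload)).find();
    }

    /** Expected behaviour: the pattern is matched against the full payload text. */
    static boolean matchesFullPayload(String payload, Pattern pattern) {
        return pattern.matcher(payload).find();
    }

    public static void main(String[] args) {
        // The two filters from the report (with and without the trailing space) plus a value past char 150.
        String[] filters = { "\"timestamp\":", "\"timestamp\": ", "2022-04-01T13:40:31Z" };
        for (String f : filters) {
            // Assumption: the filter text is a literal string, so it is quoted before compiling.
            Pattern p = Pattern.compile(Pattern.quote(f));
            System.out.printf("filter [%s]%n  preview-only match: %b%n  full-payload match: %b%n",
                    f, matchesPreview(PAYLOAD, p), matchesFullPayload(PAYLOAD, p));
        }
    }
}
```

Running it shows "timestamp": matching under both checks, while "timestamp": with the trailing space and the timestamp value itself match only against the full payload.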
