pscanrulesAlpha: Add scan rule for Same Origin Method Execution (SOME) #4924
base: main
Conversation
Hey team, this is still a work in progress. I had a couple of queries before I can continue my work.
Let me know what I can do in this situation so that I can continue building this aweSOME rule.
Should be added to help and changelog. Unit tests should be created as well.
I will be adding the test cases after completing the scan rule. I have updated the help and changelog. Also, please let me know what I should do here.
@kingthorin any more changes needed? If not, I'll start with the tests :)
Hi devs, I have made the necessary changes. Let me know if this is good and I will start working on the tests 😄 Also, what should we do about this?
@kingthorin I have made all the necessary changes for the scanner rule. Please let me know if it requires any more changes; if not, then I will start working on the tests. 😄
I don't see anything outstanding other than tests. Either way, further tweaks shouldn't be a major blocker.
Signed-off-by: karthikuj <[email protected]>
Signed-off-by: karthikuj <[email protected]>
Signed-off-by: karthikuj <[email protected]>
Done ✅ Please review and let me know if any changes are needed.
@kingthorin ping :)
Signed-off-by: karthikuj <[email protected]>
Signed-off-by: karthikuj <[email protected]>
Signed-off-by: karthikuj <[email protected]>
Signed-off-by: karthikuj <[email protected]>
Thank you @kingthorin
Overview
This PR adds a passive scanner rule for Same Origin Method Execution (SOME). It is based on Ben Hayak's research, LinkedIn security team's burp add-on (sometime) and some new checks by me to make it better.
Related Issues
Fixes: zaproxy/zaproxy#7125
Checklist
- Ran `./gradlew spotlessApply` for code formatting.

For more details, please refer to the developer rules and guidelines.