pscanrulesAlpha: Add scan rule for Same Origin Method Execution (SOME) #4924
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hey team, this is still a work in progress I had a couple queries before I can continue my work.
Let me know what I can do in this situation so that I can continue building this aweSOME rule. |
kingthorin
reviewed
Sep 24, 2023
...es/src/main/java/org/zaproxy/zap/extension/pscanrules/SameOriginMethodExecutionScanRule.java
Outdated
Show resolved
Hide resolved
...es/src/main/java/org/zaproxy/zap/extension/pscanrules/SameOriginMethodExecutionScanRule.java
Outdated
Show resolved
Hide resolved
...es/src/main/java/org/zaproxy/zap/extension/pscanrules/SameOriginMethodExecutionScanRule.java
Outdated
Show resolved
Hide resolved
...es/src/main/java/org/zaproxy/zap/extension/pscanrules/SameOriginMethodExecutionScanRule.java
Outdated
Show resolved
Hide resolved
...es/src/main/java/org/zaproxy/zap/extension/pscanrules/SameOriginMethodExecutionScanRule.java
Outdated
Show resolved
Hide resolved
...es/src/main/java/org/zaproxy/zap/extension/pscanrules/SameOriginMethodExecutionScanRule.java
Outdated
Show resolved
Hide resolved
...es/src/main/java/org/zaproxy/zap/extension/pscanrules/SameOriginMethodExecutionScanRule.java
Outdated
Show resolved
Hide resolved
...es/src/main/java/org/zaproxy/zap/extension/pscanrules/SameOriginMethodExecutionScanRule.java
Outdated
Show resolved
Hide resolved
...es/src/main/java/org/zaproxy/zap/extension/pscanrules/SameOriginMethodExecutionScanRule.java
Outdated
Show resolved
Hide resolved
...es/src/main/java/org/zaproxy/zap/extension/pscanrules/SameOriginMethodExecutionScanRule.java
Outdated
Show resolved
Hide resolved
I will be adding the test cases after completing the scan rule, I have updated the help and changelog. Also, please let me know what should I do here. |
|
@kingthorin any more changes needed? if not I'll start with the tests :) |
kingthorin
reviewed
Oct 10, 2023
...c/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help/contents/pscanrules.html
Outdated
Show resolved
Hide resolved
...c/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help/contents/pscanrules.html
Outdated
Show resolved
Hide resolved
|
Hi devs, I have made the necessary changes let me know if this is good and I will start working on the tests 😄 Also, what should we do about this?
|
thc202
changed the title
|
@kingthorin I have made all the necessary changes for the scanner rule, please let me know if it requires any more changes, if not then I will start working on the tests. 😄 |
|
I don't see anything outstanding other than tests. Either way further tweaks shouldn't be a major blocker. |
karthikuj
changed the title
Signed-off-by: karthikuj <karthikuj2001@gmail.com>
Signed-off-by: karthikuj <karthikuj2001@gmail.com>
Signed-off-by: karthikuj <karthikuj2001@gmail.com>
Done ✅ Please review and let me know if any changes are needed. |
|
@kingthorin ping :) |
kingthorin
reviewed
Nov 28, 2023
...n/javahelp/org/zaproxy/zap/extension/pscanrulesAlpha/resources/help/contents/pscanalpha.html
Outdated
Show resolved
Hide resolved
...st/java/org/zaproxy/zap/extension/pscanrulesAlpha/SameOriginMethodExecutionScanRuleTest.java
Outdated
Show resolved
Hide resolved
Signed-off-by: karthikuj <karthikuj2001@gmail.com>
kingthorin
reviewed
Nov 29, 2023
...st/java/org/zaproxy/zap/extension/pscanrulesAlpha/SameOriginMethodExecutionScanRuleTest.java
Outdated
Show resolved
Hide resolved
Signed-off-by: karthikuj <karthikuj2001@gmail.com>
kingthorin
reviewed
Nov 29, 2023
...a/org/zaproxy/zap/extension/pscanrulesAlpha/FetchMetadataRequestHeadersScanRuleUnitTest.java
Outdated
Show resolved
Hide resolved
...st/java/org/zaproxy/zap/extension/pscanrulesAlpha/SameOriginMethodExecutionScanRuleTest.java
Outdated
Show resolved
Hide resolved
...st/java/org/zaproxy/zap/extension/pscanrulesAlpha/SameOriginMethodExecutionScanRuleTest.java
Outdated
Show resolved
Hide resolved
Signed-off-by: karthikuj <karthikuj2001@gmail.com>
Signed-off-by: karthikuj <karthikuj2001@gmail.com>
kingthorin
approved these changes
Nov 29, 2023
|
Thank you @kingthorin Another approval needed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This PR adds a passive scanner rule for Same Origin Method Execution (SOME). It is based on Ben Hayak's research, LinkedIn security team's burp add-on (sometime) and some new checks by me to make it better.
Related Issues
Fixes: zaproxy/zaproxy#7125
Checklist
./gradlew spotlessApplyfor code formattingFor more details, please refer to the developer rules and guidelines.