Changed ViewState and XFrameOption to return example alerts for the docs

Part of zaproxy/zaproxy#6119

Associated script changes will follow v shortly...

Signed-off-by: Simon Bennetts <[email protected]>

Author: psiinon

addOns/pscanrules/CHANGELOG.md

@@ -8,6 +8,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - The CSP scan rule now checks if the form-action directive allows wildcards.
 - The CSP scan rule now includes further information in the description of allowed wildcard directives alerts when the impacted directive is one (or more) which doesn't fallback to default-src.
 - Maintenance changes.
+- Changed ViewState and XFrameOption rules to return example alerts for the docs
 
 ## [29] - 2020-06-01
 ### Changed

addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ViewstateScanRule.java

@@ -22,6 +22,7 @@
 import java.io.IOException;
 import java.nio.charset.Charset;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -64,83 +65,104 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
         if (!v.isValid()) return;
 
         if (!v.hasMACtest1() || !v.hasMACtest2())
-            if (!v.hasMACtest1() && !v.hasMACtest2()) alertNoMACforSure(msg, id);
-            else alertNoMACUnsure(msg, id);
+            if (!v.hasMACtest1() && !v.hasMACtest2()) alertNoMACforSure().raise();
+            else alertNoMACUnsure().raise();
 
-        if (!v.isLatestAspNetVersion()) alertOldAspVersion(msg, id);
+        if (!v.isLatestAspNetVersion()) alertOldAspVersion().raise();
 
         List<ViewstateAnalyzerResult> listOfMatches = ViewstateAnalyzer.getSearchResults(v, this);
         for (ViewstateAnalyzerResult var : listOfMatches) {
-            if (var.hasResults()) alertViewstateAnalyzerResult(msg, id, var);
+            if (var.hasResults()) alertViewstateAnalyzerResult(var).raise();
         }
 
-        if (v.isSplit()) alertSplitViewstate(msg, id);
+        if (v.isSplit()) alertSplitViewstate().raise();
     }
 
-    private void alertViewstateAnalyzerResult(
-            HttpMessage msg, int id, ViewstateAnalyzerResult var) {
-        newAlert()
+    private AlertBuilder alertViewstateAnalyzerResult(ViewstateAnalyzerResult var) {
+        return newAlert()
                 .setName(var.pattern.getAlertHeader())
                 .setRisk(Alert.RISK_MEDIUM)
                 .setConfidence(Alert.CONFIDENCE_MEDIUM)
                 .setDescription(var.pattern.getAlertDescription())
                 .setOtherInfo(var.getResultExtract().toString())
                 .setSolution(getSolution())
                 .setCweId(16) // CWE Id 16 - Configuration
-                .setWascId(14) // WASC Id - Server Misconfiguration
-                .raise();
+                .setWascId(14); // WASC Id - Server Misconfiguration
     }
 
-    private void alertOldAspVersion(HttpMessage msg, int id) {
-        newAlert()
+    private AlertBuilder alertOldAspVersion() {
+        return newAlert()
                 .setName(Constant.messages.getString(MESSAGE_PREFIX + "oldver.name"))
                 .setRisk(Alert.RISK_LOW)
                 .setConfidence(Alert.CONFIDENCE_MEDIUM)
                 .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "oldver.desc"))
                 .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "oldver.soln"))
                 .setCweId(16) // CWE Id 16 - Configuration
-                .setWascId(14) // WASC Id - Server Misconfiguration
-                .raise();
+                .setWascId(14); // WASC Id - Server Misconfiguration
     }
 
     // TODO: see if this alert triggers too often, as the detection rule is far from being robust
     // for the moment
-    private void alertNoMACUnsure(HttpMessage msg, int id) {
-        newAlert()
+    private AlertBuilder alertNoMACUnsure() {
+        return newAlert()
                 .setName(Constant.messages.getString(MESSAGE_PREFIX + "nomac.unsure.name"))
                 .setRisk(Alert.RISK_HIGH)
                 .setConfidence(Alert.CONFIDENCE_LOW)
                 .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "nomac.unsure.desc"))
                 .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "nomac.unsure.soln"))
                 .setReference(Constant.messages.getString(MESSAGE_PREFIX + "nomac.unsure.refs"))
                 .setCweId(642) // CWE Id 642 - External Control of Critical State Data
-                .setWascId(14) // WASC Id - Server Misconfiguration
-                .raise();
+                .setWascId(14); // WASC Id - Server Misconfiguration
     }
 
-    private void alertNoMACforSure(HttpMessage msg, int id) {
-        newAlert()
+    private AlertBuilder alertNoMACforSure() {
+        return newAlert()
                 .setName(Constant.messages.getString(MESSAGE_PREFIX + "nomac.sure.name"))
                 .setRisk(Alert.RISK_HIGH)
                 .setConfidence(Alert.CONFIDENCE_MEDIUM)
                 .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "nomac.sure.desc"))
                 .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "nomac.sure.soln"))
                 .setReference(Constant.messages.getString(MESSAGE_PREFIX + "nomac.sure.refs"))
                 .setCweId(642) // CWE Id 642 - External Control of Critical State Data
-                .setWascId(14) // WASC Id - Server Misconfiguration
-                .raise();
+                .setWascId(14); // WASC Id - Server Misconfiguration
     }
 
-    private void alertSplitViewstate(HttpMessage msg, int id) {
-        newAlert()
+    private AlertBuilder alertSplitViewstate() {
+        return newAlert()
                 .setName(Constant.messages.getString(MESSAGE_PREFIX + "split.name"))
                 .setRisk(Alert.RISK_INFO)
                 .setConfidence(Alert.CONFIDENCE_LOW)
                 .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "split.desc"))
                 .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "split.soln"))
                 .setCweId(16) // CWE Id 16 - Configuration
-                .setWascId(14) // WASC Id - Server Misconfiguration
-                .raise();
+                .setWascId(14); // WASC Id - Server Misconfiguration
+    }
+
+    public List<Alert> getExampleAlerts() {
+        List<Alert> alerts = new ArrayList<Alert>();
+        alerts.add(
+                alertViewstateAnalyzerResult(
+                                new ViewstateAnalyzerResult(ViewstateAnalyzerPattern.IPADDRESS) {
+                                    @Override
+                                    public Set<String> getResultExtract() {
+                                        return Collections.emptySet();
+                                    }
+                                })
+                        .build());
+        alerts.add(
+                alertViewstateAnalyzerResult(
+                                new ViewstateAnalyzerResult(ViewstateAnalyzerPattern.EMAIL) {
+                                    @Override
+                                    public Set<String> getResultExtract() {
+                                        return Collections.emptySet();
+                                    }
+                                })
+                        .build());
+        alerts.add(alertOldAspVersion().build());
+        alerts.add(alertNoMACUnsure().build());
+        alerts.add(alertNoMACforSure().build());
+        alerts.add(alertSplitViewstate().build());
+        return alerts;
     }
 
     @Override

addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XFrameOptionScanRule.java

@@ -19,6 +19,7 @@
  */
 package org.zaproxy.zap.extension.pscanrules;
 
+import java.util.ArrayList;
 import java.util.List;
 import net.htmlparser.jericho.Element;
 import net.htmlparser.jericho.HTMLElementName;
@@ -92,34 +93,34 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
                     if (xFrameOptionParam.toLowerCase().indexOf("deny") < 0
                             && xFrameOptionParam.toLowerCase().indexOf("sameorigin") < 0
                             && xFrameOptionParam.toLowerCase().indexOf("allow-from") < 0) {
-                        raiseAlert(msg, id, xFrameOptionParam, VulnType.XFO_MALFORMED_SETTING);
+                        buildAlert(xFrameOptionParam, VulnType.XFO_MALFORMED_SETTING).raise();
                     }
                 }
                 if (xFrameOption.size() > 1) { // Multiple headers
-                    raiseAlert(msg, id, "", VulnType.XFO_MULTIPLE_HEADERS);
+                    buildAlert("", VulnType.XFO_MULTIPLE_HEADERS).raise();
                 }
             } else {
-                raiseAlert(msg, id, "", VulnType.XFO_MISSING);
+                buildAlert("", VulnType.XFO_MISSING).raise();
             }
 
             String metaXFO = getMetaXFOEvidence(source);
 
             if (metaXFO != null) {
                 // XFO found defined by META tag
-                raiseAlert(msg, id, metaXFO, VulnType.XFO_META);
+                buildAlert(metaXFO, VulnType.XFO_META).raise();
             }
         }
     }
 
-    private void raiseAlert(HttpMessage msg, int id, String evidence, VulnType currentVT) {
+    private AlertBuilder buildAlert(String evidence, VulnType currentVT) {
         int risk = Alert.RISK_MEDIUM;
         String other = "";
         if (this.includedInCsp) {
             risk = Alert.RISK_LOW;
             other = Constant.messages.getString(MESSAGE_PREFIX + "incInCsp");
         }
 
-        newAlert()
+        return newAlert()
                 .setName(getAlertElement(currentVT, "name"))
                 .setRisk(risk)
                 .setConfidence(Alert.CONFIDENCE_MEDIUM)
@@ -130,8 +131,7 @@ private void raiseAlert(HttpMessage msg, int id, String evidence, VulnType curre
                 .setReference(getAlertElement(currentVT, "refs"))
                 .setEvidence(evidence)
                 .setCweId(16) // CWE-16: Configuration
-                .setWascId(15) // WASC-15: Application Misconfiguration
-                .raise();
+                .setWascId(15); // WASC-15: Application Misconfiguration
     }
 
     @Override
@@ -188,4 +188,12 @@ private String getMetaXFOEvidence(Source source) {
         }
         return null;
     }
+
+    public List<Alert> getExampleAlerts() {
+        List<Alert> alerts = new ArrayList<Alert>();
+        for (VulnType vulnType : VulnType.values()) {
+            alerts.add(buildAlert("", vulnType).build());
+        }
+        return alerts;
+    }
 }