1 change: 1 addition & 0 deletions addOns/ascanrules/CHANGELOG.md
Expand Up @@ -11,6 +11,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
### Added
- Rules (as applicable) have been tagged in relation to HIPAA and PCI DSS.
- The Cloud Metadata Potentially Exposed scan rules now has a CWE reference.
- Scan rules which execute time based attacks now include the "TEST_TIMING" alert tag.

## [72] - 2025-06-20
### Added
Expand Up @@ -100,7 +100,8 @@ public class CommandInjectionScanRule extends AbstractAppParamPlugin
CommonAlertTag.OWASP_2017_A01_INJECTION,
CommonAlertTag.WSTG_V42_INPV_12_COMMAND_INJ,
CommonAlertTag.HIPAA,
CommonAlertTag.PCI_DSS));
CommonAlertTag.PCI_DSS,
CommonAlertTag.TEST_TIMING));
alertTags.put(PolicyTag.API.getTag(), "");
alertTags.put(PolicyTag.DEV_CICD.getTag(), "");
alertTags.put(PolicyTag.DEV_STD.getTag(), "");
Expand Down Expand Up @@ -370,6 +371,16 @@ public Map<String, String> getAlertTags() {
return ALERT_TAGS;
}

private Map<String, String> getNeededAlertTags(TestType type) {
if (TestType.FEEDBACK.equals(type)) {
Map<String, String> alertTags = new HashMap<>();
alertTags.putAll(getAlertTags());
alertTags.remove(CommonAlertTag.TEST_TIMING.getTag());
return alertTags;
}
return getAlertTags();
}

@Override
public int getCweId() {
return 78;
Expand Down Expand Up @@ -585,9 +596,9 @@ private boolean testCommandInjection(
"[OS Command Injection Found] on parameter [{}] with value [{}]",
paramName,
paramValue);
String otherInfo = getOtherInfo(TestType.FEEDBACK, paramValue);

buildAlert(paramName, paramValue, matcher.group(), otherInfo, msg).raise();
buildAlert(paramName, paramValue, matcher.group(), TestType.FEEDBACK, msg)
.raise();

// All done. No need to look for vulnerabilities on subsequent
// payloads on the same request (to reduce performance impact)
Expand Down Expand Up @@ -670,10 +681,9 @@ private boolean testCommandInjection(
"[Blind OS Command Injection Found] on parameter [{}] with value [{}]",
paramName,
paramValue);
String otherInfo = getOtherInfo(TestType.TIME, paramValue);

// just attach this alert to the last sent message
buildAlert(paramName, paramValue, "", otherInfo, message.get()).raise();
buildAlert(paramName, paramValue, "", TestType.TIME, message.get()).raise();

// All done. No need to look for vulnerabilities on subsequent
// payloads on the same request (to reduce performance impact)
Expand Down Expand Up @@ -722,25 +732,22 @@ private static String insertUninitVar(String cmd) {
}

private AlertBuilder buildAlert(
String param, String attack, String evidence, String otherInfo, HttpMessage msg) {
String param, String attack, String evidence, TestType type, HttpMessage msg) {
String otherInfo = getOtherInfo(type, attack);
return newAlert()
.setConfidence(Alert.CONFIDENCE_MEDIUM)
.setParam(param)
.setAttack(attack)
.setEvidence(evidence)
.setMessage(msg)
.setOtherInfo(otherInfo);
.setOtherInfo(otherInfo)
.setTags(getNeededAlertTags(type));
}

@Override
public List<Alert> getExampleAlerts() {
return List.of(
buildAlert(
"qry",
"a;cat /etc/passwd ",
"root:x:0:0",
getOtherInfo(TestType.FEEDBACK, "a;cat /etc/passwd "),
null)
buildAlert("qry", "a;cat /etc/passwd ", "root:x:0:0", TestType.FEEDBACK, null)
.build());
}
}
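Review bot: `getNeededAlertTags` in the new hunk returns a fresh mutable `HashMap` for `TestType.FEEDBACK` but the shared `ALERT_TAGS` map for every other type, so callers get maps of different mutability depending on the branch; building the copy directly and handing it back read-only would make both branches consistent, e.g. `Map<String, String> alertTags = new HashMap<>(getAlertTags());` then `alertTags.remove(CommonAlertTag.TEST_TIMING.getTag()); return Collections.unmodifiableMap(alertTags);` (assuming `java.util.Collections` is imported in this file; the import block is outside the hunk). The same logic is duplicated in SqlInjectionSqLiteScanRule's `getNeededAlertTags(boolean)` in this change, with a different parameter type, so a shared helper would keep the two rules from drifting. A short Javadoc would also help readers of `buildAlert`, e.g. `/** Alert tags for this rule, minus TEST_TIMING for alerts confirmed by response content rather than by a delay. */`.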
Expand Up @@ -201,7 +201,8 @@ public class SqlInjectionHypersonicScanRule extends AbstractAppParamPlugin
CommonAlertTag.OWASP_2017_A01_INJECTION,
CommonAlertTag.WSTG_V42_INPV_05_SQLI,
CommonAlertTag.HIPAA,
CommonAlertTag.PCI_DSS));
CommonAlertTag.PCI_DSS,
CommonAlertTag.TEST_TIMING));
alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
alertTags.put(PolicyTag.QA_STD.getTag(), "");
alertTags.put(PolicyTag.QA_FULL.getTag(), "");
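Review bot: Adding `CommonAlertTag.TEST_TIMING` to the static `ALERT_TAGS` in this hunk tags every alert the rule raises, with none of the per-alert filtering that the `getNeededAlertTags` helpers give CommandInjectionScanRule and SqlInjectionSqLiteScanRule in this same change. That is only accurate if every `raise()` path in SqlInjectionHypersonicScanRule is delay-based; if the rule also raises on error messages or response content, those alerts will be mislabelled as timing tests. The same applies to the identical hunks in SqlInjectionMsSqlScanRule, SqlInjectionMySqlScanRule, SqlInjectionOracleScanRule and SqlInjectionPostgreScanRule. A one-line comment above the tag list such as `// Every alert of this rule is delay-confirmed, so TEST_TIMING applies to all of them.` would record the assumption for the next maintainer.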
Expand Up @@ -146,7 +146,8 @@ public class SqlInjectionMsSqlScanRule extends AbstractAppParamPlugin
CommonAlertTag.OWASP_2017_A01_INJECTION,
CommonAlertTag.WSTG_V42_INPV_05_SQLI,
CommonAlertTag.HIPAA,
CommonAlertTag.PCI_DSS));
CommonAlertTag.PCI_DSS,
CommonAlertTag.TEST_TIMING));
alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
alertTags.put(PolicyTag.QA_STD.getTag(), "");
alertTags.put(PolicyTag.QA_FULL.getTag(), "");
Expand Up @@ -220,7 +220,8 @@ public class SqlInjectionMySqlScanRule extends AbstractAppParamPlugin
CommonAlertTag.OWASP_2017_A01_INJECTION,
CommonAlertTag.WSTG_V42_INPV_05_SQLI,
CommonAlertTag.HIPAA,
CommonAlertTag.PCI_DSS));
CommonAlertTag.PCI_DSS,
CommonAlertTag.TEST_TIMING));
alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
alertTags.put(PolicyTag.QA_STD.getTag(), "");
alertTags.put(PolicyTag.QA_FULL.getTag(), "");
Expand Up @@ -156,7 +156,8 @@ public class SqlInjectionOracleScanRule extends AbstractAppParamPlugin
CommonAlertTag.OWASP_2017_A01_INJECTION,
CommonAlertTag.WSTG_V42_INPV_05_SQLI,
CommonAlertTag.HIPAA,
CommonAlertTag.PCI_DSS));
CommonAlertTag.PCI_DSS,
CommonAlertTag.TEST_TIMING));
alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
alertTags.put(PolicyTag.QA_STD.getTag(), "");
alertTags.put(PolicyTag.QA_FULL.getTag(), "");
Expand Up @@ -198,7 +198,8 @@ public class SqlInjectionPostgreScanRule extends AbstractAppParamPlugin
CommonAlertTag.OWASP_2017_A01_INJECTION,
CommonAlertTag.WSTG_V42_INPV_05_SQLI,
CommonAlertTag.HIPAA,
CommonAlertTag.PCI_DSS));
CommonAlertTag.PCI_DSS,
CommonAlertTag.TEST_TIMING));
alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
alertTags.put(PolicyTag.QA_STD.getTag(), "");
alertTags.put(PolicyTag.QA_FULL.getTag(), "");
Expand Up @@ -223,7 +223,8 @@ public class SqlInjectionSqLiteScanRule extends AbstractAppParamPlugin
CommonAlertTag.OWASP_2017_A01_INJECTION,
CommonAlertTag.WSTG_V42_INPV_05_SQLI,
CommonAlertTag.HIPAA,
CommonAlertTag.PCI_DSS));
CommonAlertTag.PCI_DSS,
CommonAlertTag.TEST_TIMING));
alertTags.put(PolicyTag.QA_FULL.getTag(), "");
alertTags.put(PolicyTag.PENTEST.getTag(), "");
ALERT_TAGS = Collections.unmodifiableMap(alertTags);
Expand Down Expand Up @@ -461,6 +462,7 @@ public void scan(HttpMessage originalMessage, String paramName, String originalP
.setOtherInfo(extraInfo)
.setEvidence(matcher.group())
.setMessage(msgDelay)
.setTags(getNeededAlertTags(true))
.raise();

LOGGER.debug(
Expand Down Expand Up @@ -603,6 +605,7 @@ public void scan(HttpMessage originalMessage, String paramName, String originalP
.setOtherInfo(extraInfo)
.setEvidence(extraInfo)
.setMessage(detectableDelayMessage)
.setTags(getNeededAlertTags(false))
.raise();

if (detectableDelayMessage != null)
Expand Down Expand Up @@ -755,6 +758,7 @@ public void scan(HttpMessage originalMessage, String paramName, String originalP
.setOtherInfo(extraInfo)
.setEvidence(versionNumber)
.setMessage(unionAttackMessage)
.setTags(getNeededAlertTags(true))
.raise();
break unionLoops;
}
Expand Down Expand Up @@ -807,4 +811,14 @@ public int getWascId() {
public Map<String, String> getAlertTags() {
return ALERT_TAGS;
}

private Map<String, String> getNeededAlertTags(boolean isFeedbackBased) {
if (isFeedbackBased) {
Map<String, String> alertTags = new HashMap<>();
alertTags.putAll(getAlertTags());
alertTags.remove(CommonAlertTag.TEST_TIMING.getTag());
return alertTags;
}
return getAlertTags();
}
}
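Review bot: `getNeededAlertTags(boolean isFeedbackBased)` at the end of this section is a boolean-flag parameter, so the call sites `setTags(getNeededAlertTags(true))` and `setTags(getNeededAlertTags(false))` in `scan` cannot be read without opening the method; CommandInjectionScanRule's version of the same helper in this change takes a `TestType` enum, and using an enum or two named methods here would make the call sites self-describing and align the two rules. The helper also returns a mutable `HashMap` in the feedback branch but the shared `ALERT_TAGS` otherwise; `Collections` is already imported in this file, so `return Collections.unmodifiableMap(alertTags);` would make both branches read-only. The three `setTags` calls sit inside `scan`, whose body starts and ends outside the shown hunks, so I cannot tell from the diff whether every `raise()` in that method now selects its tags explicitly; any alert path without a `setTags` call presumably falls back to `ALERT_TAGS` and therefore carries TEST_TIMING. None of the visible test changes asserts that the feedback-based alerts of this rule omit the tag, unlike the example-alert assertion added for the command injection rule.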
Expand Up @@ -61,7 +61,8 @@ public class SstiBlindScanRule extends AbstractAppParamPlugin implements CommonA
CommonAlertTag.toMap(
CommonAlertTag.OWASP_2021_A03_INJECTION,
CommonAlertTag.OWASP_2017_A01_INJECTION,
CommonAlertTag.WSTG_V42_INPV_18_SSTI));
CommonAlertTag.WSTG_V42_INPV_18_SSTI,
CommonAlertTag.TEST_TIMING));
alertTags.put(ExtensionOast.OAST_ALERT_TAG_KEY, ExtensionOast.OAST_ALERT_TAG_VALUE);
alertTags.put(PolicyTag.API.getTag(), "");
alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
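Review bot: Every alert from SstiBlindScanRule now carries TEST_TIMING because the tag goes into the static map, yet the same map also receives the OAST tag on the following line, which suggests this rule can confirm some findings through an out-of-band callback rather than a response delay. Alerts confirmed that way are not timing tests and would be mislabelled; CommandInjectionScanRule in this change filters the tag per alert, and a similar `getNeededAlertTags` selection here would keep the tag accurate. If every alert of this rule is in fact delay-confirmed, a comment on the tag list saying so, e.g. `// Findings are confirmed only by delay, so TEST_TIMING applies to every alert.`, would settle the question for the next reader.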
Expand Up @@ -23,6 +23,7 @@
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.hasKey;
import static org.hamcrest.Matchers.hasSize;
import static org.hamcrest.Matchers.is;
import static org.hamcrest.Matchers.not;
Expand Down Expand Up @@ -95,7 +96,7 @@ void shouldReturnExpectedMappings() {
// Then
assertThat(cwe, is(equalTo(78)));
assertThat(wasc, is(equalTo(31)));
assertThat(tags.size(), is(equalTo(13)));
assertThat(tags.size(), is(equalTo(14)));
assertThat(
tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
is(equalTo(true)));
Expand All @@ -107,6 +108,7 @@ void shouldReturnExpectedMappings() {
is(equalTo(true)));
assertThat(tags.containsKey(CommonAlertTag.HIPAA.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(CommonAlertTag.PCI_DSS.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(PolicyTag.API.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(PolicyTag.DEV_CICD.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(PolicyTag.DEV_STD.getTag()), is(equalTo(true)));
Expand Down Expand Up @@ -381,6 +383,8 @@ void shouldHaveExpectedExampleAlert() {
"The scan rule was able to retrieve the content of a file or "
+ "command by sending [a;cat /etc/passwd ] to the operating "
+ "system running this application.")));
Map<String, String> tags = alert.getTags();
assertThat(tags, not(hasKey(CommonAlertTag.TEST_TIMING.getTag())));
}

private static class PayloadCollectorHandler extends NanoServerHandler {
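Review bot: The new assertion in `shouldHaveExpectedExampleAlert` only checks that the FEEDBACK example alert lacks TEST_TIMING; nothing in the visible test changes asserts that a TIME-type alert actually carries it, so a regression that drops the tag from both branches of `getNeededAlertTags` would go unnoticed (the mapping test only inspects the static `ALERT_TAGS`). A cheap positive check would be a second example alert built with `TestType.TIME` in `getExampleAlerts` plus an assertion with `hasKey(CommonAlertTag.TEST_TIMING.getTag())` on its tags, or a scan test against a deliberately delayed response. The rest of `shouldHaveExpectedExampleAlert` starts outside the hunk.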
Expand Up @@ -155,7 +155,7 @@ void shouldReturnExpectedMappings() {
// Then
assertThat(cwe, is(equalTo(89)));
assertThat(wasc, is(equalTo(19)));
assertThat(tags.size(), is(equalTo(10)));
assertThat(tags.size(), is(equalTo(11)));
assertThat(
tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
is(equalTo(true)));
Expand All @@ -166,6 +166,7 @@ void shouldReturnExpectedMappings() {
tags.containsKey(CommonAlertTag.WSTG_V42_INPV_05_SQLI.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(CommonAlertTag.HIPAA.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(CommonAlertTag.PCI_DSS.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
Expand Up @@ -150,7 +150,7 @@ void shouldReturnExpectedMappings() {
// Then
assertThat(cwe, is(equalTo(89)));
assertThat(wasc, is(equalTo(19)));
assertThat(tags.size(), is(equalTo(10)));
assertThat(tags.size(), is(equalTo(11)));
assertThat(
tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
is(equalTo(true)));
Expand All @@ -161,6 +161,7 @@ void shouldReturnExpectedMappings() {
tags.containsKey(CommonAlertTag.WSTG_V42_INPV_05_SQLI.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(CommonAlertTag.HIPAA.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(CommonAlertTag.PCI_DSS.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
Expand Up @@ -149,7 +149,7 @@ void shouldReturnExpectedMappings() {
// Then
assertThat(cwe, is(equalTo(89)));
assertThat(wasc, is(equalTo(19)));
assertThat(tags.size(), is(equalTo(10)));
assertThat(tags.size(), is(equalTo(11)));
assertThat(
tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
is(equalTo(true)));
Expand All @@ -160,6 +160,7 @@ void shouldReturnExpectedMappings() {
tags.containsKey(CommonAlertTag.WSTG_V42_INPV_05_SQLI.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(CommonAlertTag.HIPAA.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(CommonAlertTag.PCI_DSS.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
Expand Up @@ -145,7 +145,7 @@ void shouldReturnExpectedMappings() {
// Then
assertThat(cwe, is(equalTo(89)));
assertThat(wasc, is(equalTo(19)));
assertThat(tags.size(), is(equalTo(10)));
assertThat(tags.size(), is(equalTo(11)));
assertThat(
tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
is(equalTo(true)));
Expand All @@ -156,6 +156,7 @@ void shouldReturnExpectedMappings() {
tags.containsKey(CommonAlertTag.WSTG_V42_INPV_05_SQLI.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(CommonAlertTag.HIPAA.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(CommonAlertTag.PCI_DSS.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));
Expand Up @@ -158,7 +158,7 @@ void shouldReturnExpectedMappings() {
// Then
assertThat(cwe, is(equalTo(89)));
assertThat(wasc, is(equalTo(19)));
assertThat(tags.size(), is(equalTo(10)));
assertThat(tags.size(), is(equalTo(11)));
assertThat(
tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
is(equalTo(true)));
Expand All @@ -169,6 +169,7 @@ void shouldReturnExpectedMappings() {
tags.containsKey(CommonAlertTag.WSTG_V42_INPV_05_SQLI.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(CommonAlertTag.HIPAA.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(CommonAlertTag.PCI_DSS.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true)));
assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));