ascanrulesBeta: Insecure HTTP Method rule - Address potential FP

[kingthorin]

Overview

• Remove unnecessary try/catch when raising alert.
• Move always used variable assignment to be a constant.
• Ensure Evidence values are literal and not assembled.
• Adjust Confidence when findings are based on 40x authn/authz type responses.
• Corrected regex quantifier on third party content matching.
• May now raise more alerts because the HTTP method/verb comparison previously may have been values with leading or trailing space which would not have matched.

[psiinon]

Checkmarx One – Scan Summary & Details – a25459c8-4288-4ac5-bad2-c3dc49e0ab6e

New Issues (12)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	CVE-2024-53990	Maven-org.asynchttpclient:async-http-client-2.12.3	details Recommended version: 2.12.4 Description: The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When making a... Attack Vector: NETWORK Attack Complexity: HIGH ID: m5ypO9rQ4ox8ZOSwRBouhgqPgWtouFfeq3HIMS4ueLI%3D Vulnerable Package
	CVE-2017-9096	Maven-com.lowagie:itext-2.1.7	details Description: The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML ext... Attack Vector: NETWORK Attack Complexity: LOW ID: %2Fh3n%2B6%2FOAjPysxX%2BPcuJWCQajD9UBZxTXilp0cc4dqY%3D Vulnerable Package
	CVE-2020-36518	Maven-com.fasterxml.jackson.core:jackson-databind-2.13.1	details Recommended version: 2.13.4.1 Description: jackson-databind before 2.12.6.1 and 2.13.x before 2.13.2.1 allows a Java StackOverflow exception and denial of service via a large depth of neste... Attack Vector: NETWORK Attack Complexity: LOW Exploitable Path: readValue@...nrules/ScanRuleMetadata.java - ... - mapArray@...ntypedObjectDeserializer.java ID: mPSz3PWUUf5IcsVplLMqkQVmEtNcy7uRohfyd647JBQ%3D Vulnerable Package
	CVE-2022-4065	Maven-org.testng:testng-7.5	details Recommended version: 7.5.1 Description: A vulnerability was found in cbeust testng. It has been declared as critical. Affected by this vulnerability is the function "testngXmlExistsInJar"... Attack Vector: LOCAL Attack Complexity: LOW ID: XA%2B17Z54GH0OU2sreqYmLo2RGTYVcyelPS%2FB8eLBLLM%3D Vulnerable Package
	CVE-2022-42003	Maven-com.fasterxml.jackson.core:jackson-databind-2.13.1	details Recommended version: 2.13.4.1 Description: In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avo... Attack Vector: NETWORK Attack Complexity: LOW Exploitable Path: readValue@...nrules/ScanRuleMetadata.java - ... - _parseBooleanPrimitive@...serializer.java ID: uISb6GThKmT61FIb4DKK59KXoGuzdiMCGpSXY3%2BHpdE%3D Vulnerable Package
	CVE-2022-42004	Maven-com.fasterxml.jackson.core:jackson-databind-2.13.1	details Recommended version: 2.13.4.1 Description: In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in "BeanDeserializer._deserializeFromArray"... Attack Vector: NETWORK Attack Complexity: LOW Exploitable Path: readValue@...nrules/ScanRuleMetadata.java - ... - _deserializeFromArray@...eserializer.java ID: w9O0Jn%2FXEpRMWXZLtawTDbvxhU4xVReYty6q1Nb9%2FMM%3D Vulnerable Package
	CVE-2024-7254	Maven-com.google.protobuf:protobuf-java-3.25.1	details Recommended version: 3.25.5 Description: Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups/series of SGROUP tags can corrupted by exce... Attack Vector: NETWORK Attack Complexity: LOW Exploitable Path: toString@...oBufNestedMessageDecoder.java - ... - mergeOneFieldFrom@...nownFieldSchema.java ID: YUZkmmxz8aiNB%2B0Y%2FWLppb6H3pF9UA7ShNJsgAyzvqg%3D Vulnerable Package
	CVE-2025-52999	Maven-com.fasterxml.jackson.core:jackson-core-2.13.1	details Recommended version: 2.15.0 Description: The jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions pr... Attack Vector: NETWORK Attack Complexity: LOW Exploitable Path: skipChildren@.../har/HarImporterType.java - ... - nextToken@...n/ReaderBasedJsonParser.java ID: DQ3XnEHSlNtGZ4ZFYWUi7CloDNWQgu2igyMNdXKj6Pw%3D Vulnerable Package
	CVE-2018-10237	Maven-com.google.guava:guava-19.0	details Recommended version: 32.0.0.jre-redhat-00001 Description: Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against se... Attack Vector: NETWORK Attack Complexity: HIGH ID: t26hpgMlKTk%2Bhxt9aUwckPWQ9CLevbm%2BM%2FNPDdXv10s%3D Vulnerable Package
	CVE-2022-24823	Maven-io.netty:netty-common-4.1.73.Final	details Recommended version: 4.1.108.Final-redhat-00002 Description: Netty is an open-source, asynchronous event-driven network application framework. The packages `io.netty:netty-all` and `io.netty:netty-common` 4.1... Attack Vector: LOCAL Attack Complexity: LOW ID: WPBtE1i%2B9LAxk8qnwdptrh6XXxkts9q%2FRiZpIueZpG0%3D Vulnerable Package
	CVE-2023-34462	Maven-io.netty:netty-handler-4.1.73.Final	details Recommended version: 4.1.118.Final Description: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clien... Attack Vector: NETWORK Attack Complexity: LOW ID: SWmP9dlEkBYTgxSbzoGhDsl1sxKt5BkoaZopUM8I7O0%3D Vulnerable Package
	Use_Of_Hardcoded_Password	/addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestAuthenticationRunner.java: 64	details The application uses the hard-coded password PASSWORD for authentication purposes, either using it to verify users' identities, or to access anoth... ID: atCyvEBdIHIXTFZfXUh2F6WGL5g%3D Attack Vector

Fixed Issues (7)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	Use_Of_Hardcoded_Password	/addOns/authhelper/src/main/java/org/zaproxy/addon/authhelper/AuthUtils.java: 173
	Use_Of_Hardcoded_Password	/addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestAuthenticationRunner.java: 65
	Use_Of_Hardcoded_Password	/addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestAuthenticationRunner.java: 68
	Heap_Inspection	/addOns/authhelper/src/test/java/org/zaproxy/addon/authhelper/AuthUtilsUnitTest.java: 1357
	Heap_Inspection	/addOns/authhelper/src/test/java/org/zaproxy/addon/authhelper/AuthUtilsUnitTest.java: 1375
	Heap_Inspection	/addOns/authhelper/src/test/java/org/zaproxy/addon/authhelper/AuthUtilsUnitTest.java: 1328
	Heap_Inspection	/addOns/authhelper/src/test/java/org/zaproxy/addon/authhelper/AuthUtilsUnitTest.java: 1312

---

Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR

[thc202]

It's unclear to me what's this is trying to achieve, address an FP or introduce more FPs?

[kingthorin]

Hahaha okay. I'll revert the trim bit and just document it with a comment for future changes?

[thc202]

I'm referring to https://github.com/zaproxy/zap-extensions/pull/6778/files#diff-6b4885190875eb72259b3b356fa59cd8f595e66f5bd2b4afc7297e630b2e2a60L595-L596

[kingthorin]

Thank you for being specific, I'll review why I removed that. (It may have simply been a testing change that I forgot to revert before pushing.)

[kingthorin]

Addressed.

[kingthorin]

Back to draft, just found another issue.

[kingthorin]

It was a smaller issue than I initially thought, should be good to go now.