pscanrules: Update CSRF countermeasures rule to consider only html files #4833
Conversation
There should be a test showing that non-HTML does not raise an alert. The help should be updated to mention that non-HTML content will not be checked. It's better to ask first in the issue when it's already assigned to avoid duplicating efforts.
.../src/test/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRuleUnitTest.java
I'm not sure this is the right approach because CSRF on image, PDF, CSV, Excel, etc. is a potential DoS issue. I'd rather it simply exclude JS and CSS.
My understanding is that the rule is specific for HTML forms, so the concern here would be about embedded HTML forms in those types of responses? If so, should we make the same change to the active CSRF rule?
You're right. I was thinking "response" but it's the response to the POST (or whatever) that I'm concerned about, not the actual response that contains the form in question. So yes, you're correct. Sorry.
No worries. And thanks to both of you for the quick reviews and responses. What an awesome project and team 😄
.../src/test/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRuleUnitTest.java
To address the DCO requirement you'll need to sign off the commit(s):
c459768 to a2ab607
Folks, I believe I addressed all the comments. Should I squash the commits?
.../src/test/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRuleUnitTest.java
This needs to be rebased and the changelog entry added to the latest Unreleased section.
To address the DCO requirement you'll need to sign off the commit(s):
Signed-off-by: gustavo <[email protected]>
95a09aa to 74f9797
Thank you!
Thanks!
@gustavocovas how would you like to be credited (e.g. name, handle)?
It can be "Gustavo Covas (@gustavocovas)"
Thanks, I'll tackle that Monday morning.
Per: zaproxy/zap-extensions#4833 (comment) Signed-off-by: kingthorin <[email protected]>
Per: zaproxy/zap-extensions#4833 (comment) and zaproxy/zap-extensions#4865 (comment) Signed-off-by: kingthorin <[email protected]>
Overview
Updated the passive scan CSRF countermeasures rule to consider only HTML files, as discussed in zaproxy/zaproxy#7890
I know that it is currently assigned for @FiveOFive, but I saw this as an opportunity for my first contribution (hope that it is ok)
Related Issues
zaproxy/zaproxy#7890
Checklist
./gradlew spotlessApply for code formatting
For more details, please refer to the developer rules and guidelines.
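As an added illustration of the behaviour this PR discusses (gating the form check on the response Content-Type so that only HTML bodies are inspected, and a non-HTML response of the same bytes raising nothing), here is a small self-contained Java sketch. It is not ZAP's code and not the code in this PR; the token field names, the regexes and the class name are assumptions chosen for the example, and the sample response body is constructed.

```java
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not ZAP's own rule: a minimal passive check that first gates
// on Content-Type so only HTML is parsed for forms, then counts forms that carry
// no recognisable anti-CSRF token field.
public final class CsrfFormCheck {

    // Assumed sample of common anti-CSRF field names (not ZAP's configured list).
    private static final String[] TOKEN_NAMES = {
        "csrf_token", "_csrf", "authenticity_token", "__requestverificationtoken"
    };

    // Deliberately simple regexes for the example; a real rule uses an HTML parser.
    private static final Pattern FORM =
        Pattern.compile("(?is)<form\\b[^>]*>(.*?)</form>");
    private static final Pattern INPUT_NAME =
        Pattern.compile("(?is)<input\\b[^>]*\\bname\\s*=\\s*[\"']?([^\"'\\s>]+)");

    // Only text/html and application/xhtml+xml count as HTML; parameters such as
    // charset are ignored. Missing or non-HTML types are skipped entirely.
    public static boolean isHtml(String contentType) {
        if (contentType == null) {
            return false;
        }
        String mediaType = contentType.toLowerCase(Locale.ROOT).split(";")[0].trim();
        return mediaType.equals("text/html") || mediaType.equals("application/xhtml+xml");
    }

    // Returns the number of forms without a token field; always 0 for non-HTML,
    // which is the "non-HTML does not raise an alert" case the reviewer asked to test.
    public static int formsWithoutToken(String contentType, String body) {
        if (!isHtml(contentType)) {
            return 0;
        }
        int missing = 0;
        Matcher form = FORM.matcher(body);
        while (form.find()) {
            if (!hasTokenField(form.group(1))) {
                missing++;
            }
        }
        return missing;
    }

    private static boolean hasTokenField(String formBody) {
        Matcher input = INPUT_NAME.matcher(formBody);
        while (input.find()) {
            String name = input.group(1).toLowerCase(Locale.ROOT);
            for (String token : TOKEN_NAMES) {
                if (name.equals(token)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: one form without a token, one with a hidden _csrf field.
        String body = "<html><body>"
            + "<form method=\"post\" action=\"/transfer\"><input name=\"amount\"></form>"
            + "<form method=\"post\"><input type=\"hidden\" name=\"_csrf\" value=\"abc\">"
            + "<input name=\"to\"></form>"
            + "</body></html>";

        System.out.println("text/html: forms without token = "
            + formsWithoutToken("text/html; charset=UTF-8", body));
        // Same bytes served as JavaScript are not inspected at all.
        System.out.println("application/javascript: forms without token = "
            + formsWithoutToken("application/javascript", body));
    }
}
```

Run with `javac CsrfFormCheck.java && java CsrfFormCheck`. The first call inspects the HTML body and reports the one form that has no token field; the second returns 0 without looking at the body, because the Content-Type gate rejects it before any parsing happens. A unit test for the non-HTML case only needs to assert that second result.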