The following scripts are included by default in the add-on and implement these WebSocket passive scan rules:
This script analyzes the incoming WebSocket message payload for Base64 strings. The encoded information may include sensitive data that is not specifically meant for end-user consumption.
The regular expression used to identify Base64 strings relies on the padding characters. As a result, a false negative may occur if the encoded string has a length of N bits where N mod 6 = 0, because no padding is emitted in that case. On the other hand, false positives may occur if the input text contains strings ending with '='.
Examples:
Original | Payload | Outcome |
---|---|---|
Hello World | SGVsbG8gV29ybGQ= | True Positive |
Hello World | THIS_ISSGVsbG8gV29ybGQ=TEXT | True Positive |
Hello World! | SGVsbG8gV29ybGQK | False Negative |
122==122 | Invalid | False Positive |
Default Values:
Risk | Info |
Confidence | Medium |
This passive scanner checks the incoming WebSocket message payload for known application error messages. Access to such details may provide a malicious individual with the means to further abuse the web site. They may also leak data not specifically meant for end-user consumption.
Examples:
Use case | Outcome |
---|---|
Warning: Cannot modify header information - headers already sent | True Positive |
'this' is null or not an object | True Positive |
System.Data.OleDb.OleDbException: Syntax error in string in query expression 'User ID = ? And Password = ?' | True Positive |
Default Values:
Risk | Medium |
Confidence | Medium |
CWE ID | 209: Information Exposure Through an Error Message |
WASC ID | 13: Information Leakage |
This script scans the incoming WebSocket message payload for Personally Identifiable Information. More specifically, it passively scans the payload for credit card numbers. Scans are available for the following credit card types: {American Express, Diners Club, Discover, JCB, Maestro, Master Card, Visa}.
Examples:
Use case | Outcome |
---|---|
5264 8109 66944441 | True Positive |
{"z":0.4333009597918351} | False Positive |
Default Values:
Risk | High |
Confidence | High |
CWE ID | 359: Exposure of Private Information (‘Privacy Violation’) |
WASC ID | 13: Information Leakage |
This script checks the incoming WebSocket message payload for known debug error message fragments. Access to such details may provide a malicious individual with the means to further abuse the web site. They may also leak data not specifically meant for end-user consumption.
Examples:
Use case | Outcome |
---|---|
Error Occurred While Processing Request | True Positive |
PHP Warning: Error While Sending QUERY Packet | True Positive |
Default Values:
Risk | Info |
Confidence | Medium |
CWE ID | 200: Information Exposure |
WASC ID | 13: Info Leakage |
This script scans incoming WebSocket messages for email addresses. Email addresses may not be specifically meant for end-user consumption.
Default Values:
Risk | Info |
Confidence | Info |
CWE ID | 200: Information Exposure |
WASC ID | 13: Information Leakage |
This script checks incoming WebSocket message payloads that are XML formatted for suspicious comments. The comments it searches for relate to components from which an attacker can extract useful information. Comments like FIXME, BUG, etc. might help further attacks targeting weaknesses of the web application.
Examples:
Use case | Outcome |
---|---|
<xml_test><!-- This is a comments section --></xml_test> | True Negative |
<user_form><!-- FIXME: Encode --></user_form> | True Positive |
Default Values:
Risk | Info |
Confidence | Medium |
CWE ID | 200: Information Exposure |
WASC ID | 13: Info Leakage |
Checks the incoming WebSocket message payload for RFC 1918 IPv4 addresses as well as Amazon EC2 private hostnames (for example, ip-10-0-56-78). This information can give an attacker useful knowledge of the IP addressing scheme of the internal network, and might help further attacks targeting internal systems.
This passive scanner may generate false positives for larger dotted numeric strings, such as vp09.02.51.10.01.09.16, where the last four octets appear to be an RFC 1918 IPv4 address. After review, an analyst can mark such alerts as false positives in ZAP.
Examples:
Use case | Outcome |
---|---|
10.255.255.255 | True Positive |
ip-10.0.0.0 | True Positive |
Default Values:
Risk | Low |
Confidence | Medium |
Checks the incoming WebSocket message payload for usernames. This script can find usernames hashed with the following methods: {MD2, MD5, SHA256, SHA384, SHA512}. The usernames have to be defined in a Context beforehand. To add a user to a Context, follow the steps below:
Default Values:
Risk | Info |
Confidence | High |
CWE ID | 284: Improper Access Control |
WASC ID | 2: Insufficient Authorization |