Commit

Merge pull request #5859 from kingthorin/ac-addon
various: Standardize add-on vs addon in help
psiinon authored Oct 31, 2024
2 parents 0921211 + 03b3f74 commit d19d7d0
Showing 9 changed files with 13 additions and 11 deletions.
1 change: 1 addition & 0 deletions addOns/accessControl/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## Unreleased
### Changed
- Update minimum ZAP version to 2.15.0.
- Maintenance changes.

## [10] - 2024-03-25
### Changed
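Review bot: the new `- Maintenance changes.` entry under `### Changed` is the only changelog record of this fix, and it does not say what changed; since the point of the PR is standardising "add-on" in the help text, a line such as `- Standardize "add-on" wording in help.` would make the entry useful to someone reading the changelog later. Placement is right otherwise (inside Unreleased, after the existing minimum-ZAP-version bullet).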
Expand Up @@ -97,7 +97,7 @@ <H3 id="id-10102">Access Control Issue - Improper Authorization</H3>

<H2>API</H2>

The Addon exposes the following API endpoints:
The add-on exposes the following API endpoints:

<H3>Actions</H3>
<H4>scan</H4>
Expand Up @@ -178,7 +178,7 @@ <H2 id="id-40035">Hidden File Finder</H2>
The original included set of payloads were based on <a href="https://github.com/hannob/snallygaster">Snallygaster</a> by Hanno Böck.
Such payloads are verified by checking response code, and content. If the response code is 200 (Ok) then additional content checks are performed to increase alert confidence.
If the response code is 401 (Unauthorized) or 403 (Forbidden) or the content checks are un-successful then an alert is raised with lower confidence (at LOW Threshold).
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel.
For custom payloads only the response status code is checked. If there is a requirement to include a content check then it is also possible to add payloads to
the <code>json/hidden_files.json</code> file in ZAP's user directory (in which case they will be treated as included payloads).
<p>
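Review bot: the unchanged context around the corrected line still carries two small wording defects that could go into the same pass: `un-successful` should be `unsuccessful`, and `200 (Ok)` should read `200 (OK)` to match the way the other status names in the same sentence are written (`401 (Unauthorized)`, `403 (Forbidden)`). The `addon` to `add-on` change itself is consistent with the rest of the PR.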
Expand Down Expand Up @@ -443,7 +443,7 @@ <H2 id="id-40029">Trace.axd Information Leak</H2>

<H2 id="id-10104">User Agent Fuzzer</H2>
This active scan rule checks for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). The rule compares the response statuscode and the hashcode of the response body with the original response.<br>
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
<p>
Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/UserAgentScanRule.java">UserAgentScanRule.java</a>
<br>
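Review bot: the context line above the change has `eg.`, `statuscode` and `hashcode`; `e.g.`, `status code` and `hash code` would match the style of the surrounding help pages and are worth fixing while this paragraph is open. The wording change on the `Note:` line is fine.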
Expand Up @@ -8,7 +8,7 @@
<BODY>
<H1>Custom Payloads</H1>

This addon adds an Options panel from which users are able to add, update, remove payloads of their creation/choosing for use by active or passive scan rules
This add-on adds an Options panel from which users are able to add, update, remove payloads of their creation/choosing for use by active or passive scan rules
which support custom payloads (accessible via the Tools menu Options menu item).
<p>
The option panel interface also facilitates addition of multiple payloads from a file.
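Review bot: the rewritten line still reads `add, update, remove payloads`, which is missing its conjunction (`add, update, or remove payloads`), and the context line that follows describes the location as `the Tools menu Options menu item`, which would be clearer as `Tools > Options`. Since this sentence is being edited anyway, both could be folded into the same change.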
3 changes: 2 additions & 1 deletion addOns/grpc/CHANGELOG.md
Expand Up @@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased

### Changed
- Maintenance changes.

## [0.2.0] - 2024-07-02
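Review bot: the new `### Changed` heading is separated from `## Unreleased` by a blank line here, while the accessControl CHANGELOG in this same PR puts `### Changed` directly under `## Unreleased`; pick one layout and apply it to both files. As in that file, `- Maintenance changes.` says nothing about the actual change (help wording), so a more specific entry would be preferable.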

Expand Up @@ -34,7 +34,7 @@ <h3 >Field Structure</h3>
<h2 >Let&#39;s understand the decoded Protobuf Message Structure using below example</h2>
<p>This is the Base64 encoded form of the binary text received by ZAP.</p>
<p>AAAAAIYJZCZMzMzcXkAVrseHQhi5YCDqrcDlJCixqAM1QEIPADOQSGVsbG8sIFByb3RvYnVmIUJMCgsxMjMgTWFpbiBTdBIGT X1DaXR5GgUxMjMONSIuCgtIZWxsbyBXb3JsZBIITXkgV29ybGQaCllvdXIgV29ybGQiCU91ciBXb3JsZEjqrcDLJA==</p>
<p>On the left side, we have the original message retrieved by the gRPC endpoint in the backend. On the right side, we have the decoded message from the above encoded text, processed by the ZAP gRPC addon.</p>
<p>On the left side, we have the original message retrieved by the gRPC endpoint in the backend. On the right side, we have the decoded message from the above encoded text, processed by the ZAP gRPC add-on.</p>
<p><img src="../../common/images/original-message.png" alt="OriginalMessage" width="400"/> <img src="../../common/images/decoded-message.png" alt="DecodedMessage" width="400"/></p>
<ul>
<li>Each field in the message is represented as &quot;field number:wire type::value&quot;.</li>
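Review bot: the Base64 sample in the unchanged context line contains a space (`...BIGT X1DaXR5...`), so a reader who copies it will get a string that does not decode; please check it against the original capture and remove the break while this page is being touched. The heading `Let's understand the decoded Protobuf Message Structure using below example` would also read better as `...using the example below`. The `addon` to `add-on` change is fine.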
Expand Up @@ -49,7 +49,7 @@ <H2 id="id-90022">Application Errors</H2>
At HIGH Threshold don’t alert on HTTP 500 (but do for other error patterns). Also, such known error strings are much less likely to be relevant in static pages like JS / CSS so these files are only scanned at LOW threshold.<br>
For Internal Server Error (HTTP 500) the Alert is set to Low risk and in other case it is set to Medium risk.

<p><strong>Note:</strong> If the Custom Payloads addon is installed you can add your own Application Error strings (payloads) in the Custom Payloads options panel.
<p><strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own Application Error strings (payloads) in the Custom Payloads options panel.
They will also be searched for in responses as they're passively scanned. Keep in mind that the greater the number of payloads the greater the
amount of time needed to passively scan.
<p>It is also possible to add patterns to the <code>xml/application_errors.xml</code> file in ZAP's user directory.<br>
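Review bot: `in other case it is set to Medium risk` in the context above the change should be `in other cases`. Separately, the `<p>` opened on the changed `Note:` line is never closed before the next `<p>` in this hunk; the renderer will close it implicitly, but the file mixes closed and unclosed paragraphs, which is worth tidying in a follow-up.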
Expand Down Expand Up @@ -310,7 +310,7 @@ <H2 id="id-10025">Information Disclosure: Referrer</H2>
<H2 id="id-10027">Information Disclosure: Suspicious Comments</H2>
Analyzes web content to identify comments which contain potentially sensitive details. Which may lead to
further attack or exposure of unintended data.
<p><strong>Note:</strong> The strings to look for can be extended by using the Custom Payloads addon.
<p><strong>Note:</strong> The strings to look for can be extended by using the Custom Payloads add-on.
<p>
Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureSuspiciousCommentsScanRule.java">InformationDisclosureSuspiciousCommentsScanRule.java</a>
<br>
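Review bot: the two context lines `...potentially sensitive details. Which may lead to further attack or exposure of unintended data.` contain a sentence fragment; joining them (`...sensitive details, which may lead to further attacks or exposure of unintended data.`) would be a worthwhile addition while this paragraph is being edited.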
Expand Down Expand Up @@ -506,7 +506,7 @@ <H2 id="id-10043">User Controllable Javascript Event (XSS)</H2>

<H2 id="id-10057">Username Hash Found</H2>
If any context contains defined users this scan rule checks all responses for the presence of hashed values representing those usernames.
<p><strong>Note:</strong> If the Custom Payloads addon is installed you can add your own Username strings (payloads) in the Custom Payloads options panel.
<p><strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own Username strings (payloads) in the Custom Payloads options panel.
They will also be hashed and searched for in responses as they're passively scanned. Keep in mind that the greater the number of payloads the greater the
amount of time needed to passively scan. (The default payloads are "Admin" and "admin".)<br>
<p>Discovery of any such value may represent an Insecure Direct Object Reference (IDOR) vulnerability. Alerts are only raised as informational items as further manual testing is required in order to confirm and assess impact.
Expand Up @@ -38,7 +38,7 @@ <H2 id="id-10049">Content Cacheability</H2>

<H2 id="id-10110">Dangerous JS Functions</H2>
This scan rule checks for any dangerous JS functions present in a site response.<br>
<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own function names (payloads) in the Custom Payloads options panel.
<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own function names (payloads) in the Custom Payloads options panel.
They will also be searched for in responses as they're passively scanned. Keep in mind that the greater the number of payloads the greater the amount of time needed to passively scan.
<br>
<strong>Note:</strong> &dollar; is stripped from the start of the strings/payloads and is optionally included when the patterns are assembled.
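Review bot: the trailing context line uses the `&dollar;` named entity, which is defined in HTML5 but not in HTML 4; please confirm it renders as `$` in the ZAP help viewer, otherwise a literal `$` or `&#36;` is the safer choice.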
Expand Up @@ -34,7 +34,7 @@ <H3>Record a new Zest script Button</H3>
<br><br>
You can also right click any Stand Alone Zest script and use the 'Start recording' and 'Stop recording' buttons.
<br><br>
There are two primary methods for script recording: server-side and client-side. For client-side recording, we leverage the ZAP browser extension and a dedicated client Addon.
There are two primary methods for script recording: server-side and client-side. For client-side recording, we leverage the ZAP browser extension and a dedicated client add-on.
<br>
This combination allows us to efficiently capture and save user interactions in Zest scripts.
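Review bot: `a dedicated client add-on` now reads as a generic description; if this refers to a specific add-on by name (the original `client Addon` capitalisation suggests it might), naming and linking it would help readers find it.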


0 comments on commit d19d7d0