
Merge pull request #5926 from kingthorin/ascanb-cwe-200
ascanrulesBeta: Replace usage of CWE-200
thc202 authored Nov 25, 2024
2 parents 4191987 + 8e8201b commit 89954b5
Showing 5 changed files with 9 additions and 4 deletions.
5 changes: 5 additions & 0 deletions addOns/ascanrulesBeta/CHANGELOG.md
Expand Up @@ -4,6 +4,11 @@ All notable changes to this add-on will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased
### Changed
- The following scan rules now use more specific CWE IDs:
- Proxy Disclosure (Issue 8713)
- Possible Username Enumeration (Issue 8715)

### Fixed
- Address exception when scanning a message without path with Possible Username Enumeration scan rule.
- The WSTG alert tags on the HTTP Only Site scan rule.
Expand Up @@ -784,7 +784,7 @@ public int getRisk() {

@Override
public int getCweId() {
return 200; // Information Exposure (primarily via TRACE / OPTIONS / TRACK)
return 204; // Observable Response Discrepancy
}

@Override
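Review bot: The new comment on `return 204;` keeps only the CWE title and drops the context the old comment carried ("primarily via TRACE / OPTIONS / TRACK"), while the sibling getCweId hunk in the file containing shouldContinue writes the same id as `// CWE-204: Observable Response Discrepancy`. I would make the two consistent and keep the rationale here, e.g. `return 204; // CWE-204: Observable Response Discrepancy (response differences across TRACE / OPTIONS / TRACK)`, so a maintainer can see why the discrepancy CWE rather than the generic exposure one fits this rule. Whether the detection still hinges on those methods is not visible in the hunk, so that part of the comment should be confirmed against the rule's scan logic. The enclosing class continues outside the hunk.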
Expand Up @@ -745,7 +745,7 @@ private static boolean shouldContinue(List<Context> contextList) {

@Override
public int getCweId() {
return 200; // CWE-200: Information Exposure
return 204; // CWE-204: Observable Response Discrepancy
}

@Override
Expand Up @@ -41,7 +41,7 @@ void shouldReturnExpectedMappings() {
int wasc = rule.getWascId();
Map<String, String> tags = rule.getAlertTags();
// Then
assertThat(cwe, is(equalTo(200)));
assertThat(cwe, is(equalTo(204)));
assertThat(wasc, is(equalTo(45)));
assertThat(tags.size(), is(equalTo(2)));
assertThat(
Expand Up @@ -85,7 +85,7 @@ void shouldReturnExpectedMappings() {
int wasc = rule.getWascId();
Map<String, String> tags = rule.getAlertTags();
// Then
assertThat(cwe, is(equalTo(200)));
assertThat(cwe, is(equalTo(204)));
assertThat(wasc, is(equalTo(13)));
assertThat(tags.size(), is(equalTo(3)));
assertThat(
