Requires Passive Scanning Alpha in order to have the "Information Disclosure - Drupal Hash (Passive 100010)".
A woff2 font file's content (and, by extension, other files too?) may contain strings that would trigger the regex.
Here is what triggered this regex in my case: $½$�u°+ºº¥nu÷�{ûJ�0»2�¼ó¬$Ó���ë¾}'�d>æüºJV�õmMd�Ò��öVU<
As far as I know Drupal hashes are alphanumeric only.
Maybe a more restrictive regex like some others in the same file could do the job.
Steps to reproduce the behavior
Have ZAP passive scan analyze a response with the content of a woff2 font file.
If the file happens to contain a string starting with $ followed by a char, then another $, and then any 52 other chars, the request is going to be tagged as "Information Disclosure - Drupal Hash".
Expected behavior
As the content of a font file has nothing to do with a Drupal hash, this alert should not be raised.
Software versions
ZAP 2.15.0 Desktop
Screenshots
No response
Errors from the zap.log file
No response
Additional context
Passive Scanner Alpha v42.0.0
Would you like to help fix this issue?
Yes
With some quick research I did find that it always literally starts with $S followed by upper/lower alphanumeric plus /, 52 chars. So the regex could be better; there are probably a number of content/file types that can be ignored or excluded, like the core hash rule.
Referenced script: community-scripts/passive/Find Hashes.js, line 60 at commit bf5135a.
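To show the false positive and the tighter check discussed above, here is an added example (not code from the ZAP community-scripts repository). The loose pattern is an assumed reconstruction of the behaviour the report paraphrases (the page does not quote the actual regex); the strict pattern and the skipped content-type list follow the comment's observation and suggestion, and all sample inputs are constructed.

```javascript
// Added example, not code from the ZAP community-scripts repository.
// It contrasts the loose Drupal-hash pattern the report paraphrases
// ("$", one char, "$", then any 52 chars) with a stricter pattern based on
// the comment's observation: Drupal 7 hashes start with "$S$" followed by
// exactly 52 characters from [A-Za-z0-9./] (55 characters in total).

// Assumed reconstruction of the loose behaviour described in the report.
const LOOSE_DRUPAL_RE = /\$.\$.{52}/;

// Stricter pattern: fixed "$S$" prefix, restricted 52-char body, and
// lookarounds so a longer run of base64-like text is not cut into a "hash".
const STRICT_DRUPAL_RE =
  /(?<![A-Za-z0-9.\/$])\$S\$[A-Za-z0-9.\/]{52}(?![A-Za-z0-9.\/])/;

// Constructed list of content types where a password hash is not expected,
// following the suggestion to exclude file types as the core hash rule does.
const SKIP_CONTENT_TYPE_PREFIXES = ["font/", "image/", "audio/", "video/"];

function shouldSkip(contentType) {
  const ct = (contentType || "").toLowerCase();
  return SKIP_CONTENT_TYPE_PREFIXES.some((p) => ct.startsWith(p));
}

// Returns the matched string for each pattern (null when nothing matched or
// the response type is excluded), so the two patterns can be compared.
function scanForDrupalHash(body, contentType) {
  if (shouldSkip(contentType)) return { loose: null, strict: null };
  const loose = LOOSE_DRUPAL_RE.exec(body);
  const strict = STRICT_DRUPAL_RE.exec(body);
  return { loose: loose ? loose[0] : null, strict: strict ? strict[0] : null };
}

// Constructed samples.
const SAMPLE_HASH = "$S$" + "Ab9./".repeat(10) + "Zz"; // 55 chars, Drupal 7 shape
const HTML_WITH_HASH = "<pre>hash: " + SAMPLE_HASH + "</pre>";
// Binary-looking text in the shape of the font bytes from the report: "$", a
// non-alphanumeric char, "$", then plenty of arbitrary characters.
const FONT_LIKE_BYTES = "$\u00bd$" + "\u00f7\u00fb{J0\u00bb2\u00bc\u00f3".repeat(7);
// A longer base64-like run after "$S$" is not a 55-char hash either.
const BASE64_RUN = "$S$" + "QUJD".repeat(20);
```

Run against HTML_WITH_HASH both patterns report the hash; against FONT_LIKE_BYTES only the loose pattern fires, and a font/ content type suppresses both.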