Font file string intepreted as Drupal Hash #460

fzx404 opened this issue Aug 2, 2024 · 1 comment
Comments

fzx404 commented Aug 2, 2024

Describe the bug

False Positive:

Requires Passive Scanning Alpha in order to have the "Information Disclosure - Drupal Hash" (Passive 100010).
The content of a woff2 font file (and by extension, other files too?) may contain strings that would trigger the regex

var drupal = /(\$\S\$\S{52})/g;

Here is what triggered this regex in my case : $½$�u°+ºº¥nu÷�{ûJ�0»2�¼ó¬$Ó���ë¾}'�d>æüºJV�õmMd�Ò��öVU<
As far as I know Drupal hashes are alphanumeric only.
Maybe a more restrictive regex like some others in the same file could do the job.

Steps to reproduce the behavior

  1. Have ZAP passive scan analyze a response with the content of a woff2 font file.
  2. If the file happens to contain a string starting with $ followed by a char, then another $, and whatever 52 other chars, then the request is going to be tagged as "Information Disclosure - Drupal Hash".

Expected behavior

As the content of a font file has nothing to do with a Drupal hash, this alert should not be raised.

Software versions

ZAP 2.15.0 Desktop

Screenshots

No response

Errors from the zap.log file

No response

Additional context

Passive Scanner Alpha v42.0.0

Would you like to help fix this issue?

  • Yes
@fzx404 fzx404 added the bug label Aug 2, 2024
@thc202 thc202 removed the bug label Aug 2, 2024
@kingthorin (Member)

With some quick research I did find that it always literally starts with $S followed by 52 upper/lower alphanumeric chars plus /. So the regex could be better; there are probably a number of content/file types that can be ignored or excluded, like the core hash rule.

@kingthorin kingthorin transferred this issue from zaproxy/zaproxy Aug 5, 2024
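The following is an added example, not code from ZAP or the passive-scan script under discussion. It runs the loose regex quoted in the report next to a tightened one (`$S$` followed by exactly 52 characters from `[A-Za-z0-9./]`, the Drupal 7+ format the comment above describes) and adds a content-type gate, so the two ideas raised in the thread can be checked side by side. The sample hash, the font-like byte string and the list of skipped content types are all constructed for illustration and are not ZAP's rule logic.

```javascript
// Added example (not the project's own code): compare the loose Drupal-hash
// regex from the issue with a tightened one, and skip binary content types.

// Loose pattern quoted in the issue: "$", one non-space char, "$", 52 non-space chars.
const LOOSE_DRUPAL = /(\$\S\$\S{52})/g;

// Tightened pattern (assumption, not the project's rule): Drupal 7+ hashes are
// literally "$S$" followed by exactly 52 chars from [A-Za-z0-9./].
const STRICT_DRUPAL = /\$S\$[A-Za-z0-9./]{52}/g;

// Content types that should never carry a Drupal hash (assumed, illustrative list).
const SKIP_TYPES = [/^font\//i, /^image\//i, /^application\/font/i, /^application\/octet-stream/i];

// Collect every match of a global regex; reset lastIndex because global
// regexes keep state across calls.
function findMatches(re, body) {
  re.lastIndex = 0;
  const out = [];
  let m;
  while ((m = re.exec(body)) !== null) {
    out.push(m[0]);
  }
  return out;
}

// True when the response content type is one we never scan for hashes.
function shouldSkip(contentType) {
  return SKIP_TYPES.some((t) => t.test(contentType || ""));
}

// Scan one response with both patterns after the content-type gate.
function scanResponse(contentType, body) {
  if (shouldSkip(contentType)) {
    return { skipped: true, loose: [], strict: [] };
  }
  return {
    skipped: false,
    loose: findMatches(LOOSE_DRUPAL, body),
    strict: findMatches(STRICT_DRUPAL, body),
  };
}

// Constructed sample: a Drupal-style hash, "$S$" plus 52 allowed chars.
const DRUPAL_HASH = "$S$" + "D" + "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLM./";

// Constructed sample: font-like bytes with "$½$" followed by 52 non-space
// code units, the shape the issue reports as a false positive.
const FONT_LIKE = "\x00\x01GLYF$\u00bd$" + "\u00f5\u00bb".repeat(26) + " tail";

// Stand-alone run: the loose regex fires on both bodies, the strict one only
// on the real hash, and the font body is skipped outright by content type.
console.log(scanResponse("text/html", "<p>" + DRUPAL_HASH + "</p>"));
console.log(scanResponse("text/html", FONT_LIKE));
console.log(scanResponse("font/woff2", FONT_LIKE));
```

The content-type gate alone would have prevented the report above, but the tightened pattern is still worth having: a `text/plain` or `application/javascript` body with binary-looking fragments would otherwise match the loose regex just as a font file does.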