Not stopping JWT active scanner on finding client side vulnerability

SasanLabs · Nov 24, 2020 · 161140e · 161140e
1 parent 4c3022b
commit 161140e
Showing 1 changed file with 2 additions and 4 deletions.
diff --git a/src/main/java/org/zaproxy/zap/extension/jwt/JWTActiveScanRule.java b/src/main/java/org/zaproxy/zap/extension/jwt/JWTActiveScanRule.java
@@ -68,7 +68,7 @@ public void init() {
                 maxRequestCount = 8;
                 break;
             case HIGH:
-                maxRequestCount = 12;
+                maxRequestCount = 18;
                 break;
             case INSANE:
                 maxRequestCount = 28;
@@ -105,9 +105,7 @@ public void scan(HttpMessage msg, String param, String value) {
         }
 
         if (JWTConfiguration.getInstance().isEnableClientConfigurationScan()) {
-            if (performAttackClientSideConfigurations(msg, param)) {
-                return;
-            }
+            performAttackClientSideConfigurations(msg, param);
             this.decreaseRequestCount();
         }
         performAttackServerSideConfigurations(msg, param, jwtHolder, value);