diff --git a/addOns/ascanrules/CHANGELOG.md b/addOns/ascanrules/CHANGELOG.md
index 7ed91f12f27..256c00cbfd2 100644
--- a/addOns/ascanrules/CHANGELOG.md
+++ b/addOns/ascanrules/CHANGELOG.md
@@ -9,6 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Depends on an updated version of the Common Library add-on.
 - The following scan rules and their alerts have been renamed to clarify that they're time based (Issue 7341).
 - SQL Injection - MsSQL
+ - SQL Injection - MySQL
 - SQL Injection - Hypersonic
 ### Added
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlTimingScanRule.java
similarity index 92%
rename from addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java
rename to addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlTimingScanRule.java
index 6685c24170b..dec5c1ce595 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlTimingScanRule.java
@@ -24,7 +24,6 @@
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Iterator;
-import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.atomic.AtomicReference;
@@ -44,11 +43,11 @@
 import org.zaproxy.zap.model.TechSet;
 /**
- * The SqlInjectionMySqlScanRule identifies MySQL specific SQL Injection vulnerabilities using MySQL
- * specific syntax. If it doesn't use MySQL specific syntax, it belongs in the generic SQLInjection
- * class! Note the ordering of checks, for efficiency is : 1) Error based (N/A) 2) Boolean Based
- * (N/A - uses standard syntax) 3) UNION based (N/A - uses standard syntax) 4) Stacked (N/A - uses
- * standard syntax) 5) Blind/Time Based (Yes - uses specific syntax)
+ * This scan rule identifies MySQL specific SQL Injection vulnerabilities using MySQL specific
+ * syntax. If it doesn't use MySQL specific syntax, it belongs in the generic SQLInjection class!
+ * Note the ordering of checks, for efficiency is : 1) Error based (N/A) 2) Boolean Based (N/A -
+ * uses standard syntax) 3) UNION based (N/A - uses standard syntax) 4) Stacked (N/A - uses standard
+ * syntax) 5) Blind/Time Based (Yes - uses specific syntax)
 *
 *
See the following for some great MySQL specific tricks which could be integrated here
* http://www.websec.ca/kb/sql_injection#MySQL_Stacked_Queries
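Review bot: The reworded class Javadoc still does not say up front that this rule is time based, although that is what the rename to SqlInjectionMySqlTimingScanRule is meant to make clear; a reader only learns it from item 5 of the check list. I would add a sentence to the opening paragraph such as `* Detection is time based only; the delay used is taken from the rules.common.sleep rule configuration.`, which matches the help text touched in this commit but should be confirmed against the rule's code, which this hunk does not show. The Javadoc block continues past the end of the hunk.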
@@ -56,7 +55,7 @@
*
* @author 70pointer
*/
-public class SqlInjectionMySqlScanRule extends AbstractAppParamPlugin
+public class SqlInjectionMySqlTimingScanRule extends AbstractAppParamPlugin
implements CommonActiveScanRuleInfo {
/** MySQL one-line comment */
@@ -65,21 +64,6 @@ public class SqlInjectionMySqlScanRule extends AbstractAppParamPlugin
private static final String ORIG_VALUE_TOKEN = "<<<
-Latest code: SqlInjectionMySqlScanRule.java
+Latest code: SqlInjectionMySqlTimingScanRule.java
SQL Injection - MySQL (Time Based)
Post 2.5.0 you can change the length of time used for the attack by changing the rules.common.sleep parameter via the Options 'Rule configuration' panel.
Alert ID: 40019.
diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages.properties
index 921c22b5ac6..8f1c36050aa 100644
--- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages.properties
+++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages.properties
@@ -183,7 +183,7 @@ ascanrules.sqlinjection.desc = SQL injection may be possible.
ascanrules.sqlinjection.hypersonic.name = SQL Injection - Hypersonic SQL (Time Based)
ascanrules.sqlinjection.mssql.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds.
ascanrules.sqlinjection.mssql.name = SQL Injection - MsSQL (Time Based)
-ascanrules.sqlinjection.mysql.name = SQL Injection - MySQL
+ascanrules.sqlinjection.mysql.name = SQL Injection - MySQL (Time Based)
ascanrules.sqlinjection.name = SQL Injection
ascanrules.sqlinjection.oracle.name = SQL Injection - Oracle
ascanrules.sqlinjection.postgres.name = SQL Injection - PostgreSQL
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlTimingScanRuleUnitTest.java
similarity index 95%
rename from addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRuleUnitTest.java
rename to addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlTimingScanRuleUnitTest.java
index 609831b7237..994a2aaa429 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlTimingScanRuleUnitTest.java
@@ -38,12 +38,13 @@
import org.zaproxy.zap.model.TechSet;
import org.zaproxy.zap.testutils.NanoServerHandler;
-/** Unit test for {@link SqlInjectionMySqlScanRule}. */
-class SqlInjectionMySqlScanRuleUnitTest extends ActiveScannerTest