zaproxy
diff --git a/‎addOns/ascanrules/CHANGELOG.md‎
Lines changed: 2 additions & 0 deletions b/‎addOns/ascanrules/CHANGELOG.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java‎
Lines changed: 16 additions & 44 deletions b/‎addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java‎
Lines changed: 16 additions & 44 deletions
diff --git a/‎addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionTimingScanRule.java‎
Lines changed: 2 additions & 1 deletion b/‎addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionTimingScanRule.java‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicTimingScanRule.java‎
Lines changed: 36 additions & 24 deletions b/‎addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicTimingScanRule.java‎
Lines changed: 36 additions & 24 deletions
diff --git a/‎addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlTimingScanRule.java‎
Lines changed: 1 addition & 5 deletions b/‎addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlTimingScanRule.java‎
Lines changed: 1 addition & 5 deletions
@@ -15,6 +15,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
     - SQL Injection - SQLite
     - SQL Injection - PostgreSQL
 - The Remote OS Command Injection scan rule has been broken into two rules; one feedback based, and one time based (Issue 7341). This includes assigning the time based rule ID 90037.
+- For Alerts raised by the SQL Injection scan rules the Attack field values are now simply the payload, not an assembled description.
+- Maintenance changes.
 
 ### Added
 - Rules (as applicable) have been tagged in relation to HIPAA and PCI DSS.
 
@@ -56,7 +56,6 @@
 public class CommandInjectionScanRule extends AbstractAppParamPlugin
         implements CommonActiveScanRuleInfo {
 
-    /** Prefix for internationalised messages used by this rule */
     static final String MESSAGE_PREFIX = "ascanrules.commandinjection.";
 
     // *NIX OS Command constants
@@ -220,10 +219,8 @@ public class CommandInjectionScanRule extends AbstractAppParamPlugin
         NIX_OS_PAYLOADS.put("&&" + insertedCMD + NULL_BYTE_CHARACTER, NIX_CTRL_PATTERN);
     }
 
-    // Logger instance
     private static final Logger LOGGER = LogManager.getLogger(CommandInjectionScanRule.class);
 
-    // Get WASC Vulnerability description
     private static final Vulnerability VULN = Vulnerabilities.getDefault().get("wasc_31");
 
     @Override
@@ -238,12 +235,9 @@ public String getName() {
 
     @Override
     public boolean targets(TechSet technologies) {
-        if (technologies.includes(Tech.Linux)
+        return technologies.includes(Tech.Linux)
                 || technologies.includes(Tech.MacOS)
-                || technologies.includes(Tech.Windows)) {
-            return true;
-        }
-        return false;
+                || technologies.includes(Tech.Windows);
     }
 
     @Override
@@ -295,40 +289,23 @@ public int getRisk() {
      */
     @Override
     public void scan(HttpMessage msg, String paramName, String value) {
-
-        // Begin scan rule execution
         LOGGER.debug(
                 "Checking [{}][{}], parameter [{}] for OS Command Injection Vulnerabilities",
                 msg.getRequestHeader().getMethod(),
                 msg.getRequestHeader().getURI(),
                 paramName);
 
-        // Number of targets to try
-        int targetCount = 0;
-
-        switch (this.getAttackStrength()) {
-            case LOW:
-                targetCount = 3;
-                break;
-
-            case MEDIUM:
-                targetCount = 7;
-                break;
-
-            case HIGH:
-                targetCount = 13;
-                break;
-
-            case INSANE:
-                targetCount =
-                        Math.max(
-                                PS_PAYLOADS.size(),
-                                (Math.max(NIX_OS_PAYLOADS.size(), WIN_OS_PAYLOADS.size())));
-                break;
-
-            default:
-                // Default to off
-        }
+        int targetCount =
+                switch (this.getAttackStrength()) {
+                    case LOW -> 3;
+                    case MEDIUM -> 7;
+                    case HIGH -> 13;
+                    case INSANE ->
+                            Math.max(
+                                    PS_PAYLOADS.size(),
+                                    Math.max(NIX_OS_PAYLOADS.size(), WIN_OS_PAYLOADS.size()));
+                    default -> 0; // Default to "off"
+                };
 
         if (inScope(Tech.Linux) || inScope(Tech.MacOS)) {
             if (testCommandInjection(paramName, value, targetCount, NIX_OS_PAYLOADS)) {
@@ -392,7 +369,6 @@ private boolean testCommandInjection(
             LOGGER.debug("Testing [{}] = [{}]", paramName, paramValue);
 
             try {
-                // Send the request and retrieve the response
                 try {
                     sendAndReceive(msg, false);
                 } catch (SocketException ex) {
@@ -413,8 +389,6 @@ private boolean testCommandInjection(
 
                 Matcher matcher = osPayloads.get(payload).matcher(content);
                 if (matcher.find()) {
-                    // We Found IT!
-                    // First do logging
                     LOGGER.debug(
                             "[OS Command Injection Found] on parameter [{}] with value [{}]",
                             paramName,
@@ -435,8 +409,6 @@ private boolean testCommandInjection(
                         ex);
             }
             if (isStop()) {
-                // Dispose all resources
-                // Exit the scan rule
                 return false;
             }
         }
@@ -458,11 +430,11 @@ static String insertUninitVar(String cmd) {
         for (int i = 1; i < varLength; ++i) {
             array[i] = (char) ThreadLocalRandom.current().nextInt(97, 123);
         }
-        String var = new String(array);
+        String variable = new String(array);
 
         // insert variable before each space and '/' in the path
-        return cmd.replaceAll("\\s", Matcher.quoteReplacement(var + " "))
-                .replaceAll("\\/", Matcher.quoteReplacement(var + "/"));
+        return cmd.replaceAll("\\s", Matcher.quoteReplacement(variable + " "))
+                .replaceAll("\\/", Matcher.quoteReplacement(variable + "/"));
     }
 
     AlertBuilder buildAlert(String param, String attack, String evidence, HttpMessage msg) {
 
@@ -27,6 +27,7 @@
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicReference;
 import org.apache.commons.configuration.ConversionException;
 import org.apache.logging.log4j.LogManager;
@@ -268,7 +269,7 @@ private boolean testCommandInjection(
                         LOGGER.debug("Testing [{}] = [{}]", paramName, finalPayload);
 
                         sendAndReceive(msg, false);
-                        return msg.getTimeElapsedMillis() / 1000.0;
+                        return TimeUnit.MILLISECONDS.toSeconds(msg.getTimeElapsedMillis());
                     };
 
             boolean isInjectable;
 
@@ -26,6 +26,7 @@
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicReference;
 import org.apache.commons.configuration.ConversionException;
 import org.apache.logging.log4j.LogManager;
@@ -70,6 +71,9 @@
 public class SqlInjectionHypersonicTimingScanRule extends AbstractAppParamPlugin
         implements CommonActiveScanRuleInfo {
 
+    private static final String DEFAULT_FROM_AND_WHERE =
+            " from INFORMATION_SCHEMA.SYSTEM_COLUMNS where TABLE_NAME = 'SYSTEM_COLUMNS' and COLUMN_NAME = 'TABLE_NAME'";
+
     /** Hypersonic one-line comment */
     public static final String SQL_ONE_LINE_COMMENT = " -- ";
 
@@ -100,19 +104,19 @@ public class SqlInjectionHypersonicTimingScanRule extends AbstractAppParamPlugin
             List.of(
                     "; select "
                             + SQL_HYPERSONIC_TIME_FUNCTION
-                            + " from INFORMATION_SCHEMA.SYSTEM_COLUMNS where TABLE_NAME = 'SYSTEM_COLUMNS' and COLUMN_NAME = 'TABLE_NAME'"
+                            + DEFAULT_FROM_AND_WHERE
                             + SQL_ONE_LINE_COMMENT,
                     "'; select "
                             + SQL_HYPERSONIC_TIME_FUNCTION
-                            + " from INFORMATION_SCHEMA.SYSTEM_COLUMNS where TABLE_NAME = 'SYSTEM_COLUMNS' and COLUMN_NAME = 'TABLE_NAME'"
+                            + DEFAULT_FROM_AND_WHERE
                             + SQL_ONE_LINE_COMMENT,
                     "\"; select "
                             + SQL_HYPERSONIC_TIME_FUNCTION
-                            + " from INFORMATION_SCHEMA.SYSTEM_COLUMNS where TABLE_NAME = 'SYSTEM_COLUMNS' and COLUMN_NAME = 'TABLE_NAME'"
+                            + DEFAULT_FROM_AND_WHERE
                             + SQL_ONE_LINE_COMMENT,
                     "); select "
                             + SQL_HYPERSONIC_TIME_FUNCTION
-                            + " from INFORMATION_SCHEMA.SYSTEM_COLUMNS where TABLE_NAME = 'SYSTEM_COLUMNS' and COLUMN_NAME = 'TABLE_NAME'"
+                            + DEFAULT_FROM_AND_WHERE
                             + SQL_ONE_LINE_COMMENT,
                     SQL_HYPERSONIC_TIME_FUNCTION,
                     ORIG_VALUE_TOKEN + " / " + SQL_HYPERSONIC_TIME_FUNCTION + " ",
@@ -121,42 +125,50 @@ public class SqlInjectionHypersonicTimingScanRule extends AbstractAppParamPlugin
                     ORIG_VALUE_TOKEN
                             + " and exists ( select "
                             + SQL_HYPERSONIC_TIME_FUNCTION
-                            + " from INFORMATION_SCHEMA.SYSTEM_COLUMNS where TABLE_NAME = 'SYSTEM_COLUMNS' and COLUMN_NAME = 'TABLE_NAME')"
+                            + DEFAULT_FROM_AND_WHERE
+                            + ")"
                             + SQL_ONE_LINE_COMMENT, // Param in WHERE clause somewhere
                     ORIG_VALUE_TOKEN
                             + "' and exists ( select "
                             + SQL_HYPERSONIC_TIME_FUNCTION
-                            + " from INFORMATION_SCHEMA.SYSTEM_COLUMNS where TABLE_NAME = 'SYSTEM_COLUMNS' and COLUMN_NAME = 'TABLE_NAME')"
+                            + DEFAULT_FROM_AND_WHERE
+                            + ")"
                             + SQL_ONE_LINE_COMMENT, // Param in WHERE clause somewhere
                     ORIG_VALUE_TOKEN
                             + "\" and exists ( select "
                             + SQL_HYPERSONIC_TIME_FUNCTION
-                            + " from INFORMATION_SCHEMA.SYSTEM_COLUMNS where TABLE_NAME = 'SYSTEM_COLUMNS' and COLUMN_NAME = 'TABLE_NAME')"
+                            + DEFAULT_FROM_AND_WHERE
+                            + ")"
                             + SQL_ONE_LINE_COMMENT, // Param in WHERE clause somewhere
                     ORIG_VALUE_TOKEN
                             + ") and exists ( select "
                             + SQL_HYPERSONIC_TIME_FUNCTION
-                            + " from INFORMATION_SCHEMA.SYSTEM_COLUMNS where TABLE_NAME = 'SYSTEM_COLUMNS' and COLUMN_NAME = 'TABLE_NAME')"
+                            + DEFAULT_FROM_AND_WHERE
+                            + ")"
                             + SQL_ONE_LINE_COMMENT, // Param in WHERE clause somewhere
                     ORIG_VALUE_TOKEN
                             + " or exists ( select "
                             + SQL_HYPERSONIC_TIME_FUNCTION
-                            + " from INFORMATION_SCHEMA.SYSTEM_COLUMNS where TABLE_NAME = 'SYSTEM_COLUMNS' and COLUMN_NAME = 'TABLE_NAME')"
+                            + DEFAULT_FROM_AND_WHERE
+                            + ")"
                             + SQL_ONE_LINE_COMMENT, // Param in WHERE clause somewhere
                     ORIG_VALUE_TOKEN
                             + "' or exists ( select "
                             + SQL_HYPERSONIC_TIME_FUNCTION
-                            + " from INFORMATION_SCHEMA.SYSTEM_COLUMNS where TABLE_NAME = 'SYSTEM_COLUMNS' and COLUMN_NAME = 'TABLE_NAME')"
+                            + DEFAULT_FROM_AND_WHERE
+                            + ")"
                             + SQL_ONE_LINE_COMMENT, // Param in WHERE clause somewhere
                     ORIG_VALUE_TOKEN
                             + "\" or exists ( select "
                             + SQL_HYPERSONIC_TIME_FUNCTION
-                            + " from INFORMATION_SCHEMA.SYSTEM_COLUMNS where TABLE_NAME = 'SYSTEM_COLUMNS' and COLUMN_NAME = 'TABLE_NAME')"
+                            + DEFAULT_FROM_AND_WHERE
+                            + ")"
                             + SQL_ONE_LINE_COMMENT, // Param in WHERE clause somewhere
                     ORIG_VALUE_TOKEN
                             + ") or exists ( select "
                             + SQL_HYPERSONIC_TIME_FUNCTION
-                            + " from INFORMATION_SCHEMA.SYSTEM_COLUMNS where TABLE_NAME = 'SYSTEM_COLUMNS' and COLUMN_NAME = 'TABLE_NAME')"
+                            + DEFAULT_FROM_AND_WHERE
+                            + ")"
                             + SQL_ONE_LINE_COMMENT // Param in WHERE clause somewhere
                     );
 
@@ -288,14 +300,17 @@ public void scan(HttpMessage originalMessage, String paramName, String paramValu
                                 sleepPayload
                                         .replace(ORIG_VALUE_TOKEN, paramValue)
                                         // Time in milliseconds for the SQL function.
-                                        .replace(SLEEP_TOKEN, Integer.toString(((int) x) * 1000));
+                                        .replace(
+                                                SLEEP_TOKEN,
+                                                String.valueOf(
+                                                        TimeUnit.SECONDS.toMillis((long) x)));
 
                         setParameter(msg, paramName, finalPayload);
                         LOGGER.debug("Testing [{}] = [{}]", paramName, finalPayload);
                         attack.compareAndSet(null, finalPayload);
 
                         sendAndReceive(msg, false);
-                        return msg.getTimeElapsedMillis() / 1000.0;
+                        return TimeUnit.MILLISECONDS.toSeconds(msg.getTimeElapsedMillis());
                     };
 
             try {
@@ -313,21 +328,18 @@ public void scan(HttpMessage originalMessage, String paramName, String paramValu
                             paramName,
                             attack.get());
 
-                    String extraInfo =
-                            Constant.messages.getString(
-                                    "ascanrules.sqlinjection.alert.timebased.extrainfo",
-                                    attack.get(),
-                                    message.get().getTimeElapsedMillis(),
-                                    paramValue,
-                                    getBaseMsg().getTimeElapsedMillis());
-
                     newAlert()
                             .setConfidence(Alert.CONFIDENCE_MEDIUM)
-                            .setName(getName() + " - Time Based")
                             .setUri(getBaseMsg().getRequestHeader().getURI().toString())
                             .setParam(paramName)
                             .setAttack(attack.get())
-                            .setOtherInfo(extraInfo)
+                            .setOtherInfo(
+                                    Constant.messages.getString(
+                                            "ascanrules.sqlinjection.alert.timebased.extrainfo",
+                                            attack.get(),
+                                            message.get().getTimeElapsedMillis(),
+                                            paramValue,
+                                            getBaseMsg().getTimeElapsedMillis()))
                             .setMessage(message.get())
                             .raise();
                     break;
 
@@ -133,7 +133,6 @@ public class SqlInjectionMsSqlTimingScanRule extends AbstractAppParamPlugin
     private static final double TIME_CORRELATION_ERROR_RANGE = 0.15;
     private static final double TIME_SLOPE_ERROR_RANGE = 0.30;
 
-    /** for logging. */
     private static final Logger LOGGER =
             LogManager.getLogger(SqlInjectionMsSqlTimingScanRule.class);
 
@@ -201,7 +200,6 @@ public String getReference() {
     public void init() {
         LOGGER.debug("Initialising");
 
-        // set up what we are allowed to do, depending on the attack strength that was set.
         if (this.getAttackStrength() == AttackStrength.LOW) {
             blindTargetCount = 6;
         } else if (this.getAttackStrength() == AttackStrength.MEDIUM) {
@@ -212,7 +210,6 @@ public void init() {
             blindTargetCount = SQL_MSSQL_TIME_REPLACEMENTS.size();
         }
 
-        // Read the sleep value from the configs
         try {
             this.timeSleepSeconds =
                     this.getConfig()
@@ -225,7 +222,6 @@ public void init() {
         LOGGER.debug("Sleep set to {} seconds", timeSleepSeconds);
     }
 
-    /** scans for SQL Injection vulnerabilities, using MsSQL specific syntax. */
     @Override
     public void scan(HttpMessage originalMessage, String paramName, String paramValue) {
         LOGGER.debug(
@@ -255,7 +251,7 @@ public void scan(HttpMessage originalMessage, String paramName, String paramValu
                         attack.compareAndSet(null, finalPayload);
 
                         sendAndReceive(msg, false);
-                        return msg.getTimeElapsedMillis() / 1000.0;
+                        return TimeUnit.MILLISECONDS.toSeconds(msg.getTimeElapsedMillis());
                     };
 
             try {