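--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules
@@ -431,6 +431,44 @@ private void searchForMathsExecution(
 }
 }
 }
+sendAndReceive (newMsg , true );
+for (SinkPoint sink : sinksToTest ) {
+
+String output = sink .getCurrentStateInString (newMsg , paramName , renderTest );
+
+for (String renderResult : renderExpectedResults ) {
+// Some rendering tests add html tags so we can not only search for
+// the delimiters with the arithmetic result inside. Regex searches
+// may be expensive, so first we check if the result exist in the
+// response and only then we check if it inside the delimiters and
+// was originated by our payload.
+String regex =
+"[\\ w\\ W]*"
++ DELIMITER
++ ".*"
++ renderResult
++ ".*"
++ DELIMITER
++ "[\\ w\\ W]*" ;
+
+if (output .contains (renderResult )
+&& output .matches (regex )
+&& sstiPayload .engineSpecificCheck (regex , output , renderTest )) {
+
+String attack = getOtherInfo (sink .getLocation (), output );
+
+createAlert (
+newMsg .getRequestHeader ().getURI ().toString (),
+paramName ,
+renderTest ,
+attack )
+.setMessage (newMsg )
+.raise ();
+found = true ;
+}
+}
+}
+
 } catch (SocketException ex ) {
 LOGGER .debug ("Caught {} {}" , ex .getClass ().getName (), ex .getMessage ());
 } catch (IOException ex ) {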
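Review bot: The regex assembled at new lines 445–452 interpolates `renderResult` (and `DELIMITER`) unescaped, so any regex metacharacter in an expected rendering result changes what `output.matches(regex)` accepts, and because `matches` is anchored with `[\w\W]*` on both ends every candidate still forces a full scan of the response body, which undercuts the cheap `output.contains(renderResult)` pre-check the comment describes. Wrapping the variable parts, `+ Pattern.quote(renderResult)` and `+ Pattern.quote(DELIMITER)`, keeps the match literal; since the same string is handed to `sstiPayload.engineSpecificCheck(regex, output, renderTest)`, that method's expectations about the pattern's shape should be confirmed before changing it. The pattern depends only on `renderResult`, yet it is rebuilt inside the per-sink loop, so building it once per render result (or precompiling it with `Pattern.compile`) outside `for (SinkPoint sink : sinksToTest)` would avoid the repeated work. After an alert is raised, `found = true` does not leave the inner loop, so one sink can raise an alert for every matching render result; if a single alert per sink is intended, a `break` after `.raise()` is needed. The enclosing `searchForMathsExecution` method and its try block start before this hunk and continue past it.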