Added if statements to ensure one sendandreceive is called based on status of redirect

Author: bkollmar

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiScanRule.java

@@ -244,7 +244,7 @@ private void efficientScan(HttpMessage msg, String paramName, String value) {
         }
 
         if (hasSuspectBehaviourWithPolyglot(paramName, inputPoint)) {
-            searchForMathsExecution(paramName, inputPoint, false);
+            searchForMathsExecution(paramName, msg, inputPoint, false);
         }
     }
 
@@ -291,7 +291,7 @@ private void reliableScan(HttpMessage msg, String paramName, String value, boole
             return;
         }
 
-        searchForMathsExecution(paramName, inputPoint, fixSyntax);
+        searchForMathsExecution(paramName, msg, inputPoint, fixSyntax);
     }
 
     /**
@@ -346,11 +346,28 @@ private boolean hasSuspectBehaviourWithPolyglot(String paramName, InputPoint inp
      * @param fixSyntax declares if should use several prefixes to fix a possible syntax error
      */
     private void searchForMathsExecution(
-            String paramName, InputPoint inputPoint, boolean fixSyntax) {
+            String paramName, HttpMessage msg, InputPoint inputPoint, boolean fixSyntax) {
         ArrayList<SinkPoint> sinksToTest = new ArrayList<>(inputPoint.getSinkPoints());
         boolean found = false;
         String[] codeFixPrefixes = {""};
         String templateFixingPrefix;
+        HttpMessage testMessage = msg.cloneRequest();
+
+        // First request - Do not follow redirects
+        testMessage.getRequestHeader().setHeader("Follow-Redirects", "false");
+        try {
+            sendAndReceive(testMessage, false);
+        } catch (SocketException ex) {
+            LOGGER.debug("Caught {} {}", ex.getClass().getName(), ex.getMessage());
+        } catch (IOException ex) {
+            LOGGER.warn(
+                    "SSTI vulnerability check failed for parameter [{}]  due to an I/O error",
+                    paramName,
+                    ex);
+        }
+
+        int statusCode = testMessage.getResponseHeader().getStatusCode();
+        String redirectUrl = testMessage.getResponseHeader().getHeader("Location");
 
         if (fixSyntax) {
             codeFixPrefixes = WAYS_TO_FIX_CODE_SYNTAX;
@@ -368,7 +385,6 @@ private void searchForMathsExecution(
                 if (isStop() || found) {
                     break;
                 }
-
                 List<String> payloadsAndResults = sstiPayload.getRenderTestAndResult();
                 List<String> renderExpectedResults =
                         payloadsAndResults.subList(1, payloadsAndResults.size());
@@ -392,45 +408,88 @@ private void searchForMathsExecution(
                 try {
 
                     HttpMessage newMsg = getNewMsg();
+
                     setParameter(newMsg, paramName, renderTest);
-                    sendAndReceive(newMsg, false);
-
-                    for (SinkPoint sink : sinksToTest) {
-
-                        String output = sink.getCurrentStateInString(newMsg, paramName, renderTest);
-
-                        for (String renderResult : renderExpectedResults) {
-                            // Some rendering tests add html tags so we can not only search for
-                            // the delimiters with the arithmetic result inside. Regex searches
-                            // may be expensive, so first we check if the result exist in the
-                            // response and only then we check if it inside the delimiters and
-                            // was originated by our payload.
-                            String regex =
-                                    "[\\w\\W]*"
-                                            + DELIMITER
-                                            + ".*"
-                                            + renderResult
-                                            + ".*"
-                                            + DELIMITER
-                                            + "[\\w\\W]*";
-
-                            if (output.contains(renderResult)
-                                    && output.matches(regex)
-                                    && sstiPayload.engineSpecificCheck(regex, output, renderTest)) {
-
-                                String attack = getOtherInfo(sink.getLocation(), output);
-
-                                createAlert(
-                                                newMsg.getRequestHeader().getURI().toString(),
-                                                paramName,
-                                                renderTest,
-                                                attack)
-                                        .setMessage(newMsg)
-                                        .raise();
-                                found = true;
+                    if (!(statusCode >= 300 && statusCode < 400 && redirectUrl != null)) {
+                        sendAndReceive(newMsg, false);
+
+                        for (SinkPoint sink : sinksToTest) {
+
+                            String output = sink.getCurrentStateInString(newMsg, paramName, renderTest);
+
+                            for (String renderResult : renderExpectedResults) {
+                                // Some rendering tests add html tags so we can not only search for
+                                // the delimiters with the arithmetic result inside. Regex searches
+                                // may be expensive, so first we check if the result exist in the
+                                // response and only then we check if it inside the delimiters and
+                                // was originated by our payload.
+                                String regex =
+                                        "[\\w\\W]*"
+                                                + DELIMITER
+                                                + ".*"
+                                                + renderResult
+                                                + ".*"
+                                                + DELIMITER
+                                                + "[\\w\\W]*";
+
+                                if (output.contains(renderResult)
+                                        && output.matches(regex)
+                                        && sstiPayload.engineSpecificCheck(regex, output, renderTest)) {
+
+                                    String attack = getOtherInfo(sink.getLocation(), output);
+
+                                    createAlert(
+                                                    newMsg.getRequestHeader().getURI().toString(),
+                                                    paramName,
+                                                    renderTest,
+                                                    attack)
+                                            .setMessage(newMsg)
+                                            .raise();
+                                    found = true;
+                                }
                             }
                         }
                     }
+                    if (statusCode >= 300 && statusCode < 400 && redirectUrl != null) {
+                        sendAndReceive(newMsg, true);
+                        for (SinkPoint sink : sinksToTest) {
+
+                            String output = sink.getCurrentStateInString(newMsg, paramName, renderTest);
+
+                            for (String renderResult : renderExpectedResults) {
+                                // Some rendering tests add html tags so we can not only search for
+                                // the delimiters with the arithmetic result inside. Regex searches
+                                // may be expensive, so first we check if the result exist in the
+                                // response and only then we check if it inside the delimiters and
+                                // was originated by our payload.
+                                String regex =
+                                        "[\\w\\W]*"
+                                                + DELIMITER
+                                                + ".*"
+                                                + renderResult
+                                                + ".*"
+                                                + DELIMITER
+                                                + "[\\w\\W]*";
+
+                                if (output.contains(renderResult)
+                                        && output.matches(regex)
+                                        && sstiPayload.engineSpecificCheck(regex, output, renderTest)) {
+
+                                    String attack = getOtherInfo(sink.getLocation(), output);
+
+                                    createAlert(
+                                                    newMsg.getRequestHeader().getURI().toString(),
+                                                    paramName,
+                                                    renderTest,
+                                                    attack)
+                                            .setMessage(newMsg)
+                                            .raise();
+                                    found = true;
+                                }
+                            }
+                        }
+                }
+                    
                 } catch (SocketException ex) {
                     LOGGER.debug("Caught {} {}", ex.getClass().getName(), ex.getMessage());
                 } catch (IOException ex) {

addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SstiScanRuleUnitTest.java

@@ -67,7 +67,7 @@ protected int getRecommendMaxNumberMessagesPerParam(Plugin.AttackStrength streng
             case LOW:
                 return recommendMax;
             case MEDIUM:
-                return recommendMax + 2;
+                return recommendMax + 3;
             case HIGH:
                 return recommendMax;
             case INSANE: