diff --git a/addOns/ascanrules/CHANGELOG.md b/addOns/ascanrules/CHANGELOG.md
index cb603ea4cd8..6b72cf8ff0c 100644
--- a/addOns/ascanrules/CHANGELOG.md
+++ b/addOns/ascanrules/CHANGELOG.md
@@ -25,6 +25,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - The Cloud Metadata Potentially Exposed scan rules now has a CWE reference.
 - Scan rules which execute time based attacks now include the "TEST_TIMING" alert tag.
 - The XPath Injection scan rule now supports error patterns provided via the Custom Payloads add-on (Issue 8958). A minimum of Custom Payloads 0.15.0 is required to take advantage of this optional functionality.
+- The Cross Site Scripting scan rule has been updated for additional coverage of JavaScript eval situations.
 ## [72] - 2025-06-20
 ### Added
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRule.java
index f75bb8d95a7..84b3b37c90c 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRule.java
@@ -74,6 +74,7 @@ public class CrossSiteScriptingScanRule extends AbstractAppParamPlugin
 ALERT_TAGS = Collections.unmodifiableMap(alertTags);
 }
+ protected static final String GENERIC_ALERT = "alert(1)";
 protected static final String GENERIC_SCRIPT_ALERT = "";
 protected static final String GENERIC_ONERROR_ALERT = "";
 protected static final String IMG_ONERROR_LOG = "";
@@ -729,6 +730,12 @@ private boolean performScriptAttack(HtmlContext context, HttpMessage msg, String
 return true;
 }
 }
+ List contexts3 = performAttack(msg, param, GENERIC_ALERT, null, 0);
+ if (contexts3 != null && !contexts3.isEmpty()) {
+ if (processContexts(contexts3, param, GENERIC_ALERT, false)) {
+ return true;
+ }
+ }
 return false;
 }
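Review bot: The new `GENERIC_ALERT` constant is added without a comment explaining how it differs from the tag-based payloads declared beside it, so a reader has to find its use in performScriptAttack to learn that it is the bare call intended for reflections that already land inside script (the changelog entry in this commit refers to JavaScript eval situations). I would document it inline, e.g. `/** Bare JavaScript call, for reflections that already land inside script (e.g. an eval()) where no tag is needed. */`. The neighbouring constants in the hunk carry no Javadoc either, so this could be done for the whole group in one pass.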
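Review bot: `contexts3` in the performScriptAttack hunk is declared with the raw type `List`, which discards the element type and draws a rawtypes warning; declare it as `List<HtmlContext> contexts3 = performAttack(msg, param, GENERIC_ALERT, null, 0);`, assuming that is what performAttack returns (HtmlContext is the type already used in this method's signature). More importantly, `alert(1)` is a bare string that only becomes an executable payload when the reflection lands inside script, which is the eval case the new test covers; unless processContexts restricts the match to script contexts, a plain-text reflection of the probe would also be reported at medium confidence, so that behaviour deserves either a check here or a negative test. The numbered name also reads as a copy-and-paste extension of earlier attempts in the same method; a descriptive name such as `evalContexts` would say what this third pass is for. performScriptAttack starts before the hunk, so the earlier attempts it extends are not visible here.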
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRuleUnitTest.java
index 8b28fe6147f..84d754d0fb5 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRuleUnitTest.java
@@ -2670,6 +2670,41 @@ protected Response serve(IHTTPSession session) {
 assertThat(alertsRaised.get(0).getConfidence(), equalTo(Alert.CONFIDENCE_MEDIUM));
 }
+ @Test
+ void shouldReportXssInSriptAttackInEval() throws NullPointerException, IOException {
+ // Given
+ String test = "/shouldReportXssInSriptAttackInEval/";
+
+ this.nano.addHandler(
+ new NanoServerHandler(test) {
+ @Override
+ protected Response serve(IHTTPSession session) {
+ String q = getFirstParamValue(session, "q");
+ String response;
+ if (q != null) {
+ // Make the eye catchers fail
+ response = getHtml(
+ "InputInScriptEval.html",
+ new String[][] {{"q", q}});
+ } else {
+ response = getHtml("NoInput.html");
+ }
+ return newFixedLengthResponse(response);
+ }
+ });
+
+ HttpMessage msg = this.getHttpMessage(test + "?q=sample");
+ this.rule.setConfig(new ZapXmlConfiguration());
+ // When
+ this.rule.init(msg, this.parent);
+ this.rule.scan();
+ // Then
+ assertThat(alertsRaised.size(), equalTo(1));
+ assertThat(alertsRaised.get(0).getParam(), equalTo("q"));
+ assertThat(alertsRaised.get(0).getAttack(), containsString("alert(1)"));
+ assertThat(alertsRaised.get(0).getConfidence(), equalTo(Alert.CONFIDENCE_MEDIUM));
+ }
+
 @Override
 protected Path getResourcePath(String resourcePath) {
 return super.getResourcePath("crosssitescriptingscanrule/" + resourcePath);
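Review bot: The new test method and its path string both misspell "Script" as "Sript" (`shouldReportXssInSriptAttackInEval` and `"/shouldReportXssInSriptAttackInEval/"`); fixing both now avoids a rename later, and the path is only used locally by the handler so the change is self-contained. Declaring `throws NullPointerException` is redundant for an unchecked exception and could be reduced to `throws IOException`, unless the file's other tests keep the same clause for symmetry. The test only covers the positive case; a companion test whose page reflects `q` in plain text and asserts that no alert is raised would show that the bare `alert(1)` probe does not fire outside a script context, and I can't tell from this hunk whether an existing resource already covers that.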
diff --git a/addOns/ascanrules/src/test/resources/org/zaproxy/zap/extension/ascanrules/crosssitescriptingscanrule/InputInScriptEval.html b/addOns/ascanrules/src/test/resources/org/zaproxy/zap/extension/ascanrules/crosssitescriptingscanrule/InputInScriptEval.html new file mode 100644 index 00000000000..9f68b11c538 --- /dev/null +++ b/addOns/ascanrules/src/test/resources/org/zaproxy/zap/extension/ascanrules/crosssitescriptingscanrule/InputInScriptEval.html @@ -0,0 +1,7 @@ + + + + + \ No newline at end of file