ascanrulesBeta: Insecure HTTP Method rule - Address potential FP

Signed-off-by: kingthorin <[email protected]>

Author: kingthorin

addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/InsecureHttpMethodScanRule.java

@@ -98,6 +98,19 @@ public class InsecureHttpMethodScanRule extends AbstractAppPlugin
         INSECURE_METHODS.addAll(WEBDAV_METHODS);
     }
 
+    private static final Set<String> METHODS_TO_SKIP =
+            Set.of(HttpRequestHeader.GET, HttpRequestHeader.POST, HttpRequestHeader.HEAD);
+
+    /*
+     * Build a list with status codes which indicate that this HTTP method is
+     * enabled but we are not allowed to use it
+     */
+    private static final List<Integer> ENABLED_STATUS_CODES =
+            List.of(
+                    HttpStatusCode.UNAUTHORIZED,
+                    HttpStatusCode.PAYMENT_REQUIRED,
+                    HttpStatusCode.FORBIDDEN);
+
     private static final Map<String, String> ALERT_TAGS;
 
     static {
@@ -150,7 +163,7 @@ public void scan() {
             String thirdpartyHost = "www.google.com";
             int thirdpartyPort = 80;
             Pattern thirdPartyContentPattern =
-                    Pattern.compile("<title.*{1,10}Google.{1,25}/title>", Pattern.CASE_INSENSITIVE);
+                    Pattern.compile("<title.{1,10}Google.{1,25}/title>", Pattern.CASE_INSENSITIVE);
 
             // send an OPTIONS message, and see what the server reports. Do
             // not try any methods not listed in those results.
@@ -191,7 +204,12 @@ public void scan() {
             // Convert the list to a set so that we have a unique list
             Set<String> enabledMethodsSet =
                     new HashSet<>(
-                            Arrays.asList(allowedmethods.toUpperCase(Locale.ROOT).split(",")));
+                            Arrays.stream(allowedmethods.toUpperCase(Locale.ROOT).split(","))
+                                    .map(String::trim) // strip off any leading spaces (it happens!)
+                                    .toList());
+
+            // Remove methods we aren't concerned about
+            enabledMethodsSet.removeAll(METHODS_TO_SKIP);
             if (enabledMethodsSet.contains(HttpRequestHeader.DELETE)) {
                 enabledMethodsSet.remove(
                         HttpRequestHeader
@@ -245,12 +263,6 @@ public void scan() {
                 // rely on the OPTIONS METHOD, but potentially verify the
                 // results, depending on the Threshold.
                 for (String enabledmethod : enabledMethodsSet) {
-                    enabledmethod =
-                            enabledmethod.trim(); // strip off any leading spaces (it happens!)
-                    if (enabledmethod.isEmpty()) {
-                        continue;
-                    }
-
                     LOGGER.debug(
                             "The following enabled method is being checked: '{}'", enabledmethod);
                     String insecureMethod = enabledmethod;
@@ -306,10 +318,9 @@ public void scan() {
 
                     if (raiseAlert) {
                         LOGGER.debug("Raising alert for Insecure HTTP Method");
-
                         newAlert()
                                 .setRisk(riskLevel)
-                                .setConfidence(Alert.CONFIDENCE_MEDIUM)
+                                .setConfidence(Alert.CONFIDENCE_LOW)
                                 .setName(
                                         Constant.messages.getString(
                                                 "ascanbeta.insecurehttpmethod.detailed.name",
@@ -565,16 +576,6 @@ private void testHttpMethod(String httpMethod) throws Exception {
         }
 
         final int responseCode = msg.getResponseHeader().getStatusCode();
-        String evidence = "";
-
-        /*
-         * Build a list with status code which indicate that this HTTP method is
-         * enabled but we are not allowed to use it
-         */
-        final ArrayList<Integer> enabledStatusCodes = new ArrayList<>();
-        enabledStatusCodes.add(HttpStatusCode.UNAUTHORIZED);
-        enabledStatusCodes.add(HttpStatusCode.PAYMENT_REQUIRED);
-        enabledStatusCodes.add(HttpStatusCode.FORBIDDEN);
 
         LOGGER.debug("Request Method: {}", httpMethod);
         LOGGER.debug("Response Code: {}", responseCode);
@@ -584,19 +585,15 @@ private void testHttpMethod(String httpMethod) throws Exception {
             return;
         }
 
-        if (isPage200(msg) || responseCode == HttpStatusCode.CREATED) {
-            evidence =
-                    Constant.messages.getString(
-                            "ascanbeta.insecurehttpmethod.insecure", responseCode);
-        } else if (enabledStatusCodes.contains(responseCode)) {
-            evidence =
+        boolean isEnabledStatus = ENABLED_STATUS_CODES.contains(responseCode);
+        String furtherInfo = "";
+
+        if (isEnabledStatus) {
+            furtherInfo =
                     Constant.messages.getString(
                             "ascanbeta.insecurehttpmethod.potentiallyinsecure", responseCode);
-        } else {
-            return;
         }
 
-        int riskLevel;
         String exploitableDesc;
         String exploitableExtraInfo;
         if (WEBDAV_METHODS.contains(httpMethod)) {
@@ -606,7 +603,6 @@ private void testHttpMethod(String httpMethod) throws Exception {
             exploitableExtraInfo =
                     Constant.messages.getString(
                             "ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo");
-            riskLevel = Alert.RISK_INFO;
         } else {
             exploitableDesc =
                     Constant.messages.getString(
@@ -619,24 +615,24 @@ private void testHttpMethod(String httpMethod) throws Exception {
                             "ascanbeta.insecurehttpmethod."
                                     + httpMethod.toLowerCase()
                                     + ".exploitable.extrainfo");
-
-            riskLevel = Alert.RISK_MEDIUM;
         }
-        try {
 
-            newAlert()
-                    .setRisk(riskLevel)
-                    .setConfidence(Alert.CONFIDENCE_MEDIUM)
-                    .setName(
-                            Constant.messages.getString(
-                                    "ascanbeta.insecurehttpmethod.detailed.name", httpMethod))
-                    .setDescription(exploitableDesc)
-                    .setOtherInfo(exploitableExtraInfo)
-                    .setEvidence(evidence)
-                    .setMessage(msg)
-                    .raise();
-        } catch (Exception e) {
-        }
+        exploitableExtraInfo =
+                StringUtils.isNotEmpty(furtherInfo)
+                        ? furtherInfo + "\n\n" + exploitableExtraInfo
+                        : exploitableExtraInfo;
+
+        newAlert()
+                .setRisk(Alert.RISK_MEDIUM)
+                .setConfidence(isEnabledStatus ? Alert.CONFIDENCE_LOW : Alert.CONFIDENCE_MEDIUM)
+                .setName(
+                        Constant.messages.getString(
+                                "ascanbeta.insecurehttpmethod.detailed.name", httpMethod))
+                .setDescription(exploitableDesc)
+                .setOtherInfo(exploitableExtraInfo)
+                .setEvidence(String.valueOf(responseCode))
+                .setMessage(msg)
+                .raise();
     }
 
     private static String randomAlphanumeric(int count) {

addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages.properties

@@ -93,13 +93,12 @@ ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion o
 ascanbeta.insecurehttpmethod.desc = The insecure HTTP method [{0}] is enabled on the web server for this resource. Depending on the web server configuration, and the underlying implementation responsible for serving the resource, this might or might not be exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the 'HttpOnly' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. The 'CONNECT' method can be used by a web client to create an HTTP tunnel to third party websites or services.
 ascanbeta.insecurehttpmethod.detailed.name = Insecure HTTP Method - {0}
 ascanbeta.insecurehttpmethod.extrainfo = The OPTIONS method disclosed the following enabled HTTP methods for this resource: [{0}]
-ascanbeta.insecurehttpmethod.insecure = response code {0} for insecure HTTP METHOD
 ascanbeta.insecurehttpmethod.name = Insecure HTTP Method
 ascanbeta.insecurehttpmethod.options.exploitable.desc = This is a diagnostic method and should never be turned on in production mode.
 ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion on stackexchange: https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods
 ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource.
 ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange: https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https://www.restapitutorial.com/lessons/httpmethods.html
-ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD
+ascanbeta.insecurehttpmethod.potentiallyinsecure = Received response code {0} for potentially insecure HTTP method. This suggests it is enabled or supported but some control prevented us from actually using it.  
 ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.
 ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange: https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https://www.restapitutorial.com/lessons/httpmethods.html
 ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods.