Firing Range: Fix All Reverse ClickJacking results #7125
Comments
If anyone else is not already working on this, can I pick this up?
It's all yours 👍
I researched this and I don't think this will be possible in the already existing scan rule Anti-clickjacking Header. I think we can create another ascanrule called Universal Reverse ClickJacking or Same Origin Method Execution. Here are the POCs for firing range: Here's the approach:
Let me know if this sounds good or if anyone else has any ideas.
Sounds good to me.
No, we won't be attacking that request, let me explain: When you open this link we have a fragmented parameter
Oh nice - look forward to your PR 😁
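For readers unfamiliar with the class of bug being discussed, the following is an added illustration (not code from ZAP, Firing Range, or the commenter above) of the general Same Origin Method Execution / reverse clickjacking pattern: a page reads a callback name from the URL fragment and invokes whatever same-origin function that name resolves to, so a page on another origin that opens the URL with an attacker-chosen name gets a state-changing function run in the victim's session. The page object, the function names and the `callback` parameter are constructed for the example; a mock stands in for `window` so the code runs offline under Node. The hardened dispatcher beside it shows the usual fix: an explicit allow-list instead of a dynamic lookup.

```javascript
// Added example, not from ZAP or Firing Range: the SOME / reverse
// clickjacking pattern and its hardened counterpart, against a mock of the
// page's global scope so it runs offline under Node.

// Constructed mock of the page's globals: a harmless UI helper and a
// sensitive action that must only run on a real user gesture.
function makePage() {
  return {
    log: [],
    showWelcome() { this.log.push("welcome"); },
    deleteAccount() { this.log.push("account deleted"); },
  };
}

// Read one named parameter out of the fragment, e.g. "#callback=showWelcome".
// (Fragment parameters never reach the server, which is one reason a
// header-only check cannot see this bug.)
function fragmentParam(hash, name) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  return params.get(name);
}

// The URL an attacker's page would open (or load in a frame) to trigger the
// call: the victim origin plus the chosen function name in the fragment.
function attackerUrl(victimOrigin, functionName) {
  return `${victimOrigin}/page#callback=${encodeURIComponent(functionName)}`;
}

// Vulnerable dispatcher: any name the fragment carries is looked up on the
// page object and invoked. Nothing ties the call to the user's intent, so
// "#callback=deleteAccount" runs the sensitive action. Returns whether a
// function was invoked.
function vulnerableDispatch(page, hash) {
  const cb = fragmentParam(hash, "callback");
  if (cb && typeof page[cb] === "function") {
    page[cb]();
    return true;
  }
  return false;
}

// Hardened dispatcher: only names in an explicit allow-list are callable.
// A Map is used rather than a plain object so inherited names such as
// "constructor" or "__proto__" cannot be reached through the lookup.
const ALLOWED_CALLBACKS = new Map([
  ["showWelcome", (page) => page.showWelcome()],
]);

function hardenedDispatch(page, hash) {
  const cb = fragmentParam(hash, "callback");
  const fn = cb ? ALLOWED_CALLBACKS.get(cb) : undefined;
  if (!fn) return false;
  fn(page);
  return true;
}

// Stand-alone demonstration.
const victim = makePage();
const url = attackerUrl("https://victim.example", "deleteAccount");
vulnerableDispatch(victim, new URL(url).hash);
console.log("vulnerable page log:", victim.log);   // ["account deleted"]
const fixed = makePage();
hardenedDispatch(fixed, new URL(url).hash);
console.log("hardened page log:", fixed.log);      // []
```

The point for a scan rule is visible in the first dispatcher: the dangerous input lives in the fragment, so the detection has to come from what the page's script does with `location.hash` (or an equivalent client-side parameter), not from any request header or response header.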
We run ZAP against Google Firing Range (FR) using a scheduled task and publish the results on https://www.zaproxy.org/docs/scans/firingrange/
There are currently 4 False Negatives, and it looks like they are all closely related and so hopefully one code change will fix all of them.
For more information about improving scan rules see https://www.zaproxy.org/docs/contribute/scan-rules/
In this case the relevant scan rule is linked to from each test.
As always all PRs should include full unit tests.
It is possible that some of the FR tests are no longer valid due to browser security improvements. If you believe this to be the case then please let us know and we will do our best to confirm that.