
False Positive Dangerous JS Functions regex eval in HTTP Header


Describe the bug

When scanning with ZAP there is a test for the use of JavaScript eval which according to Mozilla should never ever be used. The regex to test for this vulnerability is pretty good but I found a case where the regex is searching in an inappropriate place namely the HTTP Response Header. As far as I know it’s not possible to run JavaScript directly in the HTTP Response header. Would it be possible to limit the search of the regex to <script> tags and .js files to reduce the number of false positives?

Steps to reproduce the behavior

Scan an application with an HTTP Response header cache-control: must-revalidate. ZAP will return the alert Dangerous JS Function and highlight the word eval in the word revalidate.

Expected behavior

Would expect ZAP to skip checking the HTTP Response Header as there is no possibility to execute JavaScript from the Response Header directly and not throw the alert.

Software versions

OWASP ZAP
Version: D-2022-04-11
---
Installed Add-ons:
[id=accessControl, version=8.0.0]
[id=alertFilters, version=14.0.0]
[id=amf, version=3.0.0]
[id=ascanrules, version=47.0.0]
[id=ascanrulesAlpha, version=38.0.0]
[id=ascanrulesBeta, version=41.0.0]
[id=attacksurfacedetector, version=1.1.4]
[id=authstats, version=2.0.0]
[id=automation, version=0.15.0]
[id=browserView, version=5.0.0]
[id=bruteforce, version=12.0.0]
[id=callgraph, version=5.0.0]
[id=callhome, version=0.4.0]
[id=commonlib, version=1.10.0]
[id=coreLang, version=16.0.0]
[id=custompayloads, version=0.11.0]
[id=diff, version=12.0.0]
[id=directorylistv1, version=6.0.0]
[id=directorylistv2_3, version=4.0.0]
[id=directorylistv2_3_lc, version=4.0.0]
[id=domxss, version=13.0.0]
[id=encoder, version=0.7.0]
[id=exim, version=0.2.0]
[id=fileupload, version=1.1.0]
[id=formhandler, version=5.0.0]
[id=fuzz, version=13.7.0]
[id=fuzzdb, version=8.0.0]
[id=gettingStarted, version=14.0.0]
[id=graaljs, version=0.3.0]
[id=graphql, version=0.10.0]
[id=help, version=15.0.0]
[id=hud, version=0.14.0]
[id=imagelocationscanner, version=3.0.0]
[id=importurls, version=9.0.0]
[id=invoke, version=12.0.0]
[id=jsonview, version=2.0.0]
[id=jwt, version=1.0.2]
[id=network, version=0.3.0]
[id=oast, version=0.11.0]
[id=onlineMenu, version=10.0.0]
[id=openapi, version=28.0.0]
[id=plugnhack, version=13.0.0]
[id=portscan, version=10.0.0]
[id=pscanrules, version=41.0.0]
[id=pscanrulesAlpha, version=35.0.0]
[id=pscanrulesBeta, version=30.0.0]
[id=quickstart, version=34.0.0]
[id=reflect, version=0.0.11]
[id=regextester, version=2.0.0]
[id=replacer, version=10.0.0]
[id=reports, version=0.14.0]
[id=requester, version=5.0.0]
[id=retest, version=0.3.0]
[id=retire, version=0.11.0]
[id=reveal, version=5.0.0]
[id=revisit, version=4.0.0]
[id=saml, version=9.0.0]
[id=scripts, version=31.0.0]
[id=selenium, version=15.9.0]
[id=sequence, version=7.0.0]
[id=soap, version=14.0.0]
[id=spiderAjax, version=23.8.0]
[id=sqliplugin, version=15.0.0]
[id=tips, version=10.0.0]
[id=tokengen, version=15.0.0]
[id=treetools, version=8.0.0]
[id=viewstate, version=3.0.0]
[id=wappalyzer, version=21.9.0]
[id=webdriverlinux, version=37.0.0]
[id=webdrivermacos, version=38.0.0]
[id=webdriverwindows, version=37.0.0]
[id=websocket, version=26.0.0]
[id=zest, version=36.0.0]
---
Operating System: Windows 10
Java Version: BellSoft 11.0.13
System's Locale: en_US
Display Locale: en_GB
Format Locale: en_US
ZAP Home Directory: C:\Users\$USER\OWASP ZAP_D\
ZAP Installation Directory: C:\Users\$USER\LocalPrograms\ZAPWeekly\ZAP_D-2022-04-11\.\
Look and Feel: FlatLaf Light (com.formdev.flatlaf.FlatLightLaf)

Screenshots


Errors from the zap.log file

2022-04-13 14:15:21,174 [ZAP-BootstrapGUI] INFO ExtensionPassiveScan - loaded passive scan rule: Dangerous JS Functions

Additional context

There is a wider issue with the eval regex, as a JavaScript function has a specific syntax, so it could possibly be tuned even further: function eval ( ) and function GlobalEval ( )

Would you like to help fix this issue?

  • Yes
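The false positive described in this report comes down to where a pattern is applied and how tightly it is written: a bare substring match for eval fires on the header value must-revalidate (and on ordinary English words such as "re-evaluate"), while a call-shaped pattern applied only to script contexts does not. The following Python script, added here as an illustration and not taken from ZAP's own Dangerous JS Functions rule source, contrasts the two approaches on a constructed response. The NAIVE_EVAL pattern is a hypothetical stand-in for the overly broad check, and recognising ".js files" by the Content-Type header is an assumption about how a rule might scope itself; the HTTP responses are constructed inline and were not captured from any real site.

```python
import re
from typing import Dict, List, Tuple

# Constructed HTML response: 'eval' appears in a header value, in prose, and in a script.
SAMPLE_HTML_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Cache-Control: no-cache, must-revalidate\r\n"
    "\r\n"
    "<html><body>\n"
    "<p>Please re-evaluate your settings.</p>\n"
    "<script>\n"
    "  var cfg = eval('(' + raw + ')');\n"
    "</script>\n"
    "</body></html>\n"
)

# Constructed JavaScript response (the '.js file' case); whitespace before '(' is deliberate.
SAMPLE_JS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/javascript\r\n"
    "Cache-Control: must-revalidate\r\n"
    "\r\n"
    "function load(s) { return eval (s); }\n"
)

# Hypothetical broad pattern: any occurrence of the substring, anywhere in the response.
NAIVE_EVAL = re.compile(r"eval")

# Tightened pattern: 'eval' as a whole identifier that is actually being called.
CALL_EVAL = re.compile(r"\beval\s*\(")

# Content types treated as JavaScript files (assumption for this example).
JS_CONTENT_TYPES = ("application/javascript", "text/javascript", "application/x-javascript")

SCRIPT_TAG = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def split_response(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP response into a lowercase header map and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def naive_scan(raw: str) -> List[str]:
    """Substring matching over the entire response, headers included.

    Returns a short snippet around every hit so the false positives are visible."""
    return [raw[max(0, m.start() - 6): m.end() + 1] for m in NAIVE_EVAL.finditer(raw)]


def script_contexts(headers: Dict[str, str], body: str) -> List[str]:
    """Return only the text where JavaScript can actually execute:
    the whole body for JS content types, otherwise the contents of <script> elements."""
    content_type = headers.get("content-type", "").lower()
    if content_type.startswith(JS_CONTENT_TYPES):
        return [body]
    return [m.group(1) for m in SCRIPT_TAG.finditer(body)]


def targeted_scan(raw: str) -> List[str]:
    """Call-shaped matching restricted to script contexts; headers are never inspected."""
    headers, body = split_response(raw)
    hits: List[str] = []
    for context in script_contexts(headers, body):
        hits.extend(m.group(0) for m in CALL_EVAL.finditer(context))
    return hits


if __name__ == "__main__":
    for label, response in (("html", SAMPLE_HTML_RESPONSE), ("js", SAMPLE_JS_RESPONSE)):
        print(label, "naive:", naive_scan(response))
        print(label, "targeted:", targeted_scan(response))
```

On the HTML response the naive scan reports three hits (the Cache-Control value, the word "re-evaluate", and the real eval call) while the targeted scan reports only the call inside the script element; on the JavaScript response the naive scan still flags the header, the targeted scan flags just the call. Narrowing scope this way trades some recall for precision: JavaScript in inline event handler attributes or in a body served with an unexpected content type would no longer be inspected, so a production rule has to decide which contexts it is willing to skip.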

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 14 (9 by maintainers)

Top GitHub Comments

1 reaction
globeone commented, Apr 13, 2022

The body is 1812 lines so it was more difficult to find the eval in the body in ZAP. And, thanks indeed, ZAP is proving its value every day!

1 reaction
psiinon commented, Apr 13, 2022

Oh good! Good that rule isn't broken and that it helped you find a vuln 😄
