asacnrules: Hidden files FP when 200s returned for 404s (#6719)

psiinon · web-flow · commit a67eae9259e7 · 2025-09-05T12:32:17.000Z
* asacnrules: Hidden files FP when 200s returned for 404s Fixes zaproxy/zaproxy#8434 Signed-off-by: Simon Bennetts <psiinon@gmail.com>
diff --git a/addOns/ascanrules/CHANGELOG.md b/addOns/ascanrules/CHANGELOG.md
@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Fixed
+- Hidden Files rule raising false positives if server returning 200 for files that don't exist (Issue 8434).
 
 ## [73] - 2025-09-02
 ### Changed
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRule.java
@@ -29,6 +29,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Random;
 import java.util.function.Supplier;
 import net.sf.json.JSONArray;
 import net.sf.json.JSONException;
@@ -48,6 +49,7 @@
 import org.parosproxy.paros.network.HttpStatusCode;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
 import org.zaproxy.addon.commonlib.PolicyTag;
+import org.zaproxy.addon.commonlib.http.ComparableResponse;
 import org.zaproxy.addon.commonlib.http.HttpFieldsNames;
 
 /**
@@ -67,6 +69,7 @@ public class HiddenFilesScanRule extends AbstractHostPlugin implements CommonAct
     private static final int PLUGIN_ID = 40035;
     private static final Logger LOGGER = LogManager.getLogger(HiddenFilesScanRule.class);
     private static final Map<String, String> ALERT_TAGS;
+    private static final Random staticRandomGenerator = new Random();
 
     static {
         Map<String, String> alertTags =
@@ -107,20 +110,32 @@ public int getId() {
     public void init() {
         hfList = readFromJsonFile(DEFAULT_PAYLOAD_PATH);
         for (String payload : getHiddenFilePayloads().get()) {
-            hfList.add(
-                    new HiddenFile(
-                            payload,
-                            Collections.emptyList(),
-                            Collections.emptyList(),
-                            "",
-                            Collections.emptyList(),
-                            "",
-                            true));
+            hfList.add(new HiddenFile(payload, true));
         }
     }
 
+    /** Copied from org.parosproxy.paros.core.scanner.Analyser */
+    private static long getRndPositiveLong() {
+        long rnd = Long.MIN_VALUE;
+        while (rnd == Long.MIN_VALUE) {
+            rnd = staticRandomGenerator.nextLong();
+        }
+        return Math.abs(rnd);
+    }
+
     @Override
     public void scan() {
+        HttpMessage willNotExistMsg =
+                sendHiddenFileRequest(new HiddenFile("zap" + getRndPositiveLong(), true));
+        HttpMessage willNotExistDotMsg =
+                sendHiddenFileRequest(new HiddenFile(".zap" + getRndPositiveLong(), true));
+        if (willNotExistMsg == null || willNotExistDotMsg == null) {
+            return;
+        }
+        ComparableResponse willNotExistCompResp = new ComparableResponse(willNotExistMsg, null);
+        ComparableResponse willNotExistDotCompResp =
+                new ComparableResponse(willNotExistDotMsg, null);
+
         for (HiddenFile file : hfList) {
 
             if (isStop()) {
@@ -134,6 +149,17 @@ public void scan() {
             }
             int statusCode = testMsg.getResponseHeader().getStatusCode();
             if (isPage200(testMsg)) {
+                ComparableResponse cr = new ComparableResponse(testMsg, null);
+                ComparableResponse testCr =
+                        file.getPath().startsWith(".")
+                                ? willNotExistDotCompResp
+                                : willNotExistCompResp;
+
+                if (cr.compareWith(testCr) >= 0.9) {
+                    // Getting essentially the same response for a file that really doesn't exist
+                    continue;
+                }
+
                 String responseBody = testMsg.getResponseBody().toString();
                 boolean matches =
                         doesNotMatch(responseBody, file.getNotContent())
@@ -453,6 +479,17 @@ static class HiddenFile {
         private final String extra;
         private final boolean custom;
 
+        public HiddenFile(String path, boolean custom) {
+            this(
+                    path,
+                    Collections.emptyList(),
+                    Collections.emptyList(),
+                    "",
+                    Collections.emptyList(),
+                    "",
+                    custom);
+        }
+
         public HiddenFile(
                 String path,
                 List<String> content,
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java
@@ -41,6 +41,7 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
+import java.util.Random;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
@@ -185,10 +186,11 @@ void shouldRaiseAlertIfTestedUrlRespondsOkWithRelevantContent()
                         false);
 
         this.nano.addHandler(new OkResponse(servePath));
+        nano.setHandler404(new OkWithRndToken(""));
         this.nano.addHandler(
                 new StaticContentServerHandler(
                         '/' + testPath,
-                        "<html><head></head><H>Awesome Title</H1> Some Text... <html>"));
+                        "<html><head></head><H1>Awesome Title</H1> Some Text... <html>"));
 
         HttpMessage msg = this.getHttpMessage(servePath);
 
@@ -426,19 +428,39 @@ void shouldRaiseAlertWithHighConfidenceIfContentStringsAllMatch()
     }
 
     @Test
-    void shouldRaiseAlertWithLowConfidenceIfTestedUrlRespondsOkToCustomPayload()
-            throws HttpMalformedHeaderException {
+    void shouldNotRaiseAlertIfMajorityResponsesTooSimilar() throws HttpMalformedHeaderException {
+        // Given
+        String servePath = "/shouldNotAlert";
+
+        String testPath = "foo/test.php";
+        List<String> customPaths = Arrays.asList(testPath);
+
+        nano.setHandler404(new OkWithRndToken(""));
+
+        HttpMessage msg = this.getHttpMessage(servePath);
+
+        HiddenFilesScanRule.setPayloadProvider(() -> customPaths);
+        rule.init(msg, this.parent);
+
+        // When
+        rule.scan();
+
+        // Then
+        assertThat(alertsRaised, hasSize(0));
+    }
+
+    @Test
+    void shouldtRaiseAlertForMatchWith404As200() throws HttpMalformedHeaderException {
         // Given
         String servePath = "/shouldAlert";
 
         String testPath = "foo/test.php";
         List<String> customPaths = Arrays.asList(testPath);
 
         this.nano.addHandler(new OkResponse(servePath));
-        this.nano.addHandler(
-                new StaticContentServerHandler(
-                        '/' + testPath,
-                        "<html><head></head><H>Awesome Title</H1> Some Text... <html>"));
+        this.nano.addHandler(new OkResponse("/" + testPath));
+
+        nano.setHandler404(new OkWithRndToken(""));
 
         HttpMessage msg = this.getHttpMessage(servePath);
 
@@ -447,15 +469,33 @@ void shouldRaiseAlertWithLowConfidenceIfTestedUrlRespondsOkToCustomPayload()
 
         // When
         rule.scan();
+
         // Then
         assertThat(alertsRaised, hasSize(1));
         Alert alert = alertsRaised.get(0);
-        assertEquals(1, httpMessagesSent.size());
+        assertThat(httpMessagesSent, hasSize(greaterThanOrEqualTo(1)));
         assertEquals(Alert.RISK_MEDIUM, alertsRaised.get(0).getRisk());
         assertEquals(Alert.CONFIDENCE_LOW, alertsRaised.get(0).getConfidence());
         assertEquals(rule.getReference(), alert.getReference());
     }
 
+    @ParameterizedTest
+    @MethodSource("org.zaproxy.zap.extension.ascanrules.HiddenFilesScanRule#getHiddenFiles()")
+    void shouldNotRaiseAlertIfMajorityResponsesTooSimilarForBuiltInCustomPayloads(String fileName)
+            throws HttpMalformedHeaderException {
+        // Given
+        String servePath = "/shouldNotAlert";
+
+        nano.setHandler404(new OkWithRndToken(""));
+
+        rule.init(getHttpMessage(servePath), parent);
+
+        // When
+        rule.scan();
+        // Then
+        assertThat(alertsRaised, hasSize(0));
+    }
+
     @Test
     void shouldNotRaiseAlertIfResponseStatusIsNotOkOrAuthRelated()
             throws HttpMalformedHeaderException {
@@ -756,32 +796,6 @@ void shouldReturnExpectedExampleAlert() {
         assertThat(alert.getConfidence(), is(equalTo(Alert.CONFIDENCE_LOW)));
     }
 
-    @ParameterizedTest
-    @MethodSource("org.zaproxy.zap.extension.ascanrules.HiddenFilesScanRule#getHiddenFiles()")
-    // XXX A very likely FP.
-    void shouldRaiseAlertIfTestedUrlRespondsOkForCustomPayloads(String fileName)
-            throws HttpMalformedHeaderException {
-        // Given
-        String servePath = "/shouldAlert";
-        nano.addHandler(new OkResponse(servePath));
-        nano.addHandler(
-                new StaticContentServerHandler(
-                        '/' + fileName,
-                        "<html><head></head><H>Awesome Title</H1> Some Text... <html>"));
-        rule.init(getHttpMessage(servePath), parent);
-
-        // When
-        rule.scan();
-        // Then
-        assertThat(alertsRaised, hasSize(1));
-        Alert alert = alertsRaised.get(0);
-        assertThat(httpMessagesSent, hasSize(greaterThanOrEqualTo(1)));
-        assertThat(alert.getRisk(), is(equalTo(Alert.RISK_MEDIUM)));
-        assertThat(alert.getConfidence(), is(equalTo(Alert.CONFIDENCE_LOW)));
-        assertThat(alert.getEvidence(), is(equalTo("HTTP/1.1 200 OK")));
-        assertThat(alert.getOtherInfo(), is(equalTo("")));
-    }
-
     @Test
     @Override
     public void shouldHaveValidReferences() {
@@ -868,4 +882,23 @@ public OkBinResponse(String path, String content) {
             super(path, content);
         }
     }
+
+    private static class OkWithRndToken extends NanoServerHandler {
+
+        private Random rnd = new Random();
+
+        public OkWithRndToken(String name) {
+            super(name);
+        }
+
+        @Override
+        protected Response serve(IHTTPSession session) {
+            return NanoHTTPD.newFixedLengthResponse(
+                    Response.Status.OK,
+                    "text/html",
+                    "<html><head></head><body><H1>Awesome Title</H1> Some Text... <br>"
+                            + rnd.nextLong()
+                            + "</body></html>");
+        }
+    }
 }
