Merge pull request #6015 from kingthorin/timing-tag

Add TEST_TIMING alert tag

Author: psiinon

addOns/ascanrules/CHANGELOG.md

@@ -11,6 +11,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Added
 - Rules (as applicable) have been tagged in relation to HIPAA and PCI DSS.
 - The Cloud Metadata Potentially Exposed scan rules now has a CWE reference.
+- Scan rules which execute time based attacks now include the "TEST_TIMING" alert tag.
 
 ## [72] - 2025-06-20
 ### Added

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java

@@ -100,7 +100,8 @@ public class CommandInjectionScanRule extends AbstractAppParamPlugin
                                 CommonAlertTag.OWASP_2017_A01_INJECTION,
                                 CommonAlertTag.WSTG_V42_INPV_12_COMMAND_INJ,
                                 CommonAlertTag.HIPAA,
-                                CommonAlertTag.PCI_DSS));
+                                CommonAlertTag.PCI_DSS,
+                                CommonAlertTag.TEST_TIMING));
         alertTags.put(PolicyTag.API.getTag(), "");
         alertTags.put(PolicyTag.DEV_CICD.getTag(), "");
         alertTags.put(PolicyTag.DEV_STD.getTag(), "");
@@ -370,6 +371,16 @@ public Map<String, String> getAlertTags() {
         return ALERT_TAGS;
     }
 
+    private Map<String, String> getNeededAlertTags(TestType type) {
+        if (TestType.FEEDBACK.equals(type)) {
+            Map<String, String> alertTags = new HashMap<>();
+            alertTags.putAll(getAlertTags());
+            alertTags.remove(CommonAlertTag.TEST_TIMING.getTag());
+            return alertTags;
+        }
+        return getAlertTags();
+    }
+
     @Override
     public int getCweId() {
         return 78;
@@ -585,9 +596,9 @@ private boolean testCommandInjection(
                             "[OS Command Injection Found] on parameter [{}] with value [{}]",
                             paramName,
                             paramValue);
-                    String otherInfo = getOtherInfo(TestType.FEEDBACK, paramValue);
 
-                    buildAlert(paramName, paramValue, matcher.group(), otherInfo, msg).raise();
+                    buildAlert(paramName, paramValue, matcher.group(), TestType.FEEDBACK, msg)
+                            .raise();
 
                     // All done. No need to look for vulnerabilities on subsequent
                     // payloads on the same request (to reduce performance impact)
@@ -670,10 +681,9 @@ private boolean testCommandInjection(
                             "[Blind OS Command Injection Found] on parameter [{}] with value [{}]",
                             paramName,
                             paramValue);
-                    String otherInfo = getOtherInfo(TestType.TIME, paramValue);
 
                     // just attach this alert to the last sent message
-                    buildAlert(paramName, paramValue, "", otherInfo, message.get()).raise();
+                    buildAlert(paramName, paramValue, "", TestType.TIME, message.get()).raise();
 
                     // All done. No need to look for vulnerabilities on subsequent
                     // payloads on the same request (to reduce performance impact)
@@ -722,25 +732,22 @@ private static String insertUninitVar(String cmd) {
     }
 
     private AlertBuilder buildAlert(
-            String param, String attack, String evidence, String otherInfo, HttpMessage msg) {
+            String param, String attack, String evidence, TestType type, HttpMessage msg) {
+        String otherInfo = getOtherInfo(type, attack);
         return newAlert()
                 .setConfidence(Alert.CONFIDENCE_MEDIUM)
                 .setParam(param)
                 .setAttack(attack)
                 .setEvidence(evidence)
                 .setMessage(msg)
-                .setOtherInfo(otherInfo);
+                .setOtherInfo(otherInfo)
+                .setTags(getNeededAlertTags(type));
     }
 
     @Override
     public List<Alert> getExampleAlerts() {
         return List.of(
-                buildAlert(
-                                "qry",
-                                "a;cat /etc/passwd ",
-                                "root:x:0:0",
-                                getOtherInfo(TestType.FEEDBACK, "a;cat /etc/passwd "),
-                                null)
+                buildAlert("qry", "a;cat /etc/passwd ", "root:x:0:0", TestType.FEEDBACK, null)
                         .build());
     }
 }

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRule.java

@@ -201,7 +201,8 @@ public class SqlInjectionHypersonicScanRule extends AbstractAppParamPlugin
                                 CommonAlertTag.OWASP_2017_A01_INJECTION,
                                 CommonAlertTag.WSTG_V42_INPV_05_SQLI,
                                 CommonAlertTag.HIPAA,
-                                CommonAlertTag.PCI_DSS));
+                                CommonAlertTag.PCI_DSS,
+                                CommonAlertTag.TEST_TIMING));
         alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
         alertTags.put(PolicyTag.QA_STD.getTag(), "");
         alertTags.put(PolicyTag.QA_FULL.getTag(), "");

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRule.java

@@ -146,7 +146,8 @@ public class SqlInjectionMsSqlScanRule extends AbstractAppParamPlugin
                                 CommonAlertTag.OWASP_2017_A01_INJECTION,
                                 CommonAlertTag.WSTG_V42_INPV_05_SQLI,
                                 CommonAlertTag.HIPAA,
-                                CommonAlertTag.PCI_DSS));
+                                CommonAlertTag.PCI_DSS,
+                                CommonAlertTag.TEST_TIMING));
         alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
         alertTags.put(PolicyTag.QA_STD.getTag(), "");
         alertTags.put(PolicyTag.QA_FULL.getTag(), "");

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java

@@ -220,7 +220,8 @@ public class SqlInjectionMySqlScanRule extends AbstractAppParamPlugin
                                 CommonAlertTag.OWASP_2017_A01_INJECTION,
                                 CommonAlertTag.WSTG_V42_INPV_05_SQLI,
                                 CommonAlertTag.HIPAA,
-                                CommonAlertTag.PCI_DSS));
+                                CommonAlertTag.PCI_DSS,
+                                CommonAlertTag.TEST_TIMING));
         alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
         alertTags.put(PolicyTag.QA_STD.getTag(), "");
         alertTags.put(PolicyTag.QA_FULL.getTag(), "");

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRule.java

@@ -156,7 +156,8 @@ public class SqlInjectionOracleScanRule extends AbstractAppParamPlugin
                                 CommonAlertTag.OWASP_2017_A01_INJECTION,
                                 CommonAlertTag.WSTG_V42_INPV_05_SQLI,
                                 CommonAlertTag.HIPAA,
-                                CommonAlertTag.PCI_DSS));
+                                CommonAlertTag.PCI_DSS,
+                                CommonAlertTag.TEST_TIMING));
         alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
         alertTags.put(PolicyTag.QA_STD.getTag(), "");
         alertTags.put(PolicyTag.QA_FULL.getTag(), "");

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRule.java

@@ -198,7 +198,8 @@ public class SqlInjectionPostgreScanRule extends AbstractAppParamPlugin
                                 CommonAlertTag.OWASP_2017_A01_INJECTION,
                                 CommonAlertTag.WSTG_V42_INPV_05_SQLI,
                                 CommonAlertTag.HIPAA,
-                                CommonAlertTag.PCI_DSS));
+                                CommonAlertTag.PCI_DSS,
+                                CommonAlertTag.TEST_TIMING));
         alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
         alertTags.put(PolicyTag.QA_STD.getTag(), "");
         alertTags.put(PolicyTag.QA_FULL.getTag(), "");

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSqLiteScanRule.java

@@ -223,7 +223,8 @@ public class SqlInjectionSqLiteScanRule extends AbstractAppParamPlugin
                                 CommonAlertTag.OWASP_2017_A01_INJECTION,
                                 CommonAlertTag.WSTG_V42_INPV_05_SQLI,
                                 CommonAlertTag.HIPAA,
-                                CommonAlertTag.PCI_DSS));
+                                CommonAlertTag.PCI_DSS,
+                                CommonAlertTag.TEST_TIMING));
         alertTags.put(PolicyTag.QA_FULL.getTag(), "");
         alertTags.put(PolicyTag.PENTEST.getTag(), "");
         ALERT_TAGS = Collections.unmodifiableMap(alertTags);
@@ -461,6 +462,7 @@ public void scan(HttpMessage originalMessage, String paramName, String originalP
                                     .setOtherInfo(extraInfo)
                                     .setEvidence(matcher.group())
                                     .setMessage(msgDelay)
+                                    .setTags(getNeededAlertTags(true))
                                     .raise();
 
                             LOGGER.debug(
@@ -603,6 +605,7 @@ public void scan(HttpMessage originalMessage, String paramName, String originalP
                             .setOtherInfo(extraInfo)
                             .setEvidence(extraInfo)
                             .setMessage(detectableDelayMessage)
+                            .setTags(getNeededAlertTags(false))
                             .raise();
 
                     if (detectableDelayMessage != null)
@@ -755,6 +758,7 @@ public void scan(HttpMessage originalMessage, String paramName, String originalP
                                                             .setOtherInfo(extraInfo)
                                                             .setEvidence(versionNumber)
                                                             .setMessage(unionAttackMessage)
+                                                            .setTags(getNeededAlertTags(true))
                                                             .raise();
                                                     break unionLoops;
                                                 }
@@ -807,4 +811,14 @@ public int getWascId() {
     public Map<String, String> getAlertTags() {
         return ALERT_TAGS;
     }
+
+    private Map<String, String> getNeededAlertTags(boolean isFeedbackBased) {
+        if (isFeedbackBased) {
+            Map<String, String> alertTags = new HashMap<>();
+            alertTags.putAll(getAlertTags());
+            alertTags.remove(CommonAlertTag.TEST_TIMING.getTag());
+            return alertTags;
+        }
+        return getAlertTags();
+    }
 }

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRule.java

@@ -61,7 +61,8 @@ public class SstiBlindScanRule extends AbstractAppParamPlugin implements CommonA
                         CommonAlertTag.toMap(
                                 CommonAlertTag.OWASP_2021_A03_INJECTION,
                                 CommonAlertTag.OWASP_2017_A01_INJECTION,
-                                CommonAlertTag.WSTG_V42_INPV_18_SSTI));
+                                CommonAlertTag.WSTG_V42_INPV_18_SSTI,
+                                CommonAlertTag.TEST_TIMING));
         alertTags.put(ExtensionOast.OAST_ALERT_TAG_KEY, ExtensionOast.OAST_ALERT_TAG_VALUE);
         alertTags.put(PolicyTag.API.getTag(), "");
         alertTags.put(PolicyTag.DEV_FULL.getTag(), "");

addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRuleUnitTest.java

@@ -23,6 +23,7 @@
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.hasKey;
 import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.not;
@@ -95,7 +96,7 @@ void shouldReturnExpectedMappings() {
         // Then
         assertThat(cwe, is(equalTo(78)));
         assertThat(wasc, is(equalTo(31)));
-        assertThat(tags.size(), is(equalTo(13)));
+        assertThat(tags.size(), is(equalTo(14)));
         assertThat(
                 tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
                 is(equalTo(true)));
@@ -107,6 +108,7 @@ void shouldReturnExpectedMappings() {
                 is(equalTo(true)));
         assertThat(tags.containsKey(CommonAlertTag.HIPAA.getTag()), is(equalTo(true)));
         assertThat(tags.containsKey(CommonAlertTag.PCI_DSS.getTag()), is(equalTo(true)));
+        assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true)));
         assertThat(tags.containsKey(PolicyTag.API.getTag()), is(equalTo(true)));
         assertThat(tags.containsKey(PolicyTag.DEV_CICD.getTag()), is(equalTo(true)));
         assertThat(tags.containsKey(PolicyTag.DEV_STD.getTag()), is(equalTo(true)));
@@ -381,6 +383,8 @@ void shouldHaveExpectedExampleAlert() {
                                 "The scan rule was able to retrieve the content of a file or "
                                         + "command by sending [a;cat /etc/passwd ] to the operating "
                                         + "system running this application.")));
+        Map<String, String> tags = alert.getTags();
+        assertThat(tags, not(hasKey(CommonAlertTag.TEST_TIMING.getTag())));
     }
 
     private static class PayloadCollectorHandler extends NanoServerHandler {