ascanrules: detect Escaped XSS encodeURIComponent

addOns/ascanrules/CHANGELOG.md

@@ -25,6 +25,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - The Cloud Metadata Potentially Exposed scan rules now has a CWE reference.
 - Scan rules which execute time based attacks now include the "TEST_TIMING" alert tag.
 - The XPath Injection scan rule now supports error patterns provided via the Custom Payloads add-on (Issue 8958). A minimum of Custom Payloads 0.15.0 is required to take advantage of this optional functionality.
+- The Cross Site Scripting scan rule has been updated for additional coverage of JavaScript eval situations.
 
 ## [72] - 2025-06-20
 ### Added

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRule.java

@@ -74,6 +74,7 @@ public class CrossSiteScriptingScanRule extends AbstractAppParamPlugin
         ALERT_TAGS = Collections.unmodifiableMap(alertTags);
     }
 
+    protected static final String GENERIC_ALERT = "alert(1)";
     protected static final String GENERIC_SCRIPT_ALERT = "<scrIpt>alert(1);</scRipt>";
     protected static final String GENERIC_ONERROR_ALERT = "<img src=x onerror=prompt()>";
     protected static final String IMG_ONERROR_LOG = "<img src=x onerror=console.log(1);>";
@@ -729,6 +730,12 @@ private boolean performScriptAttack(HtmlContext context, HttpMessage msg, String
                 return true;
             }
         }
+        List<HtmlContext> contexts3 = performAttack(msg, param, GENERIC_ALERT, null, 0);
+        if (contexts3 != null && !contexts3.isEmpty()) {
+            if (processContexts(contexts3, param, GENERIC_ALERT, false)) {
+                return true;
+            }
+        }
         return false;
     }
 

addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRuleUnitTest.java

@@ -2670,6 +2670,41 @@ protected Response serve(IHTTPSession session) {
         assertThat(alertsRaised.get(0).getConfidence(), equalTo(Alert.CONFIDENCE_MEDIUM));
     }
 
+    @Test
+    void shouldReportXssInSriptAttackInEval() throws NullPointerException, IOException {
+        // Given
+        String test = "/shouldReportXssInSriptAttackInEval/";
+
+        this.nano.addHandler(
+                new NanoServerHandler(test) {
+                    @Override
+                    protected Response serve(IHTTPSession session) {
+                        String q = getFirstParamValue(session, "q");
+                        String response;
+                        if (q != null) {
+                            // Make the eye catchers fail
+                            response = getHtml(
+                                            "InputInScriptEval.html",
+                                            new String[][] {{"q", q}});
+                        } else {
+                            response = getHtml("NoInput.html");
+                        }
+                        return newFixedLengthResponse(response);
+                    }
+                });
+
+        HttpMessage msg = this.getHttpMessage(test + "?q=sample");
+        this.rule.setConfig(new ZapXmlConfiguration());
+        // When
+        this.rule.init(msg, this.parent);
+        this.rule.scan();
+        // Then
+        assertThat(alertsRaised.size(), equalTo(1));
+        assertThat(alertsRaised.get(0).getParam(), equalTo("q"));
+        assertThat(alertsRaised.get(0).getAttack(), containsString("alert(1)"));
+        assertThat(alertsRaised.get(0).getConfidence(), equalTo(Alert.CONFIDENCE_MEDIUM));
+    }
+
     @Override
     protected Path getResourcePath(String resourcePath) {
         return super.getResourcePath("crosssitescriptingscanrule/" + resourcePath);

addOns/ascanrules/src/test/resources/org/zaproxy/zap/extension/ascanrules/crosssitescriptingscanrule/InputInScriptEval.html

@@ -0,0 +1,7 @@
+<html>
+  <body>
+    <script>
+      eval(encodeURIComponent('@@@q@@@'));
+    </script>
+  </body>
+</html>