
[Tracker] Passive Scanning WebSockets #5346

Open
12 of 16 tasks
eakirtas opened this issue May 8, 2019 · 2 comments

eakirtas commented May 8, 2019

Expectations

An infrastructure which allows passive examination of WebSocket messages. The infrastructure should support plugin additions, scripts and an API; all of the above should be able to raise the appropriate alerts.

Current State
Has been released

TODOs

  • Support Plugin Addition
    • Usable UI
  • API
  • Make alerts trigger ZAP-HUD pop-ups (related issue [2])

Done

  • Add folder to Community Script Repo (PR#156)
  • Fix the errors triggered by using websocket passive scanner with ZAP HUD (more-info) (Fixed)
  • Add WebSocket Passive Scan scripts by default
  • PR#1718 Script Mechanism
    Contains:
    • Basic infrastructure - Iterates over the stored websocket messages and, in turn, applies the passive script plugin
    • Templates for Python and JavaScript
    • Scripts are able to raise alerts. However, because of related issue 1 the alerts point to the handshake message.

Possible Scans

  • Scripts
    • Base64 Disclosure - JavaScript
    • Email Disclosure - JavaScript
    • Error Messages Disclosure - JavaScript
    • Private IP Disclosure - JavaScript
    • Credit Card Disclosure - JavaScript
    • Username Scanner - JavaScript
    • Debug Error Disclosure - JavaScript
    • Suspicious Comment Disclosure - JavaScript

Related Issues

  1. Enhancement: Add support for raising alerts for other than HTTP/1.x interactions
  2. Default to showing alerts for different subdomains
  3. Alerts can't handle huge payloads and evidence
  4. Base64 Disclosure rule for WebSocket
  5. WebSocket default scripts behaviour
  6. WebSocketAlertWrapper - Couldn't get the Handshake Http Message for this specific channel
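As an added illustration (not code from the ZAP project or from this issue) of the flow the tracker describes, walking the stored WebSocket messages and applying each passive script plugin that may raise an alert, the following models that loop with three of the listed scans; the message and plugin shapes, function names and the sample traffic are assumptions.

```javascript
// Added model of the passive-scan loop (not ZAP's API); shapes and names are assumptions.
// Constructed sample of stored WebSocket messages, as the scan thread would read them.
const storedMessages = [
  { channelId: 1, direction: "outgoing", payload: '{"user":"alice","host":"10.0.3.7"}' },
  { channelId: 1, direction: "incoming", payload: "contact support@example.com for help" },
  { channelId: 2, direction: "incoming", payload: '{"card":"4111111111111111"}' },
  { channelId: 2, direction: "outgoing", payload: "ping" },
];
// Evidence is truncated so an alert never carries a huge payload (related issue 3).
const MAX_EVIDENCE = 100;
// Luhn checksum: filters plain digit runs down to plausible card numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double && (d *= 2) > 9) d -= 9;
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}
// Three of the "Possible Scans" as regex plugins; an optional check() refines a match.
const plugins = [
  { name: "Private IP Disclosure",
    pattern: /\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b/g },
  { name: "Email Disclosure", pattern: /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g },
  { name: "Credit Card Disclosure", pattern: /\b\d{13,16}\b/g, check: luhnValid },
];
// One plugin over one message; returns the alerts it would raise. channelId is kept so
// the alert can later be attached to that channel's handshake (related issue 6).
function scanMessage(plugin, msg) {
  const alerts = [];
  for (const m of msg.payload.matchAll(plugin.pattern)) {
    if (plugin.check && !plugin.check(m[0])) continue;
    alerts.push({ plugin: plugin.name, channelId: msg.channelId,
                  direction: msg.direction, evidence: m[0].slice(0, MAX_EVIDENCE) });
  }
  return alerts;
}
// The scan thread's loop: every stored message through every plugin, in order.
function runPassiveScan(messages, scanners) {
  const alerts = [];
  for (const msg of messages) for (const p of scanners) alerts.push(...scanMessage(p, msg));
  return alerts;
}
```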
eakirtas commented May 15, 2019

The following exceptions are triggered when using a Passive Scan Script with ZAP HUD.

786919 [Thread-12] WARN org.zaproxy.zap.extension.websocket.pscan.WebSocketPassiveScanThread  - Could not get messages from database
org.parosproxy.paros.db.DatabaseException: java.sql.SQLException: Message not found!
	at org.zaproxy.zap.extension.websocket.db.TableWebSocket.getMessage(TableWebSocket.java:361)
	at org.zaproxy.zap.extension.websocket.pscan.WebSocketPassiveScanThread.run(WebSocketPassiveScanThread.java:144)
Caused by: java.sql.SQLException: Message not found!
	at org.zaproxy.zap.extension.websocket.db.TableWebSocket.getMessage(TableWebSocket.java:357)
	... 1 more
786927 [Thread-12] INFO org.zaproxy.zap.extension.websocket.alerts.WebSocketAlertWrapper  - Couldn't get the Handshake Http Message for this specific channel
java.lang.NullPointerException
	at org.zaproxy.zap.extension.websocket.alerts.WebSocketAlertWrapper.setDetail(WebSocketAlertWrapper.java:71)
	at org.zaproxy.zap.extension.websocket.pscan.scripts.ScriptsWebSocketPassiveScanner$AlertRaiser.raiseAlert(ScriptsWebSocketPassiveScanner.java:109)
	at jdk.nashorn.internal.scripts.Script$Recompilation$2715$1563AA$^eval_.scan(<eval>:66)
	at org.zaproxy.zap.extension.websocket.pscan.scripts.WebSocketPassiveScript$$NashornJavaAdapter.scan(Unknown Source)
	at org.zaproxy.zap.extension.websocket.pscan.scripts.ScriptsWebSocketPassiveScanner.scanMessage(ScriptsWebSocketPassiveScanner.java:73)
	at org.zaproxy.zap.extension.websocket.pscan.WebSocketPassiveScannerDecorator.scanMessage(WebSocketPassiveScannerDecorator.java:37)
	at org.zaproxy.zap.extension.websocket.pscan.WebSocketPassiveScannerPlugin.scanMessage(WebSocketPassiveScannerPlugin.java:25)
	at org.zaproxy.zap.extension.websocket.pscan.WebSocketPassiveScanThread.run(WebSocketPassiveScanThread.java:149)
786928 [Thread-12] ERROR org.zaproxy.zap.extension.alert.ExtensionAlert  - Attempting to raise an alert without URI and/or HTTP message, Plugin ID: 110000 Alert Name:name of the alert
	java.lang.Thread.getStackTrace(Thread.java:1559)
	org.zaproxy.zap.extension.alert.ExtensionAlert.isInvalid(ExtensionAlert.java:237)
	org.zaproxy.zap.extension.alert.ExtensionAlert.alertFound(ExtensionAlert.java:174)
	org.zaproxy.zap.extension.websocket.alerts.AlertManager.alertFound(AlertManager.java:35)
	org.zaproxy.zap.extension.websocket.pscan.WebSocketPassiveScanThread.raiseAlert(WebSocketPassiveScanThread.java:166)
	org.zaproxy.zap.extension.websocket.pscan.scripts.ScriptsWebSocketPassiveScanner$AlertRaiser.raiseAlert(ScriptsWebSocketPassiveScanner.java:111)
	jdk.nashorn.internal.scripts.Script$Recompilation$2715$1563AA$^eval_.scan(<eval>:66)
	org.zaproxy.zap.extension.websocket.pscan.scripts.WebSocketPassiveScript$$NashornJavaAdapter.scan(Unknown Source)
	org.zaproxy.zap.extension.websocket.pscan.scripts.ScriptsWebSocketPassiveScanner.scanMessage(ScriptsWebSocketPassiveScanner.java:73)
	org.zaproxy.zap.extension.websocket.pscan.WebSocketPassiveScannerDecorator.scanMessage(WebSocketPassiveScannerDecorator.java:37)
	org.zaproxy.zap.extension.websocket.pscan.WebSocketPassiveScannerPlugin.scanMessage(WebSocketPassiveScannerPlugin.java:25)
	org.zaproxy.zap.extension.websocket.pscan.WebSocketPassiveScanThread.run(WebSocketPassiveScanThread.java:149)

Application Error disclosure script in JavaScript was added.

@eakirtas eakirtas changed the title Passive Scanning WebSockets [Tracker] Passive Scanning WebSockets Aug 26, 2019