Active Scan Scripts for Custom Vulnerabilities
Active scan scripts test for vulnerabilities specific to your application, or for classes of bug that ZAP's built-in scan rules do not cover. They plug into ZAP's active scanner, which calls the script once for every parameter of every message in scope. A practical example tests for application-specific template and expression-language injection:
# Active scan script for custom injection testing (Jython)
from org.parosproxy.paros.core.scanner import Alert

def scan(sas, msg, param, value):
    # Custom payloads: each evaluates to 49 if the engine interprets it
    payloads = [
        "{{7*7}}",  # Jinja2 / Twig style template expression
        "${7*7}",   # Expression language / FreeMarker style
        "%(7*7)s",  # Python-style string formatting
        "{7*7}",    # Single-brace template engines (e.g. Smarty)
    ]
    evidence = "49"
    # Response to the unmodified request: if it already contains "49",
    # finding "49" after injecting proves nothing, so skip this parameter
    baseline = msg.getResponseBody().toString()
    if evidence in baseline:
        return
    for payload in payloads:
        if sas.isStop():
            return  # the user stopped the scan or it timed out
        # Copy the original message (cloneRequest copies the request only)
        test_msg = msg.cloneRequest()
        # Set the parameter to our payload
        sas.setParam(test_msg, param, payload)
        # Send the request without following redirects
        sas.sendAndReceive(test_msg, False)
        # The payload was evaluated if the product now appears in the response
        response_body = test_msg.getResponseBody().toString()
        if evidence in response_body:
            # raiseAlert(risk, confidence, name, description, uri, param, attack,
            #            otherInfo, solution, evidence, cweId, wascId, msg)
            sas.raiseAlert(
                Alert.RISK_HIGH,
                Alert.CONFIDENCE_MEDIUM,
                "Template Injection",
                "Template injection vulnerability found. The expression " + payload + " was evaluated.",
                test_msg.getRequestHeader().getURI().toString(),
                param,
                payload,
                "Baseline response did not contain " + evidence,  # otherInfo
                "Use parameterized templates and avoid direct template string construction; "
                "ensure user input is properly sanitized before template processing",
                evidence,
                1336,  # CWE-1336: template engine injection
                20,    # WASC-20: Improper Input Handling
                test_msg
            )
            return  # Stop testing this parameter after finding the vulnerability
Active scan scripts receive four parameters: the ScriptsActiveScanner helper object (sas), the HTTP message being tested, the parameter name, and the original parameter value. The helper provides setParam, sendAndReceive, raiseAlert and isStop, so custom findings land in ZAP's standard alert list and reports alongside the built-in rules. Keep scripts efficient: check isStop() inside loops, avoid redundant requests, compare the attack response against the baseline response rather than judging the attack response alone, and return after the first confirmed finding for a parameter. ZAP's active-script template also defines scanNode(sas, msg), which is called once per node rather than once per parameter; include it, even as an empty function, alongside scan.
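The script below is an added example, not code from the page or from the ZAP project. It applies the callback and helper methods just described (scan, scanNode, sas.isStop, setParam, sendAndReceive, raiseAlert, msg.cloneRequest) to a sturdier version of the template-injection test: random four-digit factors instead of a fixed 7*7, a baseline comparison, and a second independent probe before raising at high confidence. It is written for Jython 2.7, the Python that ZAP embeds. The probe syntaxes, the engine names attached to them, the target URL http://target.example/greet and the StandInMessage/StandInScanner classes are assumptions constructed here so that the verdict logic can be exercised outside ZAP; the Alert constants are spelled out as their numeric values for the same reason.

```python
# Added example (not from the page or ZAP): Jython 2.7 active scan script for
# template injection with random factors, baseline comparison and confirmation.
import random
import re

# Numeric values of ZAP's Alert.RISK_HIGH / Alert.CONFIDENCE_* constants
RISK_HIGH = 3
CONFIDENCE_MEDIUM = 2
CONFIDENCE_HIGH = 3
CWE_TEMPLATE_INJECTION = 1336     # CWE-1336, template engine injection
WASC_IMPROPER_INPUT_HANDLING = 20

# Probe syntaxes (assumed); A and B are replaced with random four-digit factors
PROBES = [
    ("double-brace (Jinja2, Twig)",        "{{A*B}}"),
    ("dollar-brace (Java EL, FreeMarker)", "${A*B}"),
    ("single-brace (Smarty)",              "{A*B}"),
]

def make_probe(template, rng=random):
    """Return (payload, expected product); a seven- or eight-digit product
    will not appear on the page by coincidence the way "49" might."""
    a, b = rng.randint(1000, 9999), rng.randint(1000, 9999)
    return template.replace("A", str(a)).replace("B", str(b)), str(a * b)

def evaluated(baseline_body, test_body, expected):
    """Evaluated only if the product is in the probed response and was not
    already present in the unmodified page."""
    return expected in test_body and expected not in baseline_body

def scanNode(sas, msg):
    pass   # per-page checks would go here; this script only tests parameters

def scan(sas, msg, param, value):
    """ZAP callback, once per parameter of each message in the scan."""
    baseline = msg.getResponseBody().toString()
    for family, template in PROBES:
        if sas.isStop():          # user stopped the scan or it timed out
            return
        payload, expected = make_probe(template)
        test_msg = msg.cloneRequest()
        sas.setParam(test_msg, param, payload)
        sas.sendAndReceive(test_msg, False, False)
        if not evaluated(baseline, test_msg.getResponseBody().toString(), expected):
            continue
        # Confirm with an independent pair of factors; two correct products
        # justify high rather than medium confidence
        payload2, expected2 = make_probe(template)
        confirm_msg = msg.cloneRequest()
        sas.setParam(confirm_msg, param, payload2)
        sas.sendAndReceive(confirm_msg, False, False)
        confirmed = evaluated(baseline, confirm_msg.getResponseBody().toString(), expected2)
        sas.raiseAlert(
            RISK_HIGH, CONFIDENCE_HIGH if confirmed else CONFIDENCE_MEDIUM,
            "Server-Side Template Injection (" + family + ")",
            "The parameter is rendered by a template engine that evaluated " + payload + ".",
            test_msg.getRequestHeader().getURI().toString(), param, payload,
            "Second probe " + (payload2 + " confirmed" if confirmed else "did not confirm"),
            "Pass user data to templates as context variables; never build "
            "template source from user input.",
            expected, CWE_TEMPLATE_INJECTION, WASC_IMPROPER_INPUT_HANDLING, test_msg)
        return   # one alert per parameter; stop probing this one

# ---- Constructed stand-ins so scan() can be exercised without ZAP ----
class _Text(object):
    def __init__(self, v): self.v = v
    def toString(self): return self.v

class StandInMessage(object):
    """The parts of HttpMessage the script touches; cloneRequest drops the
    response, as ZAP's does."""
    def __init__(self, params, body=""):
        self.params, self.body = dict(params), body
    def cloneRequest(self): return StandInMessage(self.params)
    def getResponseBody(self): return _Text(self.body)
    def getRequestHeader(self): return self
    def getURI(self): return _Text("http://target.example/greet")

class StandInScanner(object):
    """ScriptsActiveScanner stand-in whose target echoes ?name= and, when
    vulnerable, evaluates {{A*B}} the way a Jinja2 template would."""
    def __init__(self, vulnerable):
        self.vulnerable, self.alerts = vulnerable, []
    def isStop(self): return False
    def setParam(self, msg, param, val): msg.params[param] = val
    def sendAndReceive(self, msg, follow_redirects, handle_csrf):
        body = "<p>Hello %s</p><p>Item 4 of 9</p>" % msg.params.get("name", "")
        if self.vulnerable:
            body = re.sub(r"\{\{(\d+)\*(\d+)\}\}",
                          lambda m: str(int(m.group(1)) * int(m.group(2))), body)
        msg.body = body
    def raiseAlert(self, *args): self.alerts.append(args)

def run_against(vulnerable):
    """Drive scan() once against the stand-in; return the alerts it raised."""
    sas = StandInScanner(vulnerable)
    base = StandInMessage({"name": "alice"})
    sas.sendAndReceive(base, False, False)     # baseline response
    scan(sas, base, "name", "alice")
    return sas.alerts

if __name__ == "__main__":
    print("vulnerable target: %d alert(s)" % len(run_against(True)))
    print("safe target: %d alert(s)" % len(run_against(False)))
```

Loaded into ZAP, only scanNode and scan are called; the stand-in classes sit unused. Against the constructed vulnerable target the double-brace probe is evaluated, the second probe confirms it, and exactly one high-confidence alert is raised with the product as evidence; the safe target, which merely reflects the payload, produces no alert. The baseline comparison is what protects a real page: a product ID or timestamp that happens to contain the expected number is ruled out before any attack request is sent.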