ascanrulesBeta: Address ReDoS in Insecure HTTP Methods rule
- CHANGELOG > Add fix note.
- InsecureHttpMethodScanRule > Adjust regex pattern for Google title
elements. There's no reason to look for unlimited length character
strings. It is doubtful that Google would produce content that might
cause a ReDoS, but limiting the regex is "safest".

Signed-off-by: kingthorin <[email protected]>
kingthorin committed Jan 16, 2025
1 parent 8d08b3e commit 3a7ec35
Showing 2 changed files with 2 additions and 1 deletion.
1 change: 1 addition & 0 deletions addOns/ascanrulesBeta/CHANGELOG.md
@@ -17,6 +17,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
### Fixed
- Address exception when scanning a message without path with Possible Username Enumeration scan rule.
- The WSTG alert tags on the HTTP Only Site scan rule.
- Address potential/theoretical reDoS issue in the Insecure HTTP Method scan rule.

### Added
- Standardized Scan Policy related alert tags on various rules.
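Review bot: the new entry spells the acronym "reDoS" while the commit title uses "ReDoS"; the conventional form is "ReDoS" (Regular expression Denial of Service), so the line should read `- Address potential/theoretical ReDoS issue in the Insecure HTTP Method scan rule.` The rule name in the entry ("Insecure HTTP Method") also differs from the commit title ("Insecure HTTP Methods"); use whichever matches the rule's displayed name so users can find it.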
@@ -149,7 +149,7 @@ public void scan() {
String thirdpartyHost = "www.google.com";
int thirdpartyPort = 80;
Pattern thirdPartyContentPattern =
Pattern.compile("<title.*Google.*/title>", Pattern.CASE_INSENSITIVE);
Pattern.compile("<title.*{1,10}Google.{1,25}/title>", Pattern.CASE_INSENSITIVE);

// send an OPTIONS message, and see what the server reports. Do
// not try any methods not listed in those results.
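Review bot: the replacement pattern `<title.*{1,10}Google.{1,25}/title>` keeps the unbounded `.*` and stacks `{1,10}` after it as a second quantifier, so the first gap is not limited to ten characters as the commit message intends; java.util.regex does not reject this (the `{1,10}` ends up applied to an empty atom), so the pattern compiles but the bound has no effect. The intended form is `<title.{1,10}Google.{1,25}/title>`, or more tightly `<title[^>]{0,10}>Google` since the only text between `<title` and the title content is the tag's closing `>`. A unit test that feeds a response with a long title and asserts on the match result would show that the bound is actually exercised.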