Skip to content

Commit 43639fb

Browse files
jsorefkingthorin
authored andcommitted
Spelling batch 7
* 0123456789 * abcdefghijklmnopqrstuvwxyz * access * analyzed * attack * attribute * boolean * comparison * concurrency * consecutive * constructor * criteria * earlier * empty * entry * expression * for our * forwarded * heartbeat * hirshberg * identifiable * implementation * initial * internationalization * language * launch * length * logs * management * mysql * naive * padding * param * parentheses * penetration * query * read * reflected * remote * repositories * response * should * specific * stripped * successfully * targeted * threshold * vulnerabilities Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
1 parent 34e66d2 commit 43639fb

25 files changed

Lines changed: 64 additions & 58 deletions

File tree

addOns/ascanrules/CHANGELOG.md

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
77
### Fixed
88
- SQL rule should not target NoSQL Dbs.
99

10+
### Changed
11+
- Maintenance changes.
12+
1013
## [50] - 2022-12-13
1114
### Changed
1215
- The Directory Browsing scan rule now includes example alert functionality for documentation generation purposes (Issue 6119).
@@ -214,7 +217,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
214217
## 29 - 2018-01-19
215218

216219
- Issue 3979: Fix reflected XSS in PUT response.
217-
- Issue 3978: Handle relfected XSS in JSON response.
220+
- Issue 3978: Handle reflected XSS in JSON response.
218221
- Issue 4211: Fix false positive in FormatString scanner.
219222

220223
## 28 - 2017-11-27

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CodeInjectionScanRule.java

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -155,7 +155,7 @@ public void scan(HttpMessage msg, String paramName, String value) {
155155

156156
// Begin scan rule execution
157157
log.debug(
158-
"Checking [{}][{}], parameter [{}] for Dynamic Code Injection vulnerabilites",
158+
"Checking [{}][{}], parameter [{}] for Dynamic Code Injection Vulnerabilities",
159159
msg.getRequestHeader().getMethod(),
160160
msg.getRequestHeader().getURI(),
161161
paramName);

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -380,7 +380,7 @@ int getTimeSleep() {
380380
}
381381

382382
/**
383-
* Scan for OS Command Injection Vulnerabilites
383+
* Scan for OS Command Injection Vulnerabilities
384384
*
385385
* @param msg a request only copy of the original message (the response isn't copied)
386386
* @param paramName the parameter name that need to be exploited
@@ -391,7 +391,7 @@ public void scan(HttpMessage msg, String paramName, String value) {
391391

392392
// Begin scan rule execution
393393
log.debug(
394-
"Checking [{}][{}], parameter [{}] for OS Command Injection vulnerabilites",
394+
"Checking [{}][{}], parameter [{}] for OS Command Injection Vulnerabilities",
395395
msg.getRequestHeader().getMethod(),
396396
msg.getRequestHeader().getURI(),
397397
paramName);

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -175,19 +175,19 @@ public void scan(HttpMessage msg, String param, String value) {
175175
sb.append('\n');
176176
String initialAttackPayload = sb.toString();
177177

178-
HttpMessage intialAttackMsg = getNewMsg();
179-
setParameter(intialAttackMsg, param, initialAttackPayload);
178+
HttpMessage initialAttackMsg = getNewMsg();
179+
setParameter(initialAttackMsg, param, initialAttackPayload);
180180
try {
181-
sendAndReceive(intialAttackMsg);
181+
sendAndReceive(initialAttackMsg);
182182
} catch (UnknownHostException ex) {
183183
log.debug(
184184
"Caught {} {} when accessing: {}.\nThe target may have replied with a poorly formed redirect due to our input.",
185185
ex.getClass().getName(),
186186
ex.getMessage(),
187-
intialAttackMsg.getRequestHeader().getURI());
187+
initialAttackMsg.getRequestHeader().getURI());
188188
return; // Something went wrong, no point continuing
189189
}
190-
if (isPage500(intialAttackMsg)) {
190+
if (isPage500(initialAttackMsg)) {
191191
StringBuilder sb1 = new StringBuilder();
192192
sb1.append(initialMessage);
193193
for (i = 0; i < 10; i++) {
@@ -224,7 +224,7 @@ && isPage200(verificationMsg)) {
224224
.setParam(param)
225225
.setAttack(initialAttackPayload)
226226
.setOtherInfo(getError('1'))
227-
.setMessage(intialAttackMsg)
227+
.setMessage(initialAttackMsg)
228228
.raise();
229229
}
230230
return;

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRule.java

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -851,7 +851,7 @@ public class HeartBleedActiveScanRule extends AbstractHostPlugin {
851851
*/
852852
static final byte heartbeatRecordByte = 0x18;
853853

854-
/** the beartbeat request that we will send to */
854+
/** the heartbeat request that we will send to */
855855
static final byte heartbeatBuffer[] = {
856856
0x00,
857857
0x03, // data Length = 0x00 0x03 = 3 in decimal. This length is important later...
@@ -985,7 +985,7 @@ public void scan() {
985985
break;
986986
}
987987
log.debug(
988-
"Got a reponse from the server, but it was not a server hello 'Done' message");
988+
"Got a response from the server, but it was not a server hello 'Done' message");
989989
}
990990
} catch (SocketTimeoutException es) {
991991
throw new IOException(
@@ -1230,7 +1230,7 @@ static SSLRecord recvmsg(InputStream is, int timeoutMs) throws IOException {
12301230
* reads the requested number of bytes from the inputstream, blocking if necessary
12311231
*
12321232
* @param s the inputstream from which to read
1233-
* @param length the number of bytes to reas
1233+
* @param length the number of bytes to read
12341234
* @return a byte array containing the requested number of bytes from the inputstream
12351235
* @throws IOException
12361236
*/

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -115,7 +115,7 @@ public void init() {
115115
}
116116

117117
/**
118-
* Scan for Paddding Oracle Vulnerabilites
118+
* Scan for Padding Oracle Vulnerabilities
119119
*
120120
* @param msg a request only copy of the original message (the response isn't copied)
121121
* @param paramName the parameter name that need to be exploited
@@ -270,8 +270,8 @@ private boolean isEncrypted(byte[] value) {
270270
}
271271

272272
/**
273-
* Enumeration Utility which is able to manage all specifi encoding/decoding tasks that could be
274-
* met during rule's testing
273+
* Enumeration Utility which is able to manage all specific encoding/decoding tasks that could
274+
* be met during rule's testing
275275
*/
276276
public enum OracleEncoder {
277277
HEX {

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRule.java

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -221,7 +221,7 @@ public void scan(HttpMessage sourceMsg, String param, String value) {
221221
hca.getHtmlContexts(Constant.getEyeCatcher(), null, 0);
222222

223223
for (HtmlContext context : contexts) {
224-
// Loop through the returned contexts and lauch targetted attacks
224+
// Loop through the returned contexts and launch targeted attacks
225225
if (attackWorked || isStop()) {
226226
break;
227227
}

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRule.java

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -628,7 +628,7 @@ public void init() {
628628
log.debug("Doing RDBMS specific error based? {}", doSpecificErrorBased);
629629
log.debug("Doing generic RDBMS error based? {}", doGenericErrorBased);
630630
log.debug("Using a max of {} requests", doErrorMaxRequests);
631-
log.debug("Doing expession based? {}", doExpressionBased);
631+
log.debug("Doing expression based? {}", doExpressionBased);
632632
log.debug("Using a max of {} requests", doExpressionMaxRequests);
633633
log.debug("Using boolean based? {}", doBooleanBased);
634634
log.debug("Using a max of {} requests", doBooleanMaxRequests);
@@ -1027,7 +1027,7 @@ && matchBodyPattern(msg1, errorPattern, sb)) {
10271027
}
10281028

10291029
// if the results of the "AND 1=1" match the original query (using either the
1030-
// stipped or unstripped versions), we may be onto something.
1030+
// stripped or unstripped versions), we may be onto something.
10311031
if (andTrueBodyOutput[booleanStrippedUnstrippedIndex].compareTo(
10321032
normalBodyOutput[booleanStrippedUnstrippedIndex])
10331033
== 0) {
@@ -1910,7 +1910,7 @@ private void expressionBasedAttack(
19101910
if (confirmExpressionOutputStripped.compareTo(normalBodyOutputStripped) != 0) {
19111911
// the confirm query did not return the same results. This means that arbitrary
19121912
// queries are not all producing the same page output.
1913-
// this means the fact we earier reproduced the original page output with a
1913+
// this means the fact we earlier reproduced the original page output with a
19141914
// modified parameter was not a coincidence
19151915

19161916
// Likely a SQL Injection. Raise it
@@ -1949,7 +1949,7 @@ public int getRisk() {
19491949

19501950
/**
19511951
* Replace body by stripping of pattern string. The URLencoded pattern will also be stripped
1952-
* off. The URL decoded pattern will not be stripped off, as this is not necessary of rour
1952+
* off. The URL decoded pattern will not be stripped off, as this is not necessary for our
19531953
* purposes, and causes issues when attempting to decode parameter values such as '%' (a single
19541954
* percent character) This is mainly used for stripping off a testing string in HTTP response
19551955
* for comparison against the original response. Reference: TestInjectionSQL

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSqLiteScanRule.java

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -208,7 +208,7 @@ public class SqlInjectionSqLiteScanRule extends AbstractAppParamPlugin {
208208
private long parseDelayDifference = 0;
209209
private long incrementalDelayIncreasesForAlert = 0;
210210

211-
private char[] RANDOM_PARAMETER_CHARS = "abcdefghijklmnopqrstuvwyxz0123456789".toCharArray();
211+
private char[] RANDOM_PARAMETER_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789".toCharArray();
212212
private static final Map<String, String> ALERT_TAGS =
213213
CommonAlertTag.toMap(
214214
CommonAlertTag.OWASP_2021_A03_INJECTION,
@@ -427,7 +427,7 @@ public void scan(HttpMessage originalMessage, String paramName, String originalP
427427
long modifiedTimeUsed = msgDelay.getTimeElapsedMillis();
428428

429429
// before we do the time based checking, first check for a known error message
430-
// from the atatck, indicating a SQL injection vuln
430+
// from the attack, indicating a SQL injection vuln
431431
for (Pattern errorMessagePattern : errorMessagePatterns) {
432432
Matcher matcher =
433433
errorMessagePattern.matcher(msgDelay.getResponseBody().toString());

addOns/ascanrules/src/main/javahelp/org/zaproxy/zap/extension/ascanrules/resources/help/contents/ascanrules.html

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -195,7 +195,7 @@ <H2>Parameter Tampering</H2>
195195

196196
This rule submits requests with parameter values known to cause errors to be displayed to the user if handled improperly. Responses are checked to make sure that they return
197197
a server error status code, then compared with a normal HTTP response to make sure it does not raise an alert if the bad parameter has no effect on output. Finally, the content
198-
of the reponse body is compared against various patterns that may be found in Java servlet, Microsoft VBScript, OLE DB, JET, PHP and Tomcat errors. If a match is found, an alert is raised and
198+
of the response body is compared against various patterns that may be found in Java servlet, Microsoft VBScript, OLE DB, JET, PHP and Tomcat errors. If a match is found, an alert is raised and
199199
the scanner returns immediately.
200200
<p>
201201
Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ParameterTamperScanRule.java">ParameterTamperScanRule.java</a>
@@ -235,7 +235,7 @@ <H2>Server Side Include</H2>
235235
<H2>Source Code Disclosure - CVE-2012-1823</H2>
236236
Exploit CVE-2012-1823 to disclose server-side PHP source code on a PHP-CGI based web server.<br>
237237
Only analyzes responses that are text based (HTML, JSON, XML, etc.), in order to avoid false positives which may occur with image or other binary content.<br>
238-
JavaScript responses are only anaylzed when a LOW alert threshold is set.
238+
JavaScript responses are only analyzed when a LOW alert threshold is set.
239239
<p>
240240
Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureCve20121823ScanRule.java">SourceCodeDisclosureCve20121823ScanRule.java</a>
241241

0 commit comments

Comments
 (0)