Skip to content

Instantly share code, notes, and snippets.

@ykame ykame/find_admin_jsp.js Secret
Created Mar 31, 2016

Embed
What would you like to do?
Find admin.jsp script
// The scan function will be called for request/response made via ZAP, excluding some of the automated tools
// Passive scan rules should not make any requests
// Note that new passive scripts will initially be disabled
// Right click the script in the Scripts tree and select "enable"
function scan(ps, msg, src) {
// (1)
if (true) { // Change to a test which detects the vulnerability
uri = msg.getRequestHeader().getURI().toString()
// URI Check
if (uri.indexOf('admin.jsp') > 0) {
//raiseAlert(risk, int confidence, String name, String description, String uri,
// String param, String attack, String otherInfo, String solution, String evidence,
// int cweId, int wascId, HttpMessage msg)
//risk: 0: info, 1: low, 2: medium, 3: high
//confidence: 0: falsePositive, 1: low, 2: medium, 3: high, 4: confirmed
ps.raiseAlert(1, 1, '[URI]admin.jsp!!', 'admin.jsp',
msg.getRequestHeader().getURI().toString(),
'', '', '', '', '', 0, 0, msg);
}
// (2)
body = msg.getResponseBody().toString()
// Body Check
if (body.indexOf('admin.jsp') > 0) {
ps.raiseAlert(1, 1, '[BODY]admin.jsp!!', 'admin.jsp',
msg.getRequestHeader().getURI().toString(),
'', '', '', '', '', 0, 0, msg);
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.