This repository has been archived by the owner on Aug 18, 2020. It is now read-only.
We discussed inspecting the POST body a few times, and so far concluded that it was too difficult and too costly to do, and we should stick to body size validation instead.
Discussing with @psiinon today, he raised a good point: If we add the format of a POST request into the specification, ZAP could use it as a template to do security tests/fuzzing. The cost issue could be solved by enabling/disabling the filtering at the resource level, and then simply turning it off in production.
The flag must_validate controls whether validate is enforced or not, and thus can be turned off in production.
The format field indicates that the POST body, and thus the validation field, contains valid JSON.
The validation field is then a standardized version of the expected body, with values replaced with placeholders such as [[datetime]] or [[text]] or [[json]].
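One way a gateway could enforce such a template, as an added example that is not videur's own code: a small Python validator over a constructed spec that uses the must_validate, format and validation fields and the three placeholders named above (the placeholder semantics, the strict key matching and the RESOURCE_SPEC contents are assumptions).

```python
import json
from datetime import datetime

# Constructed spec in the shape the issue describes (field names from the issue;
# placeholder semantics are assumptions): must_validate, format, validation template.
RESOURCE_SPEC = {
    "must_validate": True,
    "format": "json",
    "validation": {
        "action": "[[text]]",
        "created": "[[datetime]]",
        "target": {"queues": "[[json]]", "agents": "[[json]]"},
    },
}

def _match_placeholder(placeholder, value):
    """Check one leaf against a [[...]] placeholder; unknown ones fail closed."""
    if placeholder == "[[text]]":
        return isinstance(value, str)
    if placeholder == "[[json]]":
        return True  # any value that json.loads already accepted
    if placeholder == "[[datetime]]" and isinstance(value, str):
        try:  # ISO 8601 only; a trailing Z is read as UTC
            datetime.fromisoformat(value.replace("Z", "+00:00"))
            return True
        except ValueError:
            return False
    return False

def _match(template, value):
    """Recursively compare a parsed body against the template; dict keys must match exactly."""
    if isinstance(template, dict):
        if not isinstance(value, dict) or set(value) != set(template):
            return False  # missing or unexpected fields are both rejected
        return all(_match(template[k], value[k]) for k in template)
    if isinstance(template, str) and template.startswith("[[") and template.endswith("]]"):
        return _match_placeholder(template, value)
    return template == value  # literal constants must match exactly

def validate_body(spec, raw_body):
    """True if raw_body passes the template; skipped entirely when must_validate is off."""
    if not spec.get("must_validate", False):
        return True  # the production switch the issue proposes
    if spec.get("format") != "json":
        return False  # only the JSON format is implemented here (assumption)
    try:
        body = json.loads(raw_body)
    except ValueError:
        return False
    return _match(spec["validation"], body)
```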
+1 from me - I could definitely use that in ZAP, and I think it would be really useful to have the option to validate JSON POST data.
Gives us basic WAF functionality without all the pain ;)
There's no reason why this format could not also be used for the std key=value pairs, XML etc etc
Example from https://github.com/mozilla/videur/blob/master/spec/mig_example.json#L73-L106