This repository has been archived by the owner on Aug 18, 2020. It is now read-only.

POST body inspection #12

Open
jvehent opened this issue Jul 1, 2014 · 1 comment

Comments

@jvehent
Contributor

jvehent commented Jul 1, 2014

We discussed inspecting POST body a few times, and so far concluded that it was too difficult and too costly to do, and we should stick to body size validation instead.

Discussing with @psiinon today, he raised a good point: If we add the format of a POST request into the specification, ZAP could use it as a template to do security tests/fuzzing. The cost issue could be solved by enabling/disabling the filtering at the resource level, and then simply turn it off in production.

Example from https://github.com/mozilla/videur/blob/master/spec/mig_example.json#L73-L106

The flag must_validate controls whether validate is enforced or not, and thus can be turned off in production.
The format field indicates that the POST body, and thus the validation field, contains valid JSON.
The validation field is then a standardized version of the expected body, with values replaced with placeholders such as [[datetime]] or [[text]] or [[json]].

{
    "service": {
        "resources": {
            "/action/create": {
                "POST": {
                    "format": "json",
                    "must_validate": false,
                    "validation": {
                        "id": "[[float64]]",
                        "name": "[[text]]",
                        "target": "[[text]]",
                        "description": {
                            "author": "[[text]]",
                            "email": "[[email]]",
                            "url": "[[text]]",
                            "revision": "[[float64]]"
                        },
                        "threat": {
                            "level": "[[text]]",
                            "family": "[[text]]",
                            "type": "[[text]]"
                        },
                        "validfrom": "[[datetime]]",
                        "expireafter": "[[datetime]]",
                        "operations": [
                            {
                                "module": "[[text]]",
                                "parameters": "[[json]]"
                            }
                        ],
                        "pgpsignatures": [
                            "[[text]]"
                        ],
                        "starttime": "[[datetime]]",
                        "finishtime": "[[datetime]]",
                        "lastupdatetime": "[[datetime]]",
                        "counters": "[[json]]",
                        "syntaxversion": "[[float64]]"
                    }
                }
            }
        }
    }
}
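As an added example (not code from videur or from the issue), a small Python validator that applies a template of this shape to a decoded POST body: placeholders are matched by type, nested objects must carry exactly the template's keys, and a one-element array template applies to every item. The per-placeholder predicates are assumptions, since the issue names the placeholder types but does not define them.

```python
import re
from datetime import datetime

# Predicates for the [[type]] placeholders used in the issue's example. The issue
# names the types but does not define them, so these checks are assumptions.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def _is_datetime(v):
    try:
        datetime.fromisoformat(v.replace("Z", "+00:00"))
        return True
    except (AttributeError, ValueError):  # not a string, or not ISO 8601
        return False

PLACEHOLDERS = {
    "[[text]]": lambda v: isinstance(v, str),
    "[[float64]]": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "[[email]]": lambda v: isinstance(v, str) and EMAIL_RE.match(v) is not None,
    "[[datetime]]": _is_datetime,
    "[[json]]": lambda v: True,  # any JSON value, e.g. module-specific parameters
}

def validate(template, body, path="$"):
    """Return mismatch messages; an empty list means the body matches the template."""
    if isinstance(template, str) and template in PLACEHOLDERS:
        return [] if PLACEHOLDERS[template](body) else [f"{path}: expected {template}"]
    if isinstance(template, dict):  # every template key required, no extra keys allowed
        if not isinstance(body, dict):
            return [f"{path}: expected object"]
        errors = [f"{path}.{k}: unexpected key" for k in body if k not in template]
        for k, sub in template.items():
            errors += validate(sub, body[k], f"{path}.{k}") if k in body else [f"{path}.{k}: missing"]
        return errors
    if isinstance(template, list):  # the single element template applies to every item
        if not isinstance(body, list):
            return [f"{path}: expected array"]
        return [e for i, v in enumerate(body) for e in validate(template[0], v, f"{path}[{i}]")]
    return [] if template == body else [f"{path}: literal mismatch"]  # literals must match exactly

# Constructed template: a subset of the issue's /action/create validation block
TEMPLATE = {
    "id": "[[float64]]", "name": "[[text]]",
    "description": {"author": "[[text]]", "email": "[[email]]"},
    "validfrom": "[[datetime]]",
    "operations": [{"module": "[[text]]", "parameters": "[[json]]"}],
}
# Constructed POST body that should pass
SAMPLE_BODY = {"id": 1, "name": "x", "description": {"author": "a", "email": "a@b.io"},
               "validfrom": "2014-07-01T00:00:00Z",
               "operations": [{"module": "filechecker", "parameters": {"path": "/etc"}}]}
```

`validate(TEMPLATE, SAMPLE_BODY)` returns an empty list; a body with a wrong type, a missing key or an extra key yields one message per problem with its JSON path, which is what a must_validate gate would reject or log.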
@psiinon

psiinon commented Jul 1, 2014

+1 from me - I could definitely use that in ZAP, and I think it would be really useful to have the option to validate JSON POST data.
Gives us basic WAF functionality without all the pain ;)
There's no reason why this format could not also be used for the std key=value pairs, XML, etc.
