False positive in Single Page Application (SPA)
gabbsmo opened this issue · comments
Describe the bug
I ran ZAP and got a warning "Hidden file found https://app.metashare.com/BitKeeper". Indeed, there is no BitKeeper file in wwwroot, but a GET request to this URL will return our index.html. All server side routes resolve to index.html since we rely on client side routing for the app. I believe this is a common pattern in modern web apps.
Steps to reproduce the behavior
Run the automated scan with classic spider.
Expected behavior
Perhaps https://host/BitKeeper should not be considered a hidden file if the response body is equal to that of https://host/.
Software versions
2.14.0
Screenshots
Errors from the zap.log file
No response
Additional context
Also logged this issue with snallygaster
Would you like to help fix this issue?
- Yes
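To make the reported behaviour and the proposed check concrete, here is an added example (not ZAP's code, nor the reporter's application): a constructed stand-in for an SPA origin that serves index.html with a 200 for every unmatched path, a naive finder that flags every 200, and a finder that suppresses a candidate when its body matches the site root. It also compares against a second, randomly named path that cannot exist, which generalizes the proposal in the issue: the catch-all page need not be byte-identical to "/" on every app, so learning the catch-all directly is the safer baseline. The paths, file contents and function names below are all constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Constructed SPA origin: a few real static files under wwwroot, plus a
# catch-all that answers 200 + index.html for everything else (no redirect),
# which is the behaviour described in the issue.
INDEX_HTML = (
    "<!doctype html><html><body><div id=app></div>"
    "<script src=/app.js></script></body></html>"
)
WWWROOT = {
    "/": INDEX_HTML,
    "/index.html": INDEX_HTML,
    "/app.js": "console.log('spa')",
    "/.git/HEAD": "ref: refs/heads/main\n",  # constructed: a file that really is exposed
}


@dataclass
class Response:
    status: int
    body: str


def spa_server(path: str) -> Response:
    """Constructed SPA origin: static hit -> that file, anything else -> index.html."""
    if path in WWWROOT:
        return Response(200, WWWROOT[path])
    return Response(200, INDEX_HTML)


def strict_server(path: str) -> Response:
    """Constructed conventional origin: unknown paths get a 404, not index.html."""
    if path in WWWROOT:
        return Response(200, WWWROOT[path])
    return Response(404, "Not Found")


def body_fingerprint(body: str) -> str:
    return hashlib.sha256(body.encode()).hexdigest()


def naive_find(fetch: Callable[[str], Response], candidates: Iterable[str]) -> List[str]:
    """Flag every candidate that answers 200: produces the false positive from the issue."""
    return [p for p in candidates if fetch(p).status == 200]


def find_hidden_files(fetch: Callable[[str], Response], candidates: Iterable[str]) -> List[str]:
    """Flag a candidate only when its 200 body differs from the site root and from
    the catch-all response learned from a path that cannot exist."""
    root_fp = body_fingerprint(fetch("/").body)
    # Randomly named path: if the origin answers 200 here, that body is the catch-all.
    canary = fetch("/" + secrets.token_hex(8))
    catchall_fp = body_fingerprint(canary.body) if canary.status == 200 else None

    findings = []
    for path in candidates:
        r = fetch(path)
        if r.status != 200:
            continue
        fp = body_fingerprint(r.body)
        if fp == root_fp or fp == catchall_fp:
            continue  # same content as "/" or the SPA fallback: not a hidden file
        findings.append(path)
    return findings


if __name__ == "__main__":
    probes = ["/BitKeeper", "/.git/HEAD", "/.svn/entries"]
    print("naive on SPA:   ", naive_find(spa_server, probes))
    print("compared on SPA:", find_hidden_files(spa_server, probes))
    print("compared strict:", find_hidden_files(strict_server, probes))
```

Against the constructed SPA origin the naive finder reports all three probes, while the comparing finder reports only /.git/HEAD; against the strict origin both approaches agree, so the extra baseline requests cost nothing on conventional sites. A fingerprint comparison (hash of the body) is used rather than a string equality so the same check works when bodies are large; any per-request dynamic content (nonces, timestamps) would need to be normalized first, which this example does not do.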
FYI ZAP is no longer an OWASP project.
Also you didn't run snallygaster or do anything related to the classic spider. Those alerts are raised by the Hidden File Finder active scan rule which was originally inspired by and drew some patterns/targets from snallygaster. (You should close your upstream issue, it isn't relevant to them.)
Thanks. I have closed the upstream issue and updated this bug description based on your feedback.
@gabbsmo can you clarify the behavior so that I ensure I fix it properly. Is there a redirect or does any unmatched request simply display the default site content?
@kingthorin unmatched requests show default contents. No redirects.
Thanks. I think I've got a plan to handle that.