zaproxy: False-positive for hidden file CWE 538

Describe the bug

The spider is reporting BitKeeper as a hidden file. It does not exist in the code base, and the response is a redirect, 301 Moved Permanently.

Confidence is set to low (default).


Steps to reproduce the behavior

  1. Run a traditional or AJAX crawler on a web site using default confidence. Return 301.

Expected behavior

We would expect no alert when there is a redirect as a response.

Software versions

ZAP
Version: 2.14.0

Installed Add-ons: [[id=alertFilters, version=19.0.0], [id=ascanrules, version=59.0.0], [id=authhelper, version=0.10.0], [id=automation, version=0.34.0], [id=bruteforce, version=15.0.0], [id=callhome, version=0.10.0], [id=commonlib, version=1.20.0], [id=database, version=0.3.0], [id=diff, version=14.0.0], [id=directorylistv1, version=7.0.0], [id=domxss, version=18.0.0], [id=encoder, version=1.4.0], [id=exim, version=0.8.0], [id=formhandler, version=6.5.0], [id=fuzz, version=13.12.0], [id=gettingStarted, version=16.0.0], [id=graaljs, version=0.5.0], [id=graphql, version=0.21.0], [id=help, version=17.0.0], [id=hud, version=0.18.0], [id=importurls, version=9.0.0], [id=invoke, version=14.0.0], [id=network, version=0.13.0], [id=oast, version=0.17.0], [id=onlineMenu, version=12.0.0], [id=openapi, version=38.0.0], [id=postman, version=0.2.0], [id=pscanrules, version=53.0.0], [id=quickstart, version=43.0.0], [id=replacer, version=16.0.0], [id=reports, version=0.26.0], [id=requester, version=7.4.0], [id=retest, version=0.8.0], [id=retire, version=0.28.0], [id=reveal, version=7.0.0], [id=saverawmessage, version=7.0.0], [id=savexmlmessage, version=0.3.0], [id=scripts, version=43.0.0], [id=selenium, version=15.16.0], [id=soap, version=20.0.0], [id=spider, version=0.7.0], [id=spiderAjax, version=23.18.0], [id=tips, version=12.0.0], [id=webdriverlinux, version=66.0.0], [id=webdrivermacos, version=66.0.0], [id=webdriverwindows, version=66.0.0], [id=websocket, version=30.0.0], [id=zest, version=42.0.0]]

Operating System: Windows 11
Architecture: amd64
Java Version: Eclipse Adoptium 17.0.6
System's Locale: en_US
Display Locale: en_GB
Format Locale: en_US
Default Charset: windows-1252
ZAP Home Directory: C:\Users\evand\ZAP\
ZAP Installation Directory: C:\Users\evand\Downloads\ZAP_2.14.0\.\
Look and Feel: FlatLaf Light (com.formdev.flatlaf.FlatLightLaf)

Screenshots

No response

Errors from the zap.log file

No response

Additional context

No response

Would you like to help fix this issue?

  • Yes
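The behaviour the report asks for (no alert when a hidden-file probe is answered with a redirect), as an added illustration that is not ZAP's own Hidden File Finder code; the baseline comparison, the helper names and every response other than the BitKeeper 301 are constructed here:

```python
"""Triage of hidden-file probes: a redirect must not be reported as a hit.

Added example illustrating the false positive in this issue; it is not
ZAP's own scan-rule code. All responses below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class ProbeResponse:
    path: str
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def verdict(resp: ProbeResponse, baseline: ProbeResponse):
    """Return None (no alert) or the alert confidence for one probed path.

    `baseline` is the response to a path that cannot exist on the target;
    it lets us recognise servers that answer 200 to everything (soft 404).
    """
    if 300 <= resp.status < 400:
        # The server redirected (e.g. 301 Moved Permanently) instead of
        # serving the probed file: nothing was disclosed, so no alert.
        return None
    if resp.status != 200:
        return None
    if baseline.status == 200 and resp.body == baseline.body:
        # Identical to the catch-all response: a soft 404, not a real file.
        return None
    if not resp.body.strip():
        # Empty 200: something answered, but the content is unconfirmed.
        return "low"
    return "medium"


def triage(probes, baseline):
    """Map each probed path to its confidence, skipping paths with no alert."""
    out = {}
    for p in probes:
        v = verdict(p, baseline)
        if v is not None:
            out[p.path] = v
    return out


# Constructed sample data modelling the report: BitKeeper answers 301.
BASELINE = ProbeResponse("/zap-does-not-exist-7f3a", 404)
PROBES = [
    ProbeResponse("/BitKeeper", 301, {"Location": "https://example.test/"}),
    ProbeResponse("/.example-hidden", 200, body=b"[settings]\nkey = value\n"),
    ProbeResponse("/missing", 404),
]
```

Running `triage(PROBES, BASELINE)` yields only `{'/.example-hidden': 'medium'}`: the redirected BitKeeper probe produces no alert.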

About this issue

  • State: closed
  • Created 7 months ago
  • Comments: 26 (20 by maintainers)

Most upvoted comments

Yes. I’ll put together an email with further details. We can re-open this if necessary after some discussion and a forward plan I guess.

That’s correct.

It’s looking for a file, not a directory.