Conversation

@LakshmiSHR LakshmiSHR commented Nov 28, 2025

Enhancement: Improve detection of version information in HTTP Server header

This PR is related to Issue zaproxy/zaproxy#9160 by enhancing the version-detection logic in ServerHeaderInfoLeakScanRule.

Key Improvements:

  • Replaced weak version check (.*\d.*) with stricter regex: \d+\.\d+(?:\.\d+)?
    • Now accurately detects version-like patterns (e.g., 2.4, 1.8.0, 2.4.49)
  • Changed matches() to find() to correctly identify versions inside strings such as:
    • Apache/2.4.49 (Unix)
    • nginx/1.21.6
  • Preserved existing behavior:
    • At LOW threshold → still alerts for presence of Server header
    • Raises version-leak alert only when version information is present

Let me know if further expansion is needed (e.g., detecting more header types or enhancing severity levels).

Thank you!
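The contrast the description draws, the weak `.*\d.*` check under `matches()` versus the stricter `\d+\.\d+(?:\.\d+)?` under `find()`, is easier to see when both are run over the same header values. The following is an added example, not ZAP's own `ServerHeaderInfoLeakScanRule` code; the class name, helper methods and the sample Server header strings are constructed for illustration, and `classify` only mirrors the LOW-threshold behaviour the description states.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not ZAP's own code): compares the weak version check this PR
 * replaces with the stricter pattern it introduces, over constructed Server
 * header values.
 */
public class ServerHeaderVersionCheck {

    // Old check described in the PR: any digit anywhere in the header counts.
    private static final Pattern WEAK = Pattern.compile(".*\\d.*");

    // New check from the PR: major.minor with an optional patch component.
    private static final Pattern VERSION = Pattern.compile("\\d+\\.\\d+(?:\\.\\d+)?");

    /** Old behaviour: matches() must consume the whole header; any digit passes. */
    static boolean weakCheck(String server) {
        return WEAK.matcher(server).matches();
    }

    /**
     * New behaviour: find() locates a version-like token anywhere in the header.
     * With the strict pattern, matches() would fail on "Apache/2.4.49 (Unix)"
     * because of the surrounding text, which is why the PR switches to find().
     */
    static boolean strictCheck(String server) {
        return VERSION.matcher(server).find();
    }

    /** Returns the first version-like token, or null when none is present. */
    static String extractVersion(String server) {
        Matcher m = VERSION.matcher(server);
        return m.find() ? m.group() : null;
    }

    /**
     * Mirrors the alerting behaviour the PR preserves (hypothetical helper):
     * a Server header at all is reported at LOW threshold, and the version-leak
     * alert is raised only when a version-like token is found.
     */
    static String classify(String server, boolean lowThreshold) {
        if (server == null || server.isEmpty()) {
            return "none";
        }
        if (strictCheck(server)) {
            return "version-leak";
        }
        return lowThreshold ? "header-present" : "none";
    }

    public static void main(String[] args) {
        // Constructed sample Server header values.
        List<String> samples = List.of(
                "Apache/2.4.49 (Unix)",
                "nginx/1.21.6",
                "Microsoft-IIS/10.0",
                "cloudflare",       // no digits: neither check fires
                "Apache2",          // digit but no version: only the weak check fires
                "Server-Gen-3");    // same: weak false positive, strict stays quiet
        for (String s : samples) {
            System.out.printf("%-22s weak=%-5b strict=%-5b version=%s%n",
                    s, weakCheck(s), strictCheck(s), extractVersion(s));
        }
    }
}
```

The last two samples show the defensive gain: a product name that merely contains a digit no longer produces a version-leak alert, while a real `major.minor[.patch]` token embedded in a longer banner is still caught.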


github-actions bot commented Nov 28, 2025

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

@LakshmiSHR
Author

I have read the CLA Document and I hereby sign the CLA


@kingthorin kingthorin left a comment

The CHANGELOG.md should also be updated. Add a bullet under the "Unreleased" header, you can check older entries for inspiration.

It might also be worth adding/updating unit tests.

@psiinon
Member

psiinon commented Nov 28, 2025

Checkmarx One – Scan Summary & Details (29470b26-d75f-4b21-8bd5-2cd00fed500e)

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity: MEDIUM | Issue: CVE-2025-13466 | Source File / Package: Npm-body-parser-1.20.3

Use @Checkmarx to reach out to us for assistance.

@LakshmiSHR
Author

@Checkmarx These scan issues are related to workflow configuration files (codeql.yml),
which I did not modify. My changes are only in the Java code and CHANGELOG.md.
Please let me know if any action is required from my side.

@thc202 thc202 changed the title Improve version detection in Server Header Info Leak rule (10036) pscanrules: Improve version detection in Server Header Info Leak rule (10036) Nov 28, 2025
@kingthorin
Member

You can ignore the Checkmarx report. Thanks for your diligence though.

@thc202
Member

thc202 commented Dec 30, 2025

The build is failing and it's missing a unit test for the change done.
