Merge pull request #6663 from kingthorin/oast-doc-tweaks

thc202 · web-flow · commit fa2c1957b917 · 2025-08-26T17:45:21.000+01:00
ascanrules &amp; ascanrulesBeta: Add notes about behavior of OAST alerts
diff --git a/addOns/ascanrules/CHANGELOG.md b/addOns/ascanrules/CHANGELOG.md
@@ -19,6 +19,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - For Alerts raised by the SQL Injection scan rules the Attack field values are now simply the payload, not an assembled description.
 - The Cross Site Scripting (Reflected) scan rule was updated to address potential false negatives when the injection context is a tag name and there is some filtering.
 - The Path Traversal scan rule now includes further details when directory matches are made (Issue 8379).
+- Add help details about behavior of scan rules which leverage OAST (Issue 8682).
 
 ### Added
 - Rules (as applicable) have been tagged in relation to HIPAA and PCI DSS.
diff --git a/addOns/ascanrules/src/main/javahelp/org/zaproxy/zap/extension/ascanrules/resources/help/contents/ascanrules.html b/addOns/ascanrules/src/main/javahelp/org/zaproxy/zap/extension/ascanrules/resources/help/contents/ascanrules.html
@@ -230,6 +230,8 @@ <H2 id="id-40043">Log4Shell (CVE-2021-44228 and CVE-2021-45046)</H2>
 It relies on the OAST add-on to generate out-of-band payloads and verify DNS interactions.
 We recommend that this scan rule is used with header injection enabled for maximum coverage.
 <p>
+See also: <a href="https://www.zaproxy.org/docs/desktop/addons/oast-support/#alerts">OAST</a>.
+<p>
 Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Log4ShellScanRule.java">Log4ShellScanRule.java</a>
 <br>
 Alert ID: <a href="https://www.zaproxy.org/docs/alerts/40043/">40043</a>.
@@ -304,6 +306,9 @@ <H2 id="id-90035">Server Side Template Injection</H2>
 
 <H2 id="id-90036">Server Side Template Injection (Blind)</H2>
 This rule goes one step further than the SSTI scan rule and attempts to find places where the impact of the user input is not immediately obvious, such as when used by an admin panel, report output, invoice, etc.
+It leverages the OAST add-on for out-of-band interactions.
+<p>
+See also: <a href="https://www.zaproxy.org/docs/desktop/addons/oast-support/#alerts">OAST</a>.
 <p>
 Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRule.java">SstiBlindScanRule.java</a>
 <br>
@@ -492,6 +497,8 @@ <H2 id="id-90023">XXE</H2>
 It is also recommended that you test that the Callbacks service in the OAST add-on is correctly configured for your target site.
 If the target system cannot connect to the Callback Address then some XXE vulnerabilities will not be detected.
 <p>
+See also: <a href="https://www.zaproxy.org/docs/desktop/addons/oast-support/#alerts">OAST</a>.
+<p>
 Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XxeScanRule.java">XxeScanRule.java</a>
 <br>
 Alert ID: <a href="https://www.zaproxy.org/docs/alerts/90023/">90023</a>.
diff --git a/addOns/ascanrulesBeta/CHANGELOG.md b/addOns/ascanrulesBeta/CHANGELOG.md
@@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## Unreleased
 ### Changed
 - Depends on an updated version of the Common Library add-on.
+- Add help details about behavior of scan rules which leverage OAST (Issue 8682)
 
 ### Fixed
 - Error logs to always include stack trace.
diff --git a/addOns/ascanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/ascanrulesBeta/resources/help/contents/ascanbeta.html b/addOns/ascanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/ascanrulesBeta/resources/help/contents/ascanbeta.html
@@ -193,7 +193,9 @@ <H2 id="id-41">Source Code Disclosure - Git</H2>
 Alert ID: <a href="https://www.zaproxy.org/docs/alerts/41/">41</a>.
 
 <H2 id="id-40046">Server Side Request Forgery</H2>
-This rule attempts to find Server Side Request Forgery vulnerabilities by injecting out-of-band payloads in request parameters.
+This rule attempts to find Server Side Request Forgery vulnerabilities by injecting out-of-band payloads from the OAST add-on in request parameters.
+<p>
+See also: <a href="https://www.zaproxy.org/docs/desktop/addons/oast-support/#alerts">OAST</a>.
 <p>
 Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SsrfScanRule.java">SsrfScanRule.java</a>
 <br>
@@ -203,6 +205,8 @@ <H2 id="id-40047">Text4shell (CVE-2022-42889)</H2>
 This rule attempts to discover the Text4shell (<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-42889">CVE-2022-42889</a>) vulnerability.
 It relies on the OAST add-on to generate out-of-band payloads and verify DNS interactions.
 <p>
+See also: <a href="https://www.zaproxy.org/docs/desktop/addons/oast-support/#alerts">OAST</a>.
+<p>
 Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/Text4ShellScanRule.java">Text4ShellScanRule.java</a>
 <br>
 Alert ID: <a href="https://www.zaproxy.org/docs/alerts/40047/">40047</a>.
diff --git a/addOns/oast/src/main/javahelp/org/zaproxy/addon/oast/resources/help/contents/oast.html b/addOns/oast/src/main/javahelp/org/zaproxy/addon/oast/resources/help/contents/oast.html
@@ -23,6 +23,10 @@ <h2>Scripts</h2>
 whenever an out-of-band request is discovered. This action could be anything like sending yourself an email or
 executing another script in ZAP.
 
+<h2>Alerts</h2>
+
+Scan rules which leverage OAST may result in alerts which are not immediately seen, or are not attributed to a specific active scan, since they happen out of band and potentially at a later time.
+
 <H2>See also</H2>
 <table>
 	<tr>
