ascanrules: SQLi MySQL rename scan rule (all timing based)

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

Author: kingthorin

addOns/ascanrules/CHANGELOG.md

@@ -7,6 +7,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Changed
 - Maintenance changes.
 - Depends on an updated version of the Common Library add-on.
+- The SQL Injection - MySQL scan rule and alerts have been renamed to clarify that they're timing based (Issue 7341).
 
 ### Added
 - Rules (as applicable) have been tagged in relation to HIPAA and PCI DSS.

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java renamed to addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlTimingScanRule.java

@@ -44,19 +44,19 @@
 import org.zaproxy.zap.model.TechSet;
 
 /**
- * The SqlInjectionMySqlScanRule identifies MySQL specific SQL Injection vulnerabilities using MySQL
- * specific syntax. If it doesn't use MySQL specific syntax, it belongs in the generic SQLInjection
- * class! Note the ordering of checks, for efficiency is : 1) Error based (N/A) 2) Boolean Based
- * (N/A - uses standard syntax) 3) UNION based (N/A - uses standard syntax) 4) Stacked (N/A - uses
- * standard syntax) 5) Blind/Time Based (Yes - uses specific syntax)
+ * The SqlInjectionMySqlTimingScanRule identifies MySQL specific SQL Injection vulnerabilities using
+ * MySQL specific syntax. If it doesn't use MySQL specific syntax, it belongs in the generic
+ * SQLInjection class! Note the ordering of checks, for efficiency is : 1) Error based (N/A) 2)
+ * Boolean Based (N/A - uses standard syntax) 3) UNION based (N/A - uses standard syntax) 4) Stacked
+ * (N/A - uses standard syntax) 5) Blind/Time Based (Yes - uses specific syntax)
  *
  * <p>See the following for some great MySQL specific tricks which could be integrated here
  * http://www.websec.ca/kb/sql_injection#MySQL_Stacked_Queries
  * http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
  *
  * @author 70pointer
  */
-public class SqlInjectionMySqlScanRule extends AbstractAppParamPlugin
+public class SqlInjectionMySqlTimingScanRule extends AbstractAppParamPlugin
         implements CommonActiveScanRuleInfo {
 
     /** MySQL one-line comment */
@@ -220,7 +220,8 @@ public class SqlInjectionMySqlScanRule extends AbstractAppParamPlugin
                                 CommonAlertTag.OWASP_2017_A01_INJECTION,
                                 CommonAlertTag.WSTG_V42_INPV_05_SQLI,
                                 CommonAlertTag.HIPAA,
-                                CommonAlertTag.PCI_DSS));
+                                CommonAlertTag.PCI_DSS,
+                                CommonAlertTag.TEST_TIMING));
         alertTags.put(PolicyTag.DEV_FULL.getTag(), "");
         alertTags.put(PolicyTag.QA_STD.getTag(), "");
         alertTags.put(PolicyTag.QA_FULL.getTag(), "");
@@ -230,7 +231,8 @@ public class SqlInjectionMySqlScanRule extends AbstractAppParamPlugin
     }
 
     /** for logging. */
-    private static final Logger LOGGER = LogManager.getLogger(SqlInjectionMySqlScanRule.class);
+    private static final Logger LOGGER =
+            LogManager.getLogger(SqlInjectionMySqlTimingScanRule.class);
 
     private int timeSleepSeconds = DEFAULT_SLEEP_TIME;
 

addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages.properties

@@ -183,7 +183,7 @@ ascanrules.sqlinjection.desc = SQL injection may be possible.
 ascanrules.sqlinjection.hypersonic.name = SQL Injection - Hypersonic SQL
 ascanrules.sqlinjection.mssql.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds.
 ascanrules.sqlinjection.mssql.name = SQL Injection - MsSQL
-ascanrules.sqlinjection.mysql.name = SQL Injection - MySQL
+ascanrules.sqlinjection.mysql.name = SQL Injection - MySQL (Time Based)
 ascanrules.sqlinjection.name = SQL Injection
 ascanrules.sqlinjection.oracle.name = SQL Injection - Oracle
 ascanrules.sqlinjection.postgres.name = SQL Injection - PostgreSQL

addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRuleUnitTest.java renamed to addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlTimingScanRuleUnitTest.java

@@ -38,12 +38,13 @@
 import org.zaproxy.zap.model.TechSet;
 import org.zaproxy.zap.testutils.NanoServerHandler;
 
-/** Unit test for {@link SqlInjectionMySqlScanRule}. */
-class SqlInjectionMySqlScanRuleUnitTest extends ActiveScannerTest<SqlInjectionMySqlScanRule> {
+/** Unit test for {@link SqlInjectionMySqlTimingScanRule}. */
+class SqlInjectionMySqlTimingScanRuleUnitTest
+        extends ActiveScannerTest<SqlInjectionMySqlTimingScanRule> {
 
     @Override
-    protected SqlInjectionMySqlScanRule createScanner() {
-        return new SqlInjectionMySqlScanRule();
+    protected SqlInjectionMySqlTimingScanRule createScanner() {
+        return new SqlInjectionMySqlTimingScanRule();
     }
 
     @Test
@@ -149,7 +150,7 @@ void shouldReturnExpectedMappings() {
         // Then
         assertThat(cwe, is(equalTo(89)));
         assertThat(wasc, is(equalTo(19)));
-        assertThat(tags.size(), is(equalTo(10)));
+        assertThat(tags.size(), is(equalTo(11)));
         assertThat(
                 tags.containsKey(CommonAlertTag.OWASP_2021_A03_INJECTION.getTag()),
                 is(equalTo(true)));
@@ -160,6 +161,7 @@ void shouldReturnExpectedMappings() {
                 tags.containsKey(CommonAlertTag.WSTG_V42_INPV_05_SQLI.getTag()), is(equalTo(true)));
         assertThat(tags.containsKey(CommonAlertTag.HIPAA.getTag()), is(equalTo(true)));
         assertThat(tags.containsKey(CommonAlertTag.PCI_DSS.getTag()), is(equalTo(true)));
+        assertThat(tags.containsKey(CommonAlertTag.TEST_TIMING.getTag()), is(equalTo(true)));
         assertThat(tags.containsKey(PolicyTag.DEV_FULL.getTag()), is(equalTo(true)));
         assertThat(tags.containsKey(PolicyTag.QA_STD.getTag()), is(equalTo(true)));
         assertThat(tags.containsKey(PolicyTag.QA_FULL.getTag()), is(equalTo(true)));