Tags: javascript, node.js, typescript, buffer-overflow, zap

Buffer Overflow - ZAP Scanning report- Node JS microservice in typescript file


Person schema:

import JoiBase from '@hapi/joi';
import JoiDate from '@hapi/joi-date';

// Joi extended with the date extension (not used by this particular schema)
const Joi = JoiBase.extend(JoiDate);

const personSchema = Joi.object().keys({
  person: Joi.object().keys({
    // personId: string of at most 255 characters; null and '' are accepted
    personId: Joi.string().max(255).allow(null, '').required()
  }),
});

// Exported as an alternatives schema so further shapes can be added later
export default Joi.alternatives().try(
  personSchema,
);

POST: https://localhost:8080/api/personData/12345/change

POST Payload:

{"person":{"personId":"satishkonda"}}

The Node.js web service validates the request payload using the person schema.

When I call the above REST POST request for a DAST scan using OWASP ZAP 2.9.0, I get the buffer overflow (medium) finding below in the scanning report:

Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer), and other registers cause exceptions, segmentation faults, and other process errors to occur. Usually, these errors end the execution of the application in an unexpected way.

I am a bit new to DAST scanning. I have been trying to find the root cause by searching Google, but with no luck. Please help with this.


Solution

  • ZAP is Open Source so you can look at the source code of the scan rule yourself. It is available here: https://github.com/zaproxy/zap-extensions/blob/master/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflow.java

    That'll let you see exactly why it's triggering for you.

    Of course it is possible that the result is a False Positive.

    From my quick review it sends a giant param value (2100 chars) and checks the response for Internal Server Error and Connection: close.

    If that's how your app behaves:

    1. Perhaps it is vulnerable.
    2. Perhaps it needs some more robust error/input handling.
    3. Perhaps the finding is a False Positive and you filter it out going forward:
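The following is an added example, not code from the question, the answer, or ZAP itself. It models the check the answer describes (a 2100-character parameter value, then a response with status 500 Internal Server Error and a Connection: close header) and runs it against two request handlers that validate the way the Joi schema above does: one that lets the validation error escape, and one that maps it to a 400. The handler names, the simulated server edge, the dependency-free stand-in for Joi's max(255) rule and the probe payload are all assumptions made for illustration.

```typescript
// Added example, not part of the original post. Everything here is a
// simulation: no network, no ZAP, no @hapi/joi dependency.

interface HttpResponse {
  status: number;
  headers: Record<string, string>;
  body: string;
}

class ValidationError extends Error {}

// Dependency-free stand-in for Joi.string().max(255).allow(null, '').required()
function validatePersonId(value: unknown): void {
  if (value === null || value === '') return;                 // allow(null, '')
  if (value === undefined) throw new ValidationError('personId is required');
  if (typeof value !== 'string') throw new ValidationError('personId must be a string');
  if (value.length > 255) throw new ValidationError('personId length must be <= 255');
}

function parsePersonId(rawBody: string): unknown {
  const parsed: unknown = JSON.parse(rawBody);   // SyntaxError on malformed JSON
  const person = (parsed as { person?: { personId?: unknown } }).person;
  return person ? person.personId : undefined;
}

// Handler with no error handling: any thrown error escapes to the server.
function naiveHandler(rawBody: string): HttpResponse {
  validatePersonId(parsePersonId(rawBody));
  return { status: 200, headers: {}, body: '{"ok":true}' };
}

// Handler that maps client mistakes to 400 and reserves 500 for real bugs.
function robustHandler(rawBody: string): HttpResponse {
  try {
    validatePersonId(parsePersonId(rawBody));
  } catch (err) {
    if (err instanceof ValidationError || err instanceof SyntaxError) {
      return { status: 400, headers: {}, body: JSON.stringify({ error: err.message }) };
    }
    throw err;   // genuinely unexpected: let the server turn it into a 500
  }
  return { status: 200, headers: {}, body: '{"ok":true}' };
}

// Simulated server edge (assumption): an uncaught exception becomes a 500
// and the connection is dropped, which is the pattern the scan rule flags.
function serve(handler: (body: string) => HttpResponse, rawBody: string): HttpResponse {
  try {
    return handler(rawBody);
  } catch (err) {
    return { status: 500, headers: { connection: 'close' }, body: 'Internal Server Error' };
  }
}

// Simplified model of the match condition the answer describes for the
// ZAP BufferOverflow rule: a 500 together with "Connection: close".
function zapBufferOverflowMatch(resp: HttpResponse): boolean {
  const connection = (resp.headers['connection'] || '').toLowerCase();
  return resp.status === 500 && connection === 'close';
}

// Constructed probe: same shape as the POST payload in the question, with
// personId replaced by a 2100-character value like the rule sends.
const PROBE_VALUE = new Array(2101).join('A');   // 2100 'A' characters
const PROBE_BODY = JSON.stringify({ person: { personId: PROBE_VALUE } });

function runProbe(handler: (body: string) => HttpResponse): { status: number; flagged: boolean } {
  const resp = serve(handler, PROBE_BODY);
  return { status: resp.status, flagged: zapBufferOverflowMatch(resp) };
}

console.log('naive :', runProbe(naiveHandler));   // status 500, flagged true
console.log('robust:', runProbe(robustHandler));  // status 400, flagged false
```

The point of the two handlers is the second bullet in the answer: the Joi max(255) rule already rejects the oversized value, so the finding only appears when that rejection is allowed to surface as an unhandled exception and a 500. Returning a 400 for schema failures makes the scan rule's condition unsatisfiable for this endpoint without changing what the service accepts.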