Scan Rule Deprecations

addOns/pscanrules/CHANGELOG.md

@@ -14,6 +14,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
   - This addresses errors such as `[ZAP-PassiveScanner] ERROR org.zaproxy.zap.extension.pscanrules.InformationDisclosureInURL  - No such file: .... /xml/URL-information-disclosure-messages.txt`
 - 'Application Error' scan rule now supports custom payloads when used in conjunction with the Custom Payloads addon.
 
+### Removed
+- 'Header XSS Protection' was deprecated and removed (Issue 5849).
+
 ## [26] - 2020-01-17
 
 ### Changed

addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help/contents/pscanrules.html

@@ -115,14 +115,6 @@ <H2>CSRF Countermeasures</H2>
 <p>
 Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/master/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CSRFCountermeasures.java">CSRFCountermeasures.java</a>
 
-<H2>Header XSS Protection</H2>
-Checks for the existence of and value/setting of the X-XSS-Protection header. 
-This response header can be used to configure a user-agent's built-in reflective XSS protection.<br>
-At MEDIUM and HIGH thresholds only non-error or non-redirect HTML responses are considered.<br>
-At LOW threshold all text responses are considered including errors and redirects.
-<p>
-Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/master/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HeaderXssProtectionScanner.java">HeaderXssProtectionScanner.java</a>
-
 <H2>Information Disclosure: Debug Errors</H2>
 This passive scanner checks the content of web responses for known Debug Error message fragments.
 Access to such details may provide a malicious individual with means by which to further abuse the web site.

addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages.properties

@@ -47,12 +47,6 @@ pscanrules.cookielooselyscoped.refs=https://tools.ietf.org/html/rfc6265#section-
 pscanrules.cookielooselyscoped.extrainfo=The origin domain used for comparison was: \r\n{0}\r\n{1}
 pscanrules.cookielooselyscoped.extrainfo.cookie={0}\r\n
 
-pscanrules.headerxssprotectionscanner.name = Web Browser XSS Protection Not Enabled
-pscanrules.headerxssprotectionscanner.desc = Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server
-pscanrules.headerxssprotectionscanner.refs = https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet\nhttps://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/
-pscanrules.headerxssprotectionscanner.extrainfo = The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: \nX-XSS-Protection: 1; mode=block\nX-XSS-Protection: 1; report=http://www.example.com/xss\nThe following values would disable it:\nX-XSS-Protection: 0\nThe X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).\nNote that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).
-pscanrules.headerxssprotectionscanner.soln = Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.
-
 pscanrules.informationdisclosuredebugerrors.name=Information Disclosure - Debug Error Messages
 pscanrules.informationdisclosuredebugerrors.desc=The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages.
 pscanrules.informationdisclosuredebugerrors.soln=Disable debugging messages before pushing to production.