
Fix DAST skipping URLs with part: request and mode: multiple #7326

Open
dogancanbakir wants to merge 1 commit into dev from fix/dast-skips-urls-multiple-mode


@dogancanbakir dogancanbakir commented Apr 2, 2026

Proposed changes

Closes #6209

FuzzParamsFrequency was frequency-checking empty parameter names in mode: multiple. Since multiple mode fuzzes all parameters at once, execWithInput is called with empty parameter/parameterValue. The empty string was being tracked and matched, silently skipping subsequent URLs' fuzz requests.

Fix: skip frequency check when parameter name is empty.

Proof

Start a local server and generate 30 URLs:

python3 -c "
import http.server
class H(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200); self.end_headers(); self.wfile.write(b'OK')
    def log_message(self,*a): pass
http.server.HTTPServer(('0.0.0.0',4285), H).serve_forever()
" &
for i in $(seq 0 29); do echo "http://127.0.0.1:4285/path${i}?param=value${i}"; done > /tmp/test-urls-30.txt

Template:

id: dast-multiple-test
info:
  name: DAST Multiple Mode Test
  author: test
  severity: high

http:
  - method: GET
    path:
      - "{{BaseURL}}"
    fuzzing:
      - part: request
        mode: multiple
        type: replace
        fuzz:
          - "FUZZED"
    matchers:
      - type: word
        words:
          - "NEVERMATCH"

Before (dev):

$ go run . -t template.yaml -l /tmp/test-urls-30.txt -dast -timeout 10 -nh -duc -debug-req 2>&1 | grep "Dumped HTTP request" | grep -oE 'path[0-9]+' | sort -u | wc -l
      25

After (fix):

$ go run . -t template.yaml -l /tmp/test-urls-30.txt -dast -timeout 10 -nh -duc -debug-req 2>&1 | grep "Dumped HTTP request" | grep -oE 'path[0-9]+' | sort -u | wc -l
      30

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Summary by CodeRabbit

Bug Fixes

  • Fixed parameter frequency-checking logic in fuzzing operations to properly skip validation checks when parameter names are empty. This correction ensures accurate behavior during fuzzing when multiple values are processed without explicit parameter identifiers, improving overall fuzzing accuracy and reliability.

@auto-assign auto-assign bot requested a review from Mzack9999 April 2, 2026 22:09

coderabbitai bot commented Apr 2, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 203d2464-d0a8-4a0b-a1f8-307e8ebd7d95

📥 Commits

Reviewing files that changed from the base of the PR and between c6fb1ae and 42911e2.

📒 Files selected for processing (1)
  • pkg/fuzz/parts.go

Walkthrough

Modified the fuzzing rule execution logic in pkg/fuzz/parts.go to add an additional condition—requiring both the FuzzParamsFrequency option to be enabled AND a non-empty parameter name—before performing frequency checks. This prevents inappropriate parameter skipping when fuzzing without specific parameter identifiers.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Frequency Check Guard: pkg/fuzz/parts.go | Added conditional requirement for both FuzzParamsFrequency option and non-empty actualParameter before invoking IsParameterFrequent, preventing frequency skips on empty parameter names. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 A parameter came through quite bare,
The frequency check gave it a scare,
But now with conditions both sound,
Empty names are safely unbound,
Fuzzing flows freely, without despair! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the fix: addressing the issue where DAST skips URLs when using part: request and mode: multiple, matching the linked issue #6209. |
| Linked Issues check | ✅ Passed | The code changes directly address the objective from issue #6209 by preventing FuzzParamsFrequency checks on empty parameters in multiple mode, ensuring all URLs are processed and fuzzed without being silently skipped. |
| Out of Scope Changes check | ✅ Passed | The changes are tightly scoped to the root cause: adding a condition to check that actualParameter is not empty before frequency checks, with no unrelated modifications. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@dogancanbakir dogancanbakir requested a review from ehsandeep April 2, 2026 22:10
@dogancanbakir dogancanbakir self-assigned this Apr 2, 2026
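
A simplified model of the frequency guard discussed in this PR, added here as an illustration and not taken from nuclei's code base. The `freqTracker` type, the `fuzzAll` function and the threshold of 10 are hypothetical; the model shows why an empty parameter name shared by every URL causes later URLs to be skipped, and that named parameters are still frequency-limited with the guard in place.

```go
package main

import "fmt"

// freqTracker is a hypothetical stand-in for a parameter frequency tracker:
// it counts fuzz attempts per parameter name that produced no match.
type freqTracker struct {
	threshold int
	misses    map[string]int
}

func (t *freqTracker) isFrequent(param string) bool { return t.misses[param] >= t.threshold }

// fuzzAll models n URLs scanned with a template that never matches and
// returns how many URLs actually had a fuzz request sent.
// param is the name handed to the frequency check: "" models mode: multiple,
// where all parameters are fuzzed at once and no single name exists.
// guardEmpty applies the fix: skip the frequency check for an empty name.
func fuzzAll(n, threshold int, param string, guardEmpty bool) int {
	t := &freqTracker{threshold: threshold, misses: map[string]int{}}
	sent := 0
	for i := 0; i < n; i++ {
		checkFrequency := !guardEmpty || param != ""
		if checkFrequency && t.isFrequent(param) {
			continue // URL silently skipped, no request sent
		}
		sent++
		t.misses[param]++ // matcher did not fire, so the name is counted
	}
	return sent
}

func main() {
	const urls, threshold = 30, 10 // constructed values, not nuclei defaults
	fmt.Println("multiple mode, no guard:  ", fuzzAll(urls, threshold, "", false))
	fmt.Println("multiple mode, with guard:", fuzzAll(urls, threshold, "", true))
	fmt.Println("named parameter, guarded: ", fuzzAll(urls, threshold, "param", true))
}
```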
Development

Successfully merging this pull request may close these issues.

[BUG] Nuclei DAST skips urls after index 25 from file with "part: request" and "mode: multiple"