zaproxy · psiinon · May 29, 2026 · May 28, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,12 +17,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Maintenance and documentation changes.
 - Active and passive READMEs to include lastest JS script examples.
 - Reduce usage of fully qualified objects in loops or main methods to address potential classloader performance issues, in JavaScript scripts (Issue 9187).
+- httpsender/AlertOnHttpResponseCodeErrors.js and AlertOnUnexpectedContentTypes.js synced from zaproxy/docker (Issue 9273), renamed to PascalCase.
 
 ### Fixed 
 - The following scripts were not being loaded as scan rules:
   - active/SSTI.js
   - passive/Mutliple Security Header Check.js
-- Updated Alert_on_HTTP_Response_Code_Errors.js to work with GraalVM JavaScript engine.
+- Updated AlertOnHttpResponseCodeErrors.js to work with GraalVM JavaScript engine.
 
 ### Removed
 - Links to videos which no longer exist.

diff --git a/...der/Alert on HTTP Response Code Errors.js → httpsender/AlertOnHttpResponseCodeErrors.js b/...der/Alert on HTTP Response Code Errors.js → httpsender/AlertOnHttpResponseCodeErrors.js
@@ -13,6 +13,10 @@ const HistoryReference = Java.type(
   "org.parosproxy.paros.model.HistoryReference"
 );
 
+const extensionAlert = control
+  .getExtensionLoader()
+  .getExtension(ExtensionAlert.NAME);
+
 pluginid = 100000; // https://github.com/zaproxy/zaproxy/blob/main/docs/scanners.md
 
 function sendingRequest(msg, initiator, helper) {
@@ -24,20 +28,20 @@ function responseReceived(msg, initiator, helper) {
     // Not of interest.
     return;
   }
-  var extensionAlert = control
-    .getExtensionLoader()
-    .getExtension(ExtensionAlert.NAME);
+
   if (extensionAlert != null) {
     var code = msg.getResponseHeader().getStatusCode();
-    if (code < 400 || code >= 600 || code == 404) {
+    if (code < 400 || code >= 600) {
       // Do nothing
     } else {
       var risk = 0; // Info
       var title = "A Client Error response code was returned by the server";
+      var alertRef = 1;
       if (code >= 500) {
         // Server error
         risk = 1; // Low
         title = "A Server Error response code was returned by the server";
+        alertRef = 2;
       }
       // CONFIDENCE_HIGH = 3 (we can be pretty sure we're right)
       var alert = new Alert(pluginid, risk, 3, title);
@@ -95,6 +99,7 @@ function responseReceived(msg, initiator, helper) {
           "Raised by the 'Alert on HTTP Response Code Error' script"
       );
       alert.setEvidence(code.toString());
+      alert.setAlertRef(pluginid + "-" + alertRef);
       alert.setCweId(388); // CWE CATEGORY: Error Handling
       alert.setWascId(20); // WASC  Improper Input Handling
       extensionAlert.alertFound(alert, ref);

diff --git a/...nder/Alert on Unexpected Content Types.js → httpsender/AlertOnUnexpectedContentTypes.js b/...nder/Alert on Unexpected Content Types.js → httpsender/AlertOnUnexpectedContentTypes.js
@@ -13,7 +13,7 @@ const HistoryReference = Java.type(
   "org.parosproxy.paros.model.HistoryReference"
 );
 
-var extensionAlert = control
+const extensionAlert = control
   .getExtensionLoader()
   .getExtension(ExtensionAlert.NAME);