albinowax/ActiveScanPlusPlus

doRailsScan false positive

ethicalhack3r opened this issue · 4 comments

Burp's Active Scanner injects payloads with 127.0.0.1 within them.

If the application outputs the 127.0.0.1 string the doRailsScan method of this extension will wrongly report that the application may be vulnerable to CVE-2019-5418.

Currently the payload attempts to read the /etc/hosts Linux file.

Maybe there's another local file that could be called and/or string matched to lessen the chance of false positives?

I'm not sure what to suggest which would yield less false positives, but perhaps someone else has a good idea? Maybe something a bit more obscure in the /etc/passwd file? Although this may not be any better.

Feel free to close this issue if you feel that the current check is the best balance.

Have you seen a false positive occurring with this? There's code intended to prevent an errant 127.0.0.1 from causing a false positive:

```python
if '127.0.0.1' in safe_bytes_to_string(basePair.getResponse()):
    return
```

I'm open to suggestions for alternatives, but I'm not keen on /etc/passwd as it'll set off every WAF rule on the planet.

Yea, I have a false positive occurring due to the web application outputting the ping -c 21 127.0.0.1 payload from Burp.

Ah! I hadn't seen that check when I took a quick look earlier, although I still don't know what basePair is.

Anyway, just thought I'd bring the issue up as maybe the file being checked for hadn't been given much thought, as I believe that is the same file that was checked in the original PoC.

I also agree about /etc/passwd setting off WAFs, and I don't have any other suggestions, although someone with more knowledge of the Linux filesystem may know of a better alternative file to check.

Looks like we have a solution: #16

Resolved by looking for the collaborator domain in the response: b722f3c
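The false positive discussed in this thread, modelled as an added example (not the extension's or the project's code): the bare `127.0.0.1` substring check with baseline suppression, beside a stricter match that requires the address in /etc/hosts line format, both run over constructed sample response bodies. Function names and the sample bodies are assumptions made for the illustration.

```python
import re

# Constructed sample response bodies (not from a real scan) reproducing the scenario.
BASELINE = "<h1>Search</h1><p>No results</p>"
# A genuine disclosure returns the raw file as the body, so entries start at line start.
GENUINE_HOSTS_LEAK = "127.0.0.1\tlocalhost\n::1\tlocalhost ip6-localhost\n"
# The reporter's case: the app reflects a scanner payload that happens to contain the address.
ECHOED_PAYLOAD = "<h1>Search</h1><p>No results for 'ping -c 21 127.0.0.1'</p>"
# An app whose normal page already mentions the loopback address.
SELF_MENTION = "<p>Admin UI is bound to 127.0.0.1 only</p>"


def naive_check(base_body, attack_body, marker="127.0.0.1"):
    """The thread's check: bare substring match, suppressed only when the
    baseline response already contains the marker."""
    if marker in base_body:
        return False
    return marker in attack_body


# An /etc/hosts entry: loopback address at the start of a line, whitespace, a hostname.
HOSTS_ENTRY = re.compile(r"(?m)^\s*127\.0\.0\.1[ \t]+\S+")


def hosts_entry_check(base_body, attack_body):
    """Stricter: the address must appear in /etc/hosts line format, so a payload
    echoed mid-sentence ('... 127.0.0.1') does not match, and a baseline that
    merely mentions the address does not mask a real leak."""
    if HOSTS_ENTRY.search(base_body):
        return False
    return HOSTS_ENTRY.search(attack_body) is not None


def classify(base_body, attack_body):
    """'leak' for hosts-formatted content, 'echo' when only the bare substring
    matched (the false positive from the thread), 'clean' otherwise."""
    if hosts_entry_check(base_body, attack_body):
        return "leak"
    if naive_check(base_body, attack_body):
        return "echo"
    return "clean"
```

A format-anchored match lowers the false-positive rate but does not remove it; a marker unique to the scan, as the closing commit describes, is the more reliable signal.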