doRailsScan false positive
ethicalhack3r opened this issue · 4 comments
Burp's Active Scanner injects payloads with 127.0.0.1 within them.
If the application outputs the 127.0.0.1 string, the doRailsScan method of this extension will wrongly report that the application may be vulnerable to CVE-2019-5418.
Currently the payload attempts to read the /etc/hosts Linux file.
Maybe there's another local file that could be called and/or string matched to lessen the chance of false positives?
I'm not sure what to suggest which would yield fewer false positives, but perhaps someone else has a good idea? Maybe something a bit more obscure in the /etc/passwd file? Although this may not be any better.
Feel free to close this issue if you feel that the current check is the best balance.
Have you seen a false positive occurring with this? There's code intended to prevent an errant 127.0.0.1 from causing a false positive:
ActiveScanPlusPlus/activeScan++.py, lines 188 to 189 in 8235a4c
I'm open to suggestions for alternatives, but I'm not keen on /etc/passwd as it'll set off every WAF rule on the planet.
Yeah, I have a false positive occurring due to the web application outputting the ping -c 21 127.0.0.1 payload from Burp.
Ah! I hadn't seen that check when I took a quick look earlier, although I still don't know what basePair is.
Anyway, just thought I'd bring the issue up as maybe the file being checked for hadn't been given much thought, as I believe that is the same file that was checked in the original PoC.
I also agree about /etc/passwd setting off WAFs, and I don't have any other suggestions, although someone with more knowledge of the Linux filesystem may know of a better alternative file to check.
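To make the false-positive mechanism in this thread concrete, here is an added illustration (not code from ActiveScan++ or from either commenter) of two ways a scanner check could decide whether a response to the CVE-2019-5418 probe really contains /etc/hosts. The baseline/attack comparison stands in for the kind of check the maintainer points at, where the original request/response pair ("basePair" in the thread) is used to rule out strings that were already present; the exact logic of the extension's own check is not reproduced here. The sample responses are constructed: one reflects Burp's own "ping -c 21 127.0.0.1" payload, the other is what a genuine file read of /etc/hosts would look like.

```python
import re

# Constructed sample response bodies (not captured from any real target).
# Baseline: the page as served for an ordinary request.
BASELINE = "<html><body><p>Search results for: rails</p></body></html>"

# The application reflects user input, and Burp's own active-scan payload
# happens to contain 127.0.0.1, so the string shows up without any file read.
ECHOED_PAYLOAD = (
    "<html><body><p>Search results for: ping -c 21 127.0.0.1</p></body></html>"
)

# What a real disclosure of /etc/hosts via the Accept-header path probe
# would look like in the response body.
HOSTS_LEAK = "127.0.0.1\tlocalhost\n::1\tlocalhost ip6-localhost ip6-loopback\n"

# An /etc/hosts-shaped line: the loopback address at the start of a line,
# whitespace, then a hostname. A reflected "ping -c 21 127.0.0.1" inside
# HTML does not satisfy this.
HOSTS_LINE = re.compile(r"(?m)^[ \t]*127\.0\.0\.1[ \t]+[A-Za-z0-9.-]+")


def naive_check(base_body, attack_body, marker="127.0.0.1"):
    """Substring match with a baseline comparison: report only if the marker
    is absent from the baseline and present in the attack response.
    This still trips when the application echoes the payload itself."""
    return marker in attack_body and marker not in base_body


def strict_check(base_body, attack_body):
    """Require a line that is structurally an /etc/hosts entry, and require
    that no such line was already present in the baseline response."""
    return (
        HOSTS_LINE.search(attack_body) is not None
        and HOSTS_LINE.search(base_body) is None
    )


def run_samples():
    """Run both checks over the constructed responses and return the verdicts."""
    return {
        "naive_echo": naive_check(BASELINE, ECHOED_PAYLOAD),    # false positive
        "naive_leak": naive_check(BASELINE, HOSTS_LEAK),        # true positive
        "strict_echo": strict_check(BASELINE, ECHOED_PAYLOAD),  # no report
        "strict_leak": strict_check(BASELINE, HOSTS_LEAK),      # true positive
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {'report' if verdict else 'clean'}")
```

The structural match only narrows the problem: an application that reflects input verbatim at the start of a line could still be made to echo "127.0.0.1 localhost", so a baseline comparison plus a file-shaped match reduces, rather than eliminates, the chance of a false positive. It does avoid the WAF-triggering alternative of requesting /etc/passwd that the thread rules out.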