PortSwigger / backslash-powered-scanner

Finds unknown classes of injection vulnerabilities

False positives/bad highlighting scanning REST url paths #2

Closed cartel0x27 closed 8 years ago

cartel0x27 commented 8 years ago

First of all, let me say I'm super excited about this tool, I really like the approach of just turning up odd transformations/responses for the operator to look at versus going all out to confirm something is an XSS/SQLi or whatnot.

I gave it a whirl on some REST paths and the responses showed promise. I got 'Interesting input handling: Interpolation (percent)' and 'Suspicious input transformation'.

Here is a redacted line of what I was scanning:

GET /api/function/{insertion point 1}/{insertion point 2}/{insertion point 3}/

For the interpolation, in the Request/Response tabs, the wrong parts of the strings are highlighted. Instead of the inserted string, the first 6 chars and the last 6 chars of the injection point are highlighted in the request and response respectively.

For the Suspicious input transformation, again the first part of the injection point and the last part of the injection point, this time up to the insertion of the backslashes, are highlighted. Also, most of the list of interesting transformations are false positives. For example, the scanner says that \101 => A, but when I try this it is reflected as is. The 'reflection disappeared' results are incorrect, but the truncations are accurate.

Sorry for just making an issue without sending a patch, I don't really know enough Java to see where to start!

albinowax commented 8 years ago

I'm aware the highlighting is a bit wonky - that's a low priority - but I'm really surprised the suspicious input transformation check is giving false positives. If possible, can you provide the URL? If not, can you let me know if the response is JSON? The code handles JSON responses slightly differently.

cartel0x27 commented 8 years ago

The response is JSON, this is a non-public API, so the URL wouldn't do you much good. But I could email the scanner result reports if that would help?

albinowax commented 8 years ago

Could you send zzz\101zzz using the repeater and post the reflection(s) you get back?

cartel0x27 commented 8 years ago

GET /1/0/xxxxxxxx-xxxx-xxxx-xxxzzz\101zzzxxxxxxxxxxxxxxxxxxxxx

returns

<body><h2>HTTP ERROR 405</h2>
<p>Problem accessing /api/1/0/xxxxxxxx-xxxx-xxxx-xxxzzz\101zzzxxxxxxxxxxxxxxxxxxxx. Reason:
<pre>    Method Not Allowed

albinowax commented 8 years ago

Thanks, I see the problem. The application's response isn't JSON, but it's probably still sending the JSON content-type. I'll get this fixed in a bit.

albinowax commented 8 years ago

The fake-JSON false positive should now be fixed: https://github.com/PortSwigger/backslash-powered-scanner/commit/6bab1114a4ba58f047c1dfa51b97e6351486a6b7
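The thread's root cause is a scanner trusting the response Content-Type header instead of the body: an HTML error page served as JSON was analysed in JSON mode, where a literal backslash is expected to arrive escaped, so the unescaped `zzz\101zzz` looked like a transformation. The following added example (not code from backslash-powered-scanner; the JSON-mode expectation and the `scan` helper are this illustration's own assumptions about how such a check can go wrong) reproduces the false positive on a constructed HTML 405 page and shows the header-independent classification that avoids it.

```python
import json

# Constructed sample values (not captured from any real application).
PROBE = "zzz\\101zzz"    # literal backslash + 101, the probe sent in the thread
DECODED = "zzzAzzz"      # what a backend interpreting octal escapes would reflect

JSON_OK = b'{"path": "zzz\\\\101zzz"}'     # genuine JSON: literal backslash escaped as \\
JSON_TRANSFORMED = b'{"path": "zzzAzzz"}'  # genuine JSON whose backend decoded \101 -> A
HTML_405 = (b"<body><h2>HTTP ERROR 405</h2>"
            b"<p>Problem accessing /api/1/0/zzz\\101zzz. Reason:"
            b"<pre>    Method Not Allowed")  # HTML page, but served as application/json


def body_is_json(body: bytes) -> bool:
    """Decide by parsing the body, not by reading the Content-Type header."""
    try:
        json.loads(body.decode("utf-8"))
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def expected_reflection(probe: str, json_mode: bool) -> str:
    """Assumed JSON-mode rule: inside a JSON string a literal backslash is
    serialised as two characters, so an untouched reflection of zzz\\101zzz
    is the body text zzz\\\\101zzz."""
    return probe.replace("\\", "\\\\") if json_mode else probe


def classify(probe: str, decoded: str, body: bytes, json_mode: bool) -> str:
    """Three-way verdict used by the illustration: reflected unchanged,
    transformed (decoded form present), or reflection disappeared."""
    text = body.decode("utf-8", "replace")
    if expected_reflection(probe, json_mode) in text:
        return "reflected as-is"
    if decoded in text:
        return "transformed"
    return "reflection disappeared"


def scan(content_type: str, body: bytes, trust_header: bool) -> str:
    """Pick JSON mode from the header (the buggy behaviour) or from the body
    (the fix), then classify the reflection of PROBE."""
    if trust_header:
        json_mode = "json" in content_type.lower()
    else:
        json_mode = body_is_json(body)
    return classify(PROBE, DECODED, body, json_mode)


if __name__ == "__main__":
    # Header-trusting mode on the fake-JSON error page yields the false positive;
    # body sniffing reports the plain reflection the reporter actually saw.
    print("trust header :", scan("application/json", HTML_405, trust_header=True))
    print("sniff body   :", scan("application/json", HTML_405, trust_header=False))
    print("real JSON    :", scan("application/json", JSON_OK, trust_header=False))
    print("decoded JSON :", scan("application/json", JSON_TRANSFORMED, trust_header=False))
```

The only difference between the two verdicts on `HTML_405` is where `json_mode` comes from; every other step is identical, which is why a mismatched Content-Type alone is enough to turn an unchanged reflection into a reported transformation.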