shift / skipfish

Automatically exported from code.google.com/p/skipfish
Apache License 2.0

parameter false positively marked as "bogus parameter" #133

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The attached page x.php contains a parameter 'x' that is vulnerable to XSS. 
However, this parameter is marked as a "bogus parameter" (in crawler.c), 
resulting in a false negative XSS.

Using PHP (5.3.8) the last GET parameter of a given name is given priority. 
Since skipfish will perform its bogus check on the first instance of the 'x' 
parameter, the parameter will false positively be marked as a "bogus parameter".

Original issue reported on code.google.com by random0...@gmail.com on 8 Dec 2011 at 9:36

GoogleCodeExporter commented 9 years ago
updated version of the attached example page.

Original comment by random0...@gmail.com on 8 Dec 2011 at 9:39

GoogleCodeExporter commented 9 years ago
The "bogus parameter" finding does not prevent XSS detection and other 
injection tests; it only inhibits dictionary brute-force.

Instead, your problem may be that skipfish may not be prepared to deal with 
multiple identically named parameters. Does it work if you rename the 
parameters to "a" and "b"? What version are you using?

Original comment by lcam...@gmail.com on 8 Dec 2011 at 9:45

GoogleCodeExporter commented 9 years ago
I am running skipfish version 2.03b.

The vulnerability "XSS vector in document body" is located only when the 
variables are renamed to 'a' and 'b'. If there are multiple identically named 
parameters, this vulnerability will not be discovered.

I've attached a file 'index.php' for which skipfish is able to locate the XSS 
vulnerability. Skipfish is not able to locate the same vulnerability in 'x.php' 
(which has been attached previously).

Original comment by random0...@gmail.com on 12 Dec 2011 at 12:03

GoogleCodeExporter commented 9 years ago
In the event of two parameters with the same name, we only test the first one. 
I'll look into fixing this (but with low priority).

Cheers!

Original comment by niels.he...@gmail.com on 5 Feb 2012 at 3:00
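The mismatch the thread describes, modelled as an added example (not skipfish code and not the reporter's x.php): PHP keeps the last value of a repeated GET name, while a scanner that only tests the first occurrence never gets its probe reflected. The `reflect_x` function, the `MARKER` string and the sample query are constructed stand-ins.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlencode

def parse_last_wins(query):
    """PHP-style $_GET: a repeated name keeps the LAST value."""
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        params[name] = value
    return params

def parse_first_wins(query):
    """First-occurrence model, as the thread describes the scanner's behaviour."""
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        params.setdefault(name, value)
    return params

def duplicate_names(query):
    """Parameter names occurring more than once (worth flagging for manual review)."""
    counts = Counter(name for name, _ in parse_qsl(query, keep_blank_values=True))
    return sorted(name for name, count in counts.items() if count > 1)

def inject_into_occurrence(query, name, index, value):
    """Return the query with the index-th occurrence of `name` replaced by `value`."""
    seen = 0
    out = []
    for n, v in parse_qsl(query, keep_blank_values=True):
        if n == name:
            if seen == index:
                v = value
            seen += 1
        out.append((n, v))
    return urlencode(out)

def reflect_x(query):
    """Constructed stand-in for x.php: echoes $_GET['x'] into the body unencoded."""
    return "<p>" + parse_last_wins(query).get("x", "") + "</p>"

MARKER = "skf_probe_42"  # constructed, harmless marker string

def marker_reflected(query, occurrence):
    """True if a marker placed in the given occurrence of 'x' shows up in the response."""
    probe = inject_into_occurrence(query, "x", occurrence, MARKER)
    return MARKER in reflect_x(probe)

if __name__ == "__main__":
    q = "x=1&x=2"  # constructed query with a repeated name
    print(duplicate_names(q))      # ['x']
    print(marker_reflected(q, 0))  # False: PHP used the second x, the probe was lost
    print(marker_reflected(q, 1))  # True: this is the occurrence PHP actually reads
```

Flagging the names `duplicate_names` returns is the cheap defensive check: any repeated name deserves a manual test of every occurrence, whichever one the scanner chose.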

GoogleCodeExporter commented 9 years ago
Hi, I'm also facing the same sort of problem. This is a big issue because the 
crawler will miss many links in a single-page application. Consider a situation 
in which different pages get included for the same id, e.g. 

index.php?id=1 leads to one.php page //that have some new links
index.php?id=2 leads to two.php page //that have different links

In this situation the page content of two.php will be completely ignored.

Original comment by anuragno...@gmail.com on 19 Jul 2012 at 11:17