wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner

False Positive #1323

Closed kp-emagine closed 5 years ago

kp-emagine commented 5 years ago

I have tested against a specific site, the results are a bit strange and I am pretty confused by it.

Per the results, the site I scanned contains a WordPress plugin called Tweet Blender, and is on a vulnerable version of it.

I can confirm that that plugin does not exist on their site, nor has it ever existed on their site. On top of this, the host would not allow it.

"plugins": {
    "tweet-blender": {
      "slug": "tweet-blender",
      "location": "https://www.mysite.com/wp-content/plugins/tweet-blender/",
      "latest_version": "4.0.2",
      "last_updated": "2013-11-13T08:18:00.000Z",
      "outdated": false,
      "readme_url": null,
      "changelog_url": null,
      "directory_listing": false,
      "error_log_url": null,
      "found_by": "Known Locations (Aggressive Detection)",
      "confidence": 80,
      "interesting_entries": [

      ],
      "confirmed_by": {

      },
      "vulnerabilities": [
        {
          "title": "Tweet Blender 4.0.1 - Unspecified XSS",
          "fixed_in": "4.0.2",
          "references": {
            "cve": [
              "2013-6342"
            ],
            "secunia": [
              "55780"
            ],
            "url": [
              "http://packetstormsecurity.com/files/124047/"
            ],
            "wpvulndb": [
              "6981"
            ]
          }
        }
      ],
      "version": null
    }
  },

Please advise

erwanlr commented 5 years ago

Which version of WPScan are you using? Docker, master from here, or the 3.4.5 from RubyGems?

Furthermore, is it the only false positive you got ?

What's the response you get when you access https://www.mysite.com/wp-content/plugins/tweet-blender/? (I am looking at a potential redirect here.)

kp-emagine commented 5 years ago

It is the only false positive. As for the version, I am unsure, I was told multiple times by Ajin in https://github.com/ajinabraham/CMSScan that I needed to contact you about the issue.

As for browsing it, it 404's, because it does not exist, not only in the site I tested, but anywhere else on the server :)

erwanlr commented 5 years ago

Could you put the output of curl -IL https://www.mysite.com/wp-content/plugins/tweet-blender/ (removing the sensitive stuff if needed)

kp-emagine commented 5 years ago

As previously stated, it does not exist and 404s. But sure:

HTTP/1.1 404 Not Found
Date: Mon, 25 Mar 2019 15:06:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: __cfduid=d97ea862c4ba4e09bee048d2ba16f3baa1553526372; expires=Tue, 24-Mar-20 15:06:12 GMT; path=/; domain=.mysite.com; HttpOnly; Secure
Vary: Accept-Encoding
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <https://www.mysite.com/wp-json/>; rel="https://api.w.org/"
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
CF-Cache-Status: MISS
X-Content-Type-Options: nosniff
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 4bd1c9919978c19a-IAD

erwanlr commented 5 years ago

That's weird then, as 404s are ignored.

Did you supply the HTTP or HTTPS URL to wpscan? (i.e. wpscan --url http://my-site.com or wpscan --url https://my-site.com)

kp-emagine commented 5 years ago

Sorry, https

erwanlr commented 5 years ago

Would you mind providing the blog (to team at wpscan dot org) so we can have a look ?

kp-emagine commented 5 years ago

Unfortunately, I cannot. Please do note that it does not happen when I simply run your gem. It appears to only happen when I run CMSScan.

Unfortunately again, that dev appears to state that it's an issue here....

erwanlr commented 5 years ago

Oh ok, then I would make it clear to https://github.com/ajinabraham/CMSScan/ that you only have the issue with their tool, and not by running wpscan manually. Just make sure you are running the same command that CMSScan uses though (as by default WPScan will enumerate plugins via passive methods, while CMSScan uses mixed detection by setting the related option).

wpscan --plugins-detection mixed --url https://your-target.com

If you want to speed up the process, you can use the command below which will not perform a full plugin enumeration but focus on the one/s given (+ the ones detected via passive methods):

wpscan --plugins-detection mixed --plugins-list tweet-blender -e ap --url https://your-target.com (the -e ap is there to display the detected plugins even if they are not vulnerable)

If with all that you still have the issue, then I would recommend using a proxy such as BurpSuite along with the proxy option to see the request which is causing the plugin to be detected.

kp-emagine commented 5 years ago

Hard to make things clear to people when they refuse to believe it's their product causing the issue ;)

I will see what he says about it, but I am pretty positive he will try to get me to push back on you. If that is the case, then I will simply stop using / promoting his tool, and only use / promote yours.

I do appreciate the help with this.

kp-emagine commented 5 years ago

Ok. They had me run a "new" query:

wpscan --url https://www.mysite.com/ --no-banner -f json --force -e vp,vt --plugins-detection mixed --rua

Here are the full results:

{
  "start_time": 1553600664,
  "start_memory": 102305792,
  "target_url": "https://www.mysite.com/",
  "effective_url": "https://www.mysite.com/",
  "interesting_findings": [
    {
      "url": "https://www.mysite.com/",
      "to_s": "https://www.mysite.com/",
      "type": "headers",
      "found_by": "Headers (Passive Detection)",
      "confidence": 100,
      "confirmed_by": {

      },
      "references": {

      },
      "interesting_entries": [
        "Server: nginx",
        "X-UA-Compatible: IE=edge,chrome=1",
        "WPE-Backend: apache",
        "X-WPE-Loopback-Upstream-Addr: 127.0.0.1:6783",
        "X-Cacheable: SHORT",
        "X-Pass-Why: ",
        "X-Cache-Group: ipad",
        "X-Type: default"
      ]
    },
    {
      "url": "https://www.mysite.com/robots.txt",
      "to_s": "https://www.mysite.com/robots.txt",
      "type": "robots_txt",
      "found_by": "Robots Txt (Aggressive Detection)",
      "confidence": 100,
      "confirmed_by": {

      },
      "references": {

      },
      "interesting_entries": [

      ]
    },
    {
      "url": "https://www.mysite.com/wp-signup.php",
      "to_s": "This site seems to be a multisite",
      "type": "multisite",
      "found_by": "Direct Access (Aggressive Detection)",
      "confidence": 100,
      "confirmed_by": {

      },
      "references": {
        "url": [
          "http://codex.wordpress.org/Glossary#Multisite"
        ]
      },
      "interesting_entries": [

      ]
    },
    {
      "url": "https://www.mysite.com/wp-content/mu-plugins/",
      "to_s": "This site has 'Must Use Plugins': https://www.mysite.com/wp-content/mu-plugins/",
      "type": "mu_plugins",
      "found_by": "Direct Access (Aggressive Detection)",
      "confidence": 80,
      "confirmed_by": {

      },
      "references": {
        "url": [
          "http://codex.wordpress.org/Must_Use_Plugins"
        ]
      },
      "interesting_entries": [

      ]
    },
    {
      "url": "https://www.mysite.com/wp-cron.php",
      "to_s": "https://www.mysite.com/wp-cron.php",
      "type": "wp_cron",
      "found_by": "Direct Access (Aggressive Detection)",
      "confidence": 60,
      "confirmed_by": {

      },
      "references": {
        "url": [
          "https://www.iplocation.net/defend-wordpress-from-ddos",
          "https://github.com/wpscanteam/wpscan/issues/1299"
        ]
      },
      "interesting_entries": [

      ]
    }
  ],
  "version": {
    "number": "5.1.1",
    "release_date": "2019-03-13",
    "status": "latest",
    "found_by": "Addthis Javascript (Passive Detection)",
    "confidence": 100,
    "interesting_entries": [
      "https://www.mysite.com/, Match: 'wp_blog_version = \"5.1.1\";'"
    ],
    "confirmed_by": {
      "Emoji Settings (Passive Detection)": {
        "confidence": 60,
        "interesting_entries": [
          "https://www.mysite.com/, Match: 'wp-includes\\/js\\/wp-emoji-release.min.js?ver=5.1.1'"
        ]
      }
    },
    "vulnerabilities": [

    ]
  },
  "main_theme": {
    "slug": "tpx",
    "location": "https://www.mysite.com/wp-content/themes/tpx/",
    "latest_version": null,
    "last_updated": null,
    "outdated": false,
    "readme_url": null,
    "changelog_url": null,
    "directory_listing": false,
    "error_log_url": null,
    "style_url": "https://www.mysite.com/wp-content/themes/tpx/style.css?ver=5.1.1",
    "style_name": "TPx",
    "style_uri": null,
    "description": "A custom WordPress theme by emagine.",
    "author": "emagine",
    "author_uri": "http://www.emagine.com",
    "template": "em-base",
    "license": null,
    "license_uri": null,
    "tags": null,
    "text_domain": "tpx",
    "found_by": "Css Style (Passive Detection)",
    "confidence": 70,
    "interesting_entries": [

    ],
    "confirmed_by": {

    },
    "vulnerabilities": [

    ],
    "version": {
      "number": "1.1.0",
      "confidence": 80,
      "found_by": "Style (Passive Detection)",
      "interesting_entries": [
        "https://www.mysite.com/wp-content/themes/tpx/style.css?ver=5.1.1, Match: 'Version:      1.1.0'"
      ],
      "confirmed_by": {

      },
      "vulnerabilities": [

      ]
    },
    "parents": [

    ]
  },
  "plugins": {
    "tweet-blender": {
      "slug": "tweet-blender",
      "location": "https://www.mysite.com/wp-content/plugins/tweet-blender/",
      "latest_version": "4.0.2",
      "last_updated": "2013-11-13T08:18:00.000Z",
      "outdated": false,
      "readme_url": null,
      "changelog_url": null,
      "directory_listing": false,
      "error_log_url": null,
      "found_by": "Known Locations (Aggressive Detection)",
      "confidence": 80,
      "interesting_entries": [

      ],
      "confirmed_by": {

      },
      "vulnerabilities": [
        {
          "title": "Tweet Blender 4.0.1 - Unspecified XSS",
          "fixed_in": "4.0.2",
          "references": {
            "cve": [
              "2013-6342"
            ],
            "secunia": [
              "55780"
            ],
            "url": [
              "http://packetstormsecurity.com/files/124047/"
            ],
            "wpvulndb": [
              "6981"
            ]
          }
        }
      ],
      "version": null
    }
  },
  "themes": {

  },
  "stop_time": 1553600704,
  "elapsed": 39,
  "requests_done": 2083,
  "cached_requests": 13,
  "data_sent": 650778,
  "data_sent_humanised": "635.525 KB",
  "data_received": 2212088,
  "data_received_humanised": "2.11 MB",
  "used_memory": 141516800,
  "used_memory_humanised": "134.961 MB"
}
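In the report above, tweet-blender has an empty confirmed_by, no interesting_entries and version null, so the whole finding rests on a single aggressive probe, while the core version and the theme are backed by passive matches. The script below is an added example, not code from the WPScan project: it post-processes a WPScan JSON report (-f json) and separates plugin findings of that shape from findings that passive evidence corroborates, and it lists the vulnerabilities attached to a plugin whose version was never detected, since fixed_in cannot be compared against an unknown version. The embedded report is constructed from the fields shown in this thread; the second plugin, its finder name and its version are made up to give a contrast.

```ruby
# Added example, not WPScan code. Triage a WPScan JSON report: which plugin
# findings rest only on an aggressive probe, and which vulnerability entries
# cannot be verified because no version was detected.
require 'json'

# Constructed report, modelled on the fields shown in the thread. The
# "example-plugin" entry and its finder name are made up for contrast.
SAMPLE_REPORT = <<~JSON
  {
    "plugins": {
      "tweet-blender": {
        "slug": "tweet-blender",
        "location": "https://www.mysite.com/wp-content/plugins/tweet-blender/",
        "latest_version": "4.0.2",
        "outdated": false,
        "found_by": "Known Locations (Aggressive Detection)",
        "confidence": 80,
        "interesting_entries": [],
        "confirmed_by": {},
        "vulnerabilities": [
          {"title": "Tweet Blender 4.0.1 - Unspecified XSS", "fixed_in": "4.0.2"}
        ],
        "version": null
      },
      "example-plugin": {
        "slug": "example-plugin",
        "location": "https://www.mysite.com/wp-content/plugins/example-plugin/",
        "found_by": "Urls In Homepage (Passive Detection)",
        "confidence": 100,
        "interesting_entries": ["https://www.mysite.com/wp-content/plugins/example-plugin/js/app.js?ver=1.2.0"],
        "confirmed_by": {},
        "vulnerabilities": [],
        "version": {"number": "1.2.0", "confidence": 80}
      }
    }
  }
JSON

# A finding is "weak" when its only evidence is an aggressive probe (a known
# location that answered something other than 404) and nothing else backs it
# up: no confirming finder, no matched entries, no version.
def weak_plugin_finding?(plugin)
  plugin['found_by'].to_s.include?('Aggressive Detection') &&
    plugin.fetch('confirmed_by', {}).empty? &&
    plugin.fetch('interesting_entries', []).empty? &&
    plugin['version'].nil?
end

# With version null, WPScan cannot compare against fixed_in, so every
# vulnerability listed for the plugin is unverified rather than confirmed.
def unverified_vulns(plugin)
  return [] unless plugin['version'].nil?
  plugin.fetch('vulnerabilities', []).map { |v| v['title'] }
end

def triage_report(json_text)
  plugins = JSON.parse(json_text).fetch('plugins', {}).values
  weak, solid = plugins.partition { |p| weak_plugin_finding?(p) }
  {
    needs_verification: weak.map { |p| p['slug'] },
    corroborated: solid.map { |p| p['slug'] },
    unverified_vulns: weak.flat_map { |p| unverified_vulns(p) }
  }
end

# Usage: ruby triage_report.rb report.json   (falls back to the sample above)
text = ARGV.empty? ? SAMPLE_REPORT : File.read(ARGV[0])
result = triage_report(text)
puts "needs verification: #{result[:needs_verification].join(', ')}"
puts "corroborated:       #{result[:corroborated].join(', ')}"
puts "unverified vulns:   #{result[:unverified_vulns].join(', ')}"
```

A slug in the needs_verification list is not proof of a false positive; it is the list of hits that deserve the manual check the maintainer keeps asking for (a proxy, or a direct request to the plugin directory) before they go into a report.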

erwanlr commented 5 years ago

Given the output above, I guess I found the target.

However, https://www.target.com/wp-content/plugins/tweet-blender/ returns a 403 rather than a 404, which would explain why the plugin is detected.

curl -I https://www.redacted.com/wp-content/plugins/tweet-blender/
HTTP/2 403 
server: nginx
date: Tue, 26 Mar 2019 19:07:15 GMT
content-type: text/html
content-length: 162

I would recommend using BurpSuite as a proxy along with the --proxy option and seeing what the request to /wp-content/plugins/tweet-blender/ returns.

kp-emagine commented 5 years ago

That is not the target URL, and I cannot give you the real target URL. Please. Please, just rely on the fact that what I told you is true, and that the plugin DOES NOT exist on the site. Please. Please Please Please.

erwanlr commented 5 years ago

I haven't even put the target URL ;p

Anyway, at this point there is nothing I can do. 404 are ignored by WPScan (https://github.com/wpscanteam/wpscan/blob/3.4.5/app/finders/plugins/known_locations.rb#L18) so unless you have a bug which would cause the ruby Array#include to misbehave, that's not going to happen.

I've asked you twice to use a proxy to see what WPScan is getting from the target as this is the only reliable information to determine what's going on.

If with all that you still have the issue, then I would recommend using a proxy such as BurpSuite along with the proxy option to see the request which is causing the plugin to be detected.

I would recommend using BurpSuite as a proxy along with the --proxy option and seeing what the request to /wp-content/plugins/tweet-blender/ returns.

I will leave the issue open for a week.

aj-formassembly commented 2 years ago

Just experienced this on our site, and we don't even have the Tweet Blender plugin, yet it still returns 403. I trust you @kp-emagine hehe. Any way to remove this false positive from WPScan?
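The maintainer's explanation throughout the thread is that the "Known Locations" finder ignores only 404 responses, so a 403 on /wp-content/plugins/tweet-blender/ (or a 301 when an http:// target is given) counts as a hit, and the closing question is how to tell such a hit from a real plugin. The Ruby script below is an added example, not WPScan's own code: it applies that rule, shows each redirect hop the way curl -IL does, and sends a second request for a slug that cannot exist on any site; when that control request gets the same non-404 status, the hit is reported as unconfirmed rather than found. The hostnames, the User-Agent string, the control-slug prefix and the assumption that the first response (before any redirect is followed) is what decides the verdict are the example's own, not facts from the thread.

```ruby
# Added example, not WPScan code. Reproduce the "Known Locations" rule from
# the thread (only a 404 rules a plugin directory out) and add a control
# request so a host that answers 403 for every plugin directory, or redirects
# every http:// URL, is not reported as a confirmed plugin.
require 'net/http'
require 'uri'
require 'securerandom'

# WPScan's --rua picks a random browser User-Agent; a fixed browser-like one
# (assumed value) is used here so both requests look the same to a WAF.
DEFAULT_UA = 'Mozilla/5.0 (X11; Linux x86_64) Firefox/66.0'.freeze

# The rule quoted by the maintainer: a 404 is ignored, anything else is a hit.
def known_location_hit?(status)
  status.to_i != 404
end

def plugin_dir_url(base_url, slug)
  URI.join(base_url, "wp-content/plugins/#{slug}/").to_s
end

# One HEAD request (like curl -I); redirects are not followed here.
# Returns [status, location].
def head_once(url, user_agent: DEFAULT_UA)
  uri = URI(url)
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    res = http.head(uri.request_uri, 'User-Agent' => user_agent)
    [res.code.to_i, res['location']]
  end
end

# Follow 3xx hops by hand so each one is visible (like curl -IL).
# Returns [[url, status, location], ...] ending at the first non-3xx answer.
def redirect_chain(url, fetcher: method(:head_once), max_hops: 5)
  chain = []
  current = url
  max_hops.times do
    status, location = fetcher.call(current)
    chain << [current, status, location]
    break unless (300..399).cover?(status) && location
    current = URI.join(current, location).to_s
  end
  chain
end

# Verdict from the slug's first-hop status and the control slug's first-hop
# status. The control slug cannot exist, so if it draws the same non-404
# answer the response says nothing about this plugin.
def classify_plugin_dir(slug_status, control_status)
  return :not_found unless known_location_hit?(slug_status)
  return :unconfirmed if slug_status == control_status
  :found
end

# fetcher: callable url -> [status, location]; a stub can replace head_once.
def triage_plugin(base_url, slug, fetcher: method(:head_once))
  control = "wpscan-control-#{SecureRandom.hex(6)}" # assumed prefix, never a real slug
  slug_chain = redirect_chain(plugin_dir_url(base_url, slug), fetcher: fetcher)
  control_chain = redirect_chain(plugin_dir_url(base_url, control), fetcher: fetcher)
  {
    slug: slug,
    chain: slug_chain,
    control_status: control_chain.first[1],
    verdict: classify_plugin_dir(slug_chain.first[1], control_chain.first[1])
  }
end

# Usage: ruby triage_plugin.rb https://www.mysite.com/ tweet-blender
if ARGV.length == 2
  r = triage_plugin(ARGV[0], ARGV[1])
  r[:chain].each { |u, s, l| puts "#{s} #{u}#{l ? " -> #{l}" : ''}" }
  puts "#{r[:slug]}: #{r[:verdict]} (control slug answered #{r[:control_status]})"
end
```

An unconfirmed verdict is the case in this thread: the directory answers 403, but so does a directory that was never there, so the 403 is the host's blanket answer and the vulnerability entry attached to the slug cannot be taken as applying. A found verdict (the slug answers 200 or 403 while the control gets a 404) still deserves a look at the response body through a proxy, as the maintainer suggests, before it is reported.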