
Today in What Grinds my Gears:
When a ZAP scan flags a "high severity, high confidence" issue based on literally nothing.

ZAP: sends a request with a hinky query string
Server: ignores all query strings
ZAP: OMG BLIND SERVER SIDE INJECTION INTO A NONEXISTENT TEMPLATE ENGINE!!!!!11one

As in previous "What Grinds my Gears" posts, I really don't get why these scanning tools assign ridiculously high confidence values to issues where there's no evidence the vulnerable component exists.

To be safe I even wasted my time checking the server itself and the entire stack has literally zero interaction with the query string whatsoever.

I'm mainly angry due to the absurd "high" confidence ZAP is assigning the flag.

First: ZAP has no knowledge of the server's implementation. There's no way to tell a "blind" injection even exists.

Second: The evidence something bad happened is NOTHING. It's just as likely the input didn't do anything.

Third: Response time was unchanged.

@Bee O'Problem The main thing is that automated scanning doesn't really assign confidence; it assigns what someone should check.
@silverwizard ZAP seems to for some reason. It'd be much better if it didn't.
@Bee O'Problem I mean - the main point being that it tells you a severity, but that's not a universal severity, it's a severity for the external world.

@silverwizard Yeah. I have no objections to the flag being high severity/risk. If it weren't a false positive it could be exploitable for RCE after all.

I'm just annoyed that it wasted my time by flagging sketchy evidence of a possible exploit as being stronger than it was. I wasted time I should've been spending on issues with better evidence.

The last point is important since the injection attempt was for a synchronous sleep which presumably is meant to cause the server's response to be slow.

The problem is that on repeated attempts the response was not delayed at all.
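As an added example that is not part of the thread, here is a small triage helper that applies the repeated-attempt reasoning above: a time-based finding only deserves high confidence when every payload request is consistently slower than the benign baseline by roughly the requested sleep, and unchanged timings are evidence of nothing. The latency samples and function names are constructed for this illustration and are not from ZAP.

```python
"""Triage helper for time-based ("sleep") injection alerts.

Compares latencies of benign requests against latencies of requests that
carried a sleep payload and grades how strongly the timings support the
finding. Constructed for illustration; not part of any scanner.
"""
from __future__ import annotations
from dataclasses import dataclass
from statistics import median


@dataclass
class Verdict:
    supported: bool      # True only when the timings actually back the alert
    confidence: str      # "high", "low" or "none"
    baseline_ms: float   # median latency of benign requests
    payload_ms: float    # median latency of payload requests
    detail: str


def assess_timing(baseline: list[float], payload: list[float],
                  sleep_ms: float, tolerance: float = 0.5) -> Verdict:
    """Grade a time-based finding from two sets of measured latencies (ms).

    A payload request counts as delayed when it exceeds the baseline median
    by at least tolerance * sleep_ms. "high" requires every payload request
    to be delayed; a partial count is graded "low" because jitter is then
    the likelier explanation; zero delayed requests is "none".
    """
    if len(baseline) < 3 or len(payload) < 3:
        raise ValueError("need at least 3 samples each to rule out jitter")
    base_med, pay_med = median(baseline), median(payload)
    threshold = base_med + tolerance * sleep_ms
    delayed = sum(1 for t in payload if t >= threshold)
    if delayed == len(payload):
        return Verdict(True, "high", base_med, pay_med,
                       f"all {delayed} payload requests >= {threshold:.0f} ms")
    if delayed:
        return Verdict(False, "low", base_med, pay_med,
                       f"only {delayed}/{len(payload)} payload requests delayed")
    return Verdict(False, "none", base_med, pay_med,
                   "payload latency indistinguishable from baseline")


# Constructed sample latencies (ms) for a server that ignores the query string.
BASELINE_MS = [41.0, 38.5, 44.2, 40.1, 39.7]
IGNORED_PAYLOAD_MS = [42.3, 39.0, 40.8, 43.5, 38.9]   # the case in the thread
DELAYED_PAYLOAD_MS = [5041.0, 5039.2, 5044.7, 5040.3, 5042.1]  # a real 5 s sleep

if __name__ == "__main__":
    print(assess_timing(BASELINE_MS, IGNORED_PAYLOAD_MS, sleep_ms=5000))
    print(assess_timing(BASELINE_MS, DELAYED_PAYLOAD_MS, sleep_ms=5000))
```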