Conversation

Notices

Embed this notice
Bee O'Problem :godot: (beeoproblem@mastodon.gamedev.place)'s status on Tuesday, 29-Aug-2023 01:45:22 JST Bee O'Problem :godot:

Today in What Grinds my Gears:
When a ZAP scan flags a "high severity, high confidence" issue based on literally nothing.
ZAP: sends a request with a hinky query string
Server: ignores all query strings
ZAP: OMG BLIND SERVER SIDE INJECTION INTO A NONEXISTENT TEMPLATE ENGINE!!!!!11one
As in previous "What Grinds my Gears" I really don't get why these scanning tools assign ridiculously high confidence values to issues where there's no evidence the vulnerable component exists.

In conversation Tuesday, 29-Aug-2023 01:45:22 JST from mastodon.gamedev.place permalink
- Embed this notice
  silverwizard (silverwizard@convenient.email)'s status on Tuesday, 29-Aug-2023 01:45:19 JST silverwizard
  in reply to
  
  @beeoproblem The main thing is that automated scanning doesn't really assign confidence, it assigns what someone should check
  
  In conversation Tuesday, 29-Aug-2023 01:45:19 JST permalink
- Embed this notice
  Bee O'Problem :godot: (beeoproblem@mastodon.gamedev.place)'s status on Tuesday, 29-Aug-2023 01:45:21 JST Bee O'Problem :godot:
  in reply to
  
  To be safe I even wasted my time checking the server itself and the entire stack has literally zero interaction with the query string whatsoever.
  I'm mainly angry due to the absurd "high" confidence ZAP is assigning the flag.
  First: ZAP has no knowledge of the server's implementation. There's no way to tell a "blind" injection even exists.
  Second: The evidence something bad happened is NOTHING. It's just as likely the input didn't do anything.
  Third: Response time was unchanged
  
  In conversation Tuesday, 29-Aug-2023 01:45:21 JST permalink
- Embed this notice
  silverwizard (silverwizard@convenient.email)'s status on Tuesday, 29-Aug-2023 02:15:14 JST silverwizard
  in reply to
  
  @beeoproblem I mean - the main point being that it tells you a severity, but that's not a universal severity, it's a severity for the external world
  
  In conversation Tuesday, 29-Aug-2023 02:15:14 JST permalink
- Embed this notice
  Bee O'Problem :godot: (beeoproblem@mastodon.gamedev.place)'s status on Tuesday, 29-Aug-2023 02:15:15 JST Bee O'Problem :godot:
  in reply to
  - silverwizard
  @silverwizard ZAP seems to for some reason. It'd be much better if it didn't
  
  In conversation Tuesday, 29-Aug-2023 02:15:15 JST permalink
- Embed this notice
  silverwizard (silverwizard@convenient.email)'s status on Tuesday, 29-Aug-2023 02:33:04 JST silverwizard
  in reply to
  
  @beeoproblem Yeah - I get that. Automation just sucks.
  
  In conversation Tuesday, 29-Aug-2023 02:33:04 JST permalink
- Embed this notice
  Bee O'Problem :godot: (beeoproblem@mastodon.gamedev.place)'s status on Tuesday, 29-Aug-2023 02:33:05 JST Bee O'Problem :godot:
  in reply to
  - silverwizard
  @silverwizard Yeah. I have no objections to the flag being high severity/risk. If it weren't a false positive it could be exploitable for RCE after all.
  I'm just annoyed that it wasted my time by flagging sketchy evidence of an possible exploit as being stronger than it was. I wasted time I should've been spending on issues with better evidence.
  
  In conversation Tuesday, 29-Aug-2023 02:33:05 JST permalink

Public

Notices

Feeds