GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. Bee O'Problem :godot: (beeoproblem@mastodon.gamedev.place)'s status on Tuesday, 29-Aug-2023 01:45:22 JST

    Today in What Grinds my Gears:
    When a ZAP scan flags a "high severity, high confidence" issue based on literally nothing.

    ZAP: sends a request with a hinky query string
    Server: ignores all query strings
    ZAP: OMG BLIND SERVER SIDE INJECTION INTO A NONEXISTENT TEMPLATE ENGINE!!!!!11one

    As in previous "What Grinds my Gears" I really don't get why these scanning tools assign ridiculously high confidence values to issues where there's no evidence the vulnerable component exists.

    • silverwizard (silverwizard@convenient.email)'s status on Tuesday, 29-Aug-2023 01:45:19 JST, in reply to the notice above
      @beeoproblem The main thing is that automated scanning doesn't really assign confidence, it assigns what someone should check
    • Bee O'Problem :godot: (beeoproblem@mastodon.gamedev.place)'s status on Tuesday, 29-Aug-2023 01:45:21 JST, in reply to the notice above

      To be safe I even wasted my time checking the server itself and the entire stack has literally zero interaction with the query string whatsoever.

      I'm mainly angry due to the absurd "high" confidence ZAP is assigning the flag.

      First: ZAP has no knowledge of the server's implementation. There's no way to tell a "blind" injection even exists.

      Second: The evidence something bad happened is NOTHING. It's just as likely the input didn't do anything.

      Third: Response time was unchanged

    • silverwizard (silverwizard@convenient.email)'s status on Tuesday, 29-Aug-2023 02:15:14 JST, in reply to the notice above
      @beeoproblem I mean - the main point being that it tells you a severity, but that's not a universal severity, it's a severity for the external world
    • Bee O'Problem :godot: (beeoproblem@mastodon.gamedev.place)'s status on Tuesday, 29-Aug-2023 02:15:15 JST, in reply to silverwizard

      @silverwizard ZAP seems to for some reason. It'd be much better if it didn't

    • silverwizard (silverwizard@convenient.email)'s status on Tuesday, 29-Aug-2023 02:33:04 JST, in reply to the notice above
      @beeoproblem Yeah - I get that. Automation just sucks.
    • Bee O'Problem :godot: (beeoproblem@mastodon.gamedev.place)'s status on Tuesday, 29-Aug-2023 02:33:05 JST, in reply to silverwizard

      @silverwizard Yeah. I have no objections to the flag being high severity/risk. If it weren't a false positive it could be exploitable for RCE after all.

      I'm just annoyed that it wasted my time by flagging sketchy evidence of a possible exploit as being stronger than it was. I wasted time I should've been spending on issues with better evidence.

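The triage rule Bee sets out in the thread (no change in status or body, no change in response time, therefore no evidence) written out as an added example; this is not code from the thread and not ZAP's own logic. The Response record, the 5000 ms delay target and the 80% tolerance are assumptions chosen for the example, and all inputs are constructed.

```python
from dataclasses import dataclass


@dataclass
class Response:
    """One recorded HTTP exchange (constructed data, not real traffic)."""
    status: int
    body: str
    elapsed_ms: float


def grade_blind_alert(baseline, probe, controls, delay_target_ms=5000.0):
    """Grade a scanner's blind-injection alert by observable evidence.

    baseline: the request with the parameter left unchanged
    probe:    the scanner's request carrying the suspect value
    controls: repeats of the baseline, used to measure timing jitter
    delay_target_ms: the delay the blind payload was supposed to cause (assumed)
    Returns (confidence, reasons); confidence is 'low', 'medium' or 'high'.
    """
    reasons = []
    if probe.status != baseline.status:
        reasons.append(f"status changed {baseline.status} -> {probe.status}")
    if probe.body != baseline.body:
        reasons.append("response body differs from baseline")
    # A time-based claim must beat the slowest control, not one lucky baseline,
    # otherwise ordinary jitter looks like an induced delay.
    slowest = max([baseline.elapsed_ms] + [c.elapsed_ms for c in controls])
    delta = probe.elapsed_ms - slowest
    if delta >= 0.8 * delay_target_ms:
        reasons.append(f"probe {delta:.0f} ms slower than every control")
    # Zero differences means the alert rests on nothing the server did;
    # one difference is worth a look, two or more is real evidence.
    confidence = ("low", "medium", "high")[min(len(reasons), 2)]
    return confidence, reasons


def triage_thread_case():
    """The situation from the thread: the server ignores query strings entirely."""
    page = "<html><body>static page</body></html>"
    baseline = Response(200, page, 118.0)
    controls = [Response(200, page, 121.0), Response(200, page, 115.0)]
    probe = Response(200, page, 124.0)  # same status, same body, same timing
    return grade_blind_alert(baseline, probe, controls)


if __name__ == "__main__":
    print(triage_thread_case())  # ('low', [])
```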

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.