
For educational purposes, I am pentesting an app server of mine. I am using ZAP and it reports a remote file inclusion vulnerability. I looked at it and think it's a false positive, but before I miss something I wanted to ask the community:

ZAP Report:

URL:        https://myapplication.net/home/logoff?target=http%3A%2F%2Fwww.google.com%2F
Method:     GET
Parameter:  target
Attack:     http://www.google.com/
Evidence:   <title>Google</title>

Result: When executing the link I am forwarded to Google

Question: But how can this be an RFI? It might be an unchecked external redirect, OK, but RFI? RFI for me is the injection of a malicious file and the execution of it - or what am I missing?

Update: curl -I prints

HTTP/1.1 302 Found
Date: Thu, 03 Dec 2020 16:32:37 GMT
Server: Apache
Location: http://www.google.com/
Via: 1.1 someInternalServer1.net
Vary: User-Agent
Via: 1.1 someInternalServer2.net
Lonzak
  • What headers are sent? What does `curl -I https://myapplication.net/home/logoff?target=http%3A%2F%2Fwww.google.com%2F` provide? – vidarlo Dec 03 '20 at 16:26
  • Updated the question with the values – Lonzak Dec 03 '20 at 16:38
  • Have you tried running the ZAP Desktop vs your app? ZAP seems to have found a Google like title, so would be interesting to see what's shown in the response in ZAP. – Simon Bennetts Dec 03 '20 at 17:16
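A triage helper for this kind of finding, added here as an example (it is not code from the question, from ZAP, or from the app in question): it classifies a raw HTTP response as an open redirect versus remote content actually echoed in the body, and shows an allowlist check for the logoff `target` parameter. The sample response is constructed from the question's `curl -I` output; `allowed_hosts` and `safe_logoff_target` are assumed names, not anything the app provides.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the curl -I output from the question, as a scanner
# sees it when it does NOT follow redirects (only the relevant headers).
RAW_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache\r\n"
    "Location: http://www.google.com/\r\n"
    "Vary: User-Agent\r\n"
    "\r\n"
)

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify(raw, attack_url, evidence):
    """Triage a scanner hit. Inclusion would put the remote content into OUR
    response body; a 3xx whose Location is the attack URL is an open redirect,
    and the evidence the scanner saw came from following that redirect."""
    status, headers, body = parse_response(raw)
    if 300 <= status < 400 and headers.get("location", "").startswith(attack_url):
        return "open-redirect"
    if evidence.lower() in body.lower():
        return "remote-content-in-body"
    return "not-reproduced"

def safe_logoff_target(target, allowed_hosts, fallback="/"):
    """Allowlist check for ?target=: honour only site-relative paths or
    absolute http(s) URLs whose host is listed; everything else -> fallback."""
    if "\\" in target:            # browsers treat "/\host" like "//host"
        return fallback
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Plain path; "//host" has a netloc and so never reaches this branch
        return target if target.startswith("/") else fallback
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return urlunsplit(parts)
    return fallback
```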

0 Answers