1

Web Application Vulnerability and Potential False Positives

As a Penetration Tester the application vulnerability scan is a major part of any penetration testing methodology. In the Application Scanning stage there are several different types of vulnerabilities that may surface. The main ones being...

SQL injection/blind SQL injection, cross-site scripting/persistent cross-site scripting, command injection, XPath injection, SOAP/AJAX attacks, CSRF/HTTP response splitting, arbitrary file upload attacks, remote file include (PHP code injection), application errors, etc. (I may have left some out, please don't grill me if I neglected to mention them above.)

When using a scanner you can rest assured to encounter a false positive. In my experience the SQL injection vulnerability is what's going to harbor the most false positives.

False positives are a nasty byproduct of using scanners that are created to save time. I haven't found a subject that directly touches on this subject and wanted to start a brief Q & A.

So here is the point of this entire post: when faced with the scan output and a potential vulnerability actually being a false positive, what are effective measures of determining these "false positives" (if not already designated as such), verifying them, and then correcting them?

I know there is an independent process for each vulnerability, but I'd like to focus on SQL injection and cross-site scripting initially.

Any help is appreciated...

Sh1nu11bi
  • 89
  • 6

2 Answers

1

I personally see a lot of false positives with Cross Site Request Forgery.

This may not be the answer you're looking for, but you need to verify them to the best of your ability.

If you find something is beyond your ability you have a couple options:

  • learn how to do it - this of course takes time and experience, a luxury we don't always have
  • lean on a knowledgeable sysadmin
  • lean on a knowledgeable developer
  • lean on the vendor (if this is a 3rd party app) to confirm/deny the vulnerability

Vulnerability scan results can cover a wide range of technologies and platforms. You can't be expected to be an expert in all of them.

k1DBLITZ
  • 3,933
  • 14
  • 20
  • I'm pretty knowledgeable concerning Cross Site Request Forgery. It's just a challenge to recognize something based upon an ever expanding vulnerability database. But I agree with your logic as I understand it... examine the detection and determine if it is actually relevant based on help from other mediums. – Sh1nu11bi Oct 15 '14 at 21:14
1

Leveraging other specialty tools to help you verify reported or potential vulnerabilities can help a lot.

For example, using tools like XSS Validator to actually confirm JS execution.

For SQLi, I will often fire up multiple copies of SQLmap to test the different reported SQLi vectors while I work on other tasks.

There is probably no way to avoid manual work or investigation. Looser vulnerability checks often report false positives, but if you tighten them too much then you get false negatives. I think most tools strive for a reasonable balance.

Tate Hansen
  • 13,714
  • 3
  • 40
  • 83
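The verification loop this answer describes, as an added worked example that is not code from the answer's author, from SQLmap or from XSS Validator. It shows the two checks that decide most SQLi and XSS false positives in practice: for a response-difference (boolean-style) SQLi report, measure how much the page already changes between identical requests before trusting any difference the scanner saw; for a reflected XSS report, check whether the scanner's marker came back raw or HTML-encoded. All responses are constructed for the example, the list of volatile patterns is an assumption you would extend per target, and the 0.9 stability floor and 0.05 margin are assumed thresholds, not values from either tool.

```python
import difflib
import html
import re

# Constructed sample responses for a hypothetical search page; none of this
# was captured from a real application. The server time is the only thing
# that legitimately changes between identical requests.
BASELINE_A = ("<html><body><p>Welcome, guest. Server time 12:01:05</p>"
              "<p>Items: 3</p></body></html>")
BASELINE_B = ("<html><body><p>Welcome, guest. Server time 12:01:09</p>"
              "<p>Items: 3</p></body></html>")
TEST_SAME = ("<html><body><p>Welcome, guest. Server time 12:01:12</p>"
             "<p>Items: 3</p></body></html>")
TEST_DIFF = ("<html><body><p>Welcome, guest. Server time 12:01:14</p>"
             "<p>No items matched your query. Please try again.</p></body></html>")
# A page with a per-request anti-CSRF token the normalizer does not strip:
# identical requests already differ, so response-difference evidence is noise.
UNSTABLE_A = "<form><input name='token' value='1234567890123456'></form><p>Items: 3</p>"
UNSTABLE_B = "<form><input name='token' value='abcdefabcdefabcd'></form><p>Items: 3</p>"

# Patterns treated as volatile (assumed for this example): clock times, ISO
# dates and 32-hex-digit identifiers such as session ids.
VOLATILE = re.compile(r"\d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}|\b[0-9a-f]{32}\b")


def normalize(body):
    return VOLATILE.sub("", body)


def similarity(a, b):
    """Ratio in [0, 1] between two responses after removing volatile content."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def page_stability(baselines):
    """Lowest pairwise similarity among repeated *identical* baseline requests.
    This is the noise floor: a test response that differs less than this from
    baseline is not evidence of anything."""
    pairs = [(baselines[i], baselines[j])
             for i in range(len(baselines)) for j in range(i + 1, len(baselines))]
    return min((similarity(a, b) for a, b in pairs), default=1.0)


def differential_significant(baseline, test, stability, margin=0.05):
    """True only if the test response differs from baseline by more than the
    page's own request-to-request noise plus a safety margin (margin assumed)."""
    return similarity(baseline, test) < stability - margin


def reflection_context(body, marker):
    """How a unique, harmless marker string came back in the response.
    'raw' needs a manual look (the surrounding markup decides exploitability);
    'encoded' means output encoding is in place and the report is very likely
    a false positive; 'absent' means the scanner's evidence is not reproducible."""
    if marker in body:
        return "raw"
    if html.escape(marker, quote=True) in body or html.escape(marker, quote=False) in body:
        return "encoded"
    return "absent"


def triage(finding):
    """Classify one scanner finding as (verdict, reason)."""
    if finding["type"] == "sqli":
        stability = page_stability(finding["baselines"])
        if stability < 0.9:  # threshold assumed
            return ("unreliable", f"noise floor {stability:.2f}; differential evidence is meaningless here")
        if differential_significant(finding["baselines"][0], finding["test"], stability):
            return ("verify", "response differs beyond baseline noise; reproduce by hand")
        return ("likely_false_positive", "test response matches baseline once volatile content is removed")
    if finding["type"] == "xss":
        ctx = reflection_context(finding["test"], finding["marker"])
        return {"raw": ("verify", "marker reflected unencoded; inspect the surrounding context"),
                "encoded": ("likely_false_positive", "marker reflected HTML-encoded"),
                "absent": ("likely_false_positive", "marker not reflected at all")}[ctx]
    return ("unknown", "no triage rule for this finding type")


# Constructed scanner findings to run through the triage.
MARKER = "zqx<>\"'"
FINDINGS = [
    {"id": "f1", "type": "sqli", "baselines": [BASELINE_A, BASELINE_B], "test": TEST_SAME},
    {"id": "f2", "type": "sqli", "baselines": [BASELINE_A, BASELINE_B], "test": TEST_DIFF},
    {"id": "f3", "type": "sqli", "baselines": [UNSTABLE_A, UNSTABLE_B], "test": UNSTABLE_A},
    {"id": "f4", "type": "xss", "marker": MARKER, "test": "<p>Results for " + html.escape(MARKER) + "</p>"},
    {"id": "f5", "type": "xss", "marker": MARKER, "test": "<p>Results for " + MARKER + "</p>"},
]


def triage_all(findings):
    """Map finding id to verdict for every finding."""
    return {f["id"]: triage(f)[0] for f in findings}


if __name__ == "__main__":
    for f in FINDINGS:
        verdict, reason = triage(f)
        print(f"{f['id']}: {verdict:22} {reason}")
```

The point of `page_stability` is the one the answer makes about loose versus tight checks: a scanner that compares one baseline against one test response has no idea how noisy the page is, so on a page with per-request tokens or rotating banners every "different" response looks like a hit. Measuring the noise floor first, and only treating a difference below it as worth a manual look, is what separates the verify pile from the discard pile before any tool is fired up. The XSS half is the same idea for reflection: a marker that only comes back entity-encoded is exactly the case a looser check reports and a human would dismiss.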