Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: avoid false positives in prestashop SQLi #11093

Merged
merged 6 commits into from
Nov 22, 2024
Merged

fix: avoid false positives in prestashop SQLi #11093

merged 6 commits into from
Nov 22, 2024

Conversation

gnuletik
Copy link
Contributor

Template / PR Information

PR #10739 introduced three new templates for Prestashop based on SQL injection with time-based matchers.

This PR is an attempt to avoid false positives with these new templates.
I've included changes to increase the timeout and add body response (when I was able to reproduce the vulnerability).

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details (leave it blank if not applicable)

Additional References:

@GeorginaReeder
Copy link

Thanks for your contribution @gnuletik ! :)

@mastercho
Copy link
Contributor

Increasing time won't avoid false positive, that's related with your setup, also on last template

contains(body, "Error while creating the alert") is wrong because some versions of plugin just throws 500 status with empty response.

You can provide sites with FP to PD template team so they can investigate.

@gnuletik
Copy link
Contributor Author

@mastercho Thanks for the feedback!

I agree that increasing time doesn't remove false positives in a reliable way.
However, from multiple tests we've made, we've seen that Prestashop websites are usually slow and increasing the value from what we've set in this PR greatly reduce the occurrence of false-positives.

I haven't seen version of the plugin that returns 500 status code with empty response but that's quite interesting!
Would you consider this change if we match with the following conditions:

  • 500 status code
  • "empty response" OR contains(body, "Error while creating the alert")

Thanks!

@mastercho
Copy link
Contributor

@mastercho Thanks for the feedback!

I agree that increasing time doesn't remove false positives in a reliable way. However, from multiple tests we've made, we've seen that Prestashop websites are usually slow and increasing the value from what we've set in this PR greatly reduce the occurrence of false-positives.

I haven't seen version of the plugin that returns 500 status code with empty response but that's quite interesting! Would you consider this change if we match with the following conditions:

  • 500 status code
  • "empty response" OR contains(body, "Error while creating the alert")

Thanks!

Specially my templates are tested on 300+ vuln targets fetched from Fofa.info and Shodan. Then PD template team also tested and confirmed and 500 status code ones was also provided to them. Not specific for these templates but usually when you run big list in nuclei it's always overloads your system and sometimes when there is tons of requests going its takes time complete request on Time Based SQLi templates and can detect as False Positive they will add better matchers for that in feature. Before i push my template i test them on 3 different setups 3 different locations. Also i don't remember which but some WAFs was bypassed with 5 seconds on time based only and would detect other times. CVE-2024-36683 Specifically also spams admins email that someone procs this endpoint. So they can fix it pretty quick and you think is False Positive

@ritikchaddha
Copy link
Contributor

Hello @gnuletik and @mastercho, based on your discussion, I made some changes to the template. Please let me know if it looks good to you.

@mastercho
Copy link
Contributor

Hello @gnuletik and @mastercho, based on your discussion, I made some changes to the template. Please let me know if it looks good to you.

CVE-2024-36683.yaml matchers are totally wrong, i won't go back to our long conversations about it with you because im tired to repeat everytime same thing. Its was just fixed in recent version and you broke it again to give false negatives...

@ritikchaddha ritikchaddha added the Done Ready to merge label Nov 21, 2024
@mastercho
Copy link
Contributor

@ritikchaddha can you at least fix false negative matcher contains(body, "Error while creating the alert") as you state readed our discussion here?

@ritikchaddha
Copy link
Contributor

The matcher contains(body, "Error while creating the alert") is in matchers-condition: or, so there should not be any problem.

@ritikchaddha ritikchaddha merged commit e8ce328 into projectdiscovery:main Nov 22, 2024
3 checks passed
@mastercho
Copy link
Contributor

The matcher contains(body, "Error while creating the alert") is in matchers-condition: or, so there should not be any problem.

          - 'duration>=8'
          - 'contains(body, "Error while creating the alert")'

duration_1 or 2? body_1 or body_2 in which we are looking to match these?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ritikchaddha ritikchaddha ritikchaddha approved these changes

Assignees

@ritikchaddha ritikchaddha

Labels
Done Ready to merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@gnuletik @GeorginaReeder @mastercho @ritikchaddha