Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

False positive issues #1

Open
MolowoXyz opened this issue Apr 15, 2022 · 2 comments
Open

False positive issues #1

MolowoXyz opened this issue Apr 15, 2022 · 2 comments

Comments

@MolowoXyz
Copy link

When i used your tool,it gives false positives to the website i scanned.I thought it is zero false positive.Kindly improve on the tool because of your reputation.

@stefan-stojanovic-s
Copy link

There is no such tool that will give you 0% false positives. That's why you use more than one tool for the job.
This is not an issue, nor a problem related to repo. The tool is awesome

@derekmpage
Copy link

See https://github.com/fullhunt/spring4shell-scan/blob/master/spring4shell-scan.py#L160 - the tool says that unless it gets a HTTP 200 or HTTP 404, the system is vulnerable. This is a very bad assumption. How about a WAF or any other layer returning a 403 (access denied) or 400 (bad request)?

Applied following diff for better debugging:

diff --git a/spring4shell-scan.py b/spring4shell-scan.py
index 7c911a7..f25dd89 100755
--- a/spring4shell-scan.py
+++ b/spring4shell-scan.py
@@ -158,6 +158,7 @@ def test_url_cve_2022_22965(url):
data={parameter: value},
proxies=proxies)
if r.status_code not in (200, 404) and verify_base_request(url, "POST") != r.status_code:
+ print(r.status_code, url, {parameter: value})
return True
except Exception as e:
cprint(f"EXCEPTION: {e}")
@@ -171,6 +172,7 @@ def test_url_cve_2022_22965(url):
params={parameter: value},
proxies=proxies)
if r.status_code not in (200, 404) and verify_base_request(url, "GET") != r.status_code:
+ print(r.status_code, url)
return True
except Exception as e:
cprint(f"EXCEPTION: {e}")

Now we can see what is claimed vulnerable:

Run this payload in curl:

> curl -i -XPOST https://www.example.com/ -d "{'class.module.classLoader[2akirzr]': '2akirzr'}"
HTTP/2 403
server: Varnish
retry-after: 0
accept-ranges: bytes
date: Fri, 22 Apr 2022 13:49:45 GMT
content-length: 0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants