I have a WordPress site that I manage. I recently received a Qualys vulnerability security scan (non-authenticated scan) that has a large number of "Path Based Vulnerability" findings. Almost all of the paths listed follow this format:
Some examples include:
https://www.example.com/search/admin https://www.example.com/search/bin
When I go to these URL's, I get an appropriate search page response stating, for example, "Search for Admin produced no results".
But, if I go to https://www.example.com/search/ without a string parameter, I get a 404 error (custom error page) stating the page could not be found. All this works like I would expect it to. No sensitive data/pages are being shown.
An example of the Qualys finding is:
150004 Path-Based Vulnerability URL: https://www.example.com/search/1/feed/rss2/ Finding # 8346060(130736429) Severity Confirmed Vulnerability - Level 2 Unique # redacted Group Path Disclosure Detection Date 22 Mar 2021 18:16 GMT-0400 CWE CWE-22 OWASP A5 Broken Access Control WASC WASC-15 APPLICATION MISCONFIGURATION WASC-16 DIRECTORY INDEXING WASC-17 IMPROPER FILESYSTEM PERMISSIONS CVSS V3 Base 5.3 CVSS V3 Temporal5 CVSS V3 Attack VectorNetwork
Details Threat A potentially sensitive file, directory, or directory listing was discovered on the Web server.
Impact The contents of this file or directory may disclose sensitive information.
Solution Verify that access to this file or directory is permitted. If necessary, remove it or apply access controls to it.
Detection Information Parameter No param has been required for detecting the information. Authentication In order to detect this vulnerability, no authentication has been required. Access Path Here is the path followed by the scanner to reach the exploitable URL: https://www.example.com https://www.example.com/?s=1
Payloads
#1 #1 Request GET https://www.example.com/search/tools/ Referer: https://www.example.com Cookie: [removed in case its sensitive]; caosLocalGa= [removed in case its sensitive]; Host: https://www.example.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1
Safari/605.1.15 Accept: /
Based on the findings, this seems to be a false positive. But, my CIO insists that I prove it as such. First, is there any documentations on this that might be helpful? Second, does anyone know of any updates to WP that could hide/remove these findings?
(I'd comment, but my rep isn't high enough.)
I can partially answer this, as I fighting the same battle right now with a different web app. If you run the request in a browser with the developer tools on, I'll bet you'll see the response code from the server is 200 even though it is actually doing a redirect.
The scanner sees the response code is OK and based on that, the request succeeded as is when it really didn't. You have to give it a different response code when doing a "silent" redirect.