Blind XPath Injection

  • Running Qualys WAS scan report will generate an “High Security Risk” on the
    /wp-admin/admin-ajax.php endpoint with a parameter “aslp” which is this plug-in. The report is:
    “It has been detected by exploiting the parameter aslp
    The payloads section will display a list of tests that show how the param could have been exploited to collect the information. This vulnerability was identified using the difference in responses for TRUE and FALSE payloads. This vulnerability is confirmed based on the difference in the response content (detected using fuzzy match).
    Content of all TRUE responses differ from FALSE responses (detected using fuzzy match).”

    The full POST parameters are (as true):

    action=ajaxsearchlite_search&aslp=%20or%20true()%20or%20%27and%27%20%3D%20%27and%27%20&asid=2&options=qtranslate_lang%3D0%26set_intitle%3DNone %26set_incontent%3DNone%26set_inexcerpt%3DNone%26set_inposts%3DNone%26set_inpages%3DNone%26customset%255B%255D%3Dproducten%26categoryset%255B%255D %3D19%26categoryset%255B%255D%3D18%26categoryset%255B%255D%3D5%26categoryset%255B%255D%3D23%26categoryset%255B%255D%3D16%26categoryset%255B%255D %3D14%26categoryset%255B%255D%3D17%26categoryset%255B%255D%3D1%26categoryset%255B%255D%3D15%26categoryset%255B%255D%3D20

    and (as false):
    action=ajaxsearchlite_search&aslp=%20and%20false()%20and%20%27or%27%20%3D%20%27and%27%20&asid=2&options=qtranslate_lang%3D0%26set_intitle%3DNone%26set_incontent%3DNone %26set_inexcerpt%3DNone%26set_inposts%3DNone%26set_inpages%3DNone%26customset%255B%255D%3Dproducten%26categoryset%255B%255D%3D19%26categoryset%255B%255D %3D18%26categoryset%255B%255D%3D5%26categoryset%255B%255D%3D23%26categoryset%255B%255D%3D16%26categoryset%255B%255D%3D14%26categoryset%255B%255D %3D17%26categoryset%255B%255D%3D1%26categoryset%255B%255D%3D15%26categoryset%255B%255D%3D20

    Anyone has any ideas? WP version is 5.3, plug-in versions is 4.8

    The page I need help with: [log in to see the link]

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author wpdreams

    (@wpdreams)

    Hi!

    This looks like a false positive detection. Basically the test tried to enter different parameters as the search string:

    1. or true() or ‘and’ = ‘and’
    2. or false() and ‘or’ = ‘and’

    ..and I guess it expected the same output(?), that triggered the security detector.
    This is basically an SQL injection test, that checks the outputs of the two different inputs.

    You can safely whitelist this, as the aslp query argument is properly escaped agains SQL injcections.

    Best,
    Ernest M.

    Thread Starter editoo

    (@editoo)

    Hi,

    Apparently Qualys doesn’t agree with you (at least their testing tool doesn’t). Passing the Qualys test-suite (not having high-security risks) unfortunately is a requirement for certification for webshops in the Netherlands. I have requested the company that runs the test to further look into this and see if this indeed can be white listed. Unless you have a ‘3 lines of code’ solution I am afraid we will losse our certification.

    Kind regards,
    Leo

    • This reply was modified 5 years, 3 months ago by editoo.
    • This reply was modified 5 years, 3 months ago by editoo.
    Plugin Author wpdreams

    (@wpdreams)

    Hi Leo,

    There is nothing to solve I’m afraid, as this is a false positive. I have re-tested the exact same requests via fetch() as well as power shell, and got the expected responses – I also monitored the query executed during the requests, and everything was perfectly fine.

    The test passes search phrase arguments, as I wrote before – and one of them may yield a result (either valid search results or keyword suggestions), and the other may not – thus the resulting response is of course different from one another.

    As their testing tool wrote:

    This vulnerability is confirmed based on the difference in the response content (detected using fuzzy match).
    Content of all TRUE responses differ from FALSE responses (detected using fuzzy match).

    Their tool expects the two queries to yield the same resulting response content – and that is an incorrect assumption. Two differrent responses to two different queries is perfectly fine in this case, as we are talking about a search request, which may return different results to different parameters.
    Unless I am missinterpreting something, this is a false positive.

    Best,
    Ernest M.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Blind XPath Injection’ is closed to new replies.