• 3 weeks ago, my WordPress site had no WordFence installed. I usually use OWASP ZAP to check whether a site has security vulnerabilities. I ran an OWASP ZAP scan (using the traditional spider and the AJAX spider) against the site, and the result showed SQL Injection and Path Traversal high-risk vulnerabilities.
    I did some research, and it said a firewall is needed to prevent the vulnerabilities mentioned. I installed WordFence Free and activated it. I ran another OWASP ZAP scan, and the scan did not finish. It might have been blocked by WordFence Free. I repeated the OWASP ZAP scan against the site with the newly installed WordFence, and the second time the scan did not finish either. So I concluded that WordFence was blocking the OWASP ZAP scan's SQL Injection and Path Traversal attacks.

    But after a few weeks, I tried an OWASP ZAP scan again on the site with WordFence Free activated. This time the SQL Injection and Path Traversal high-risk vulnerabilities appeared in the OWASP ZAP result. I manually refreshed the rules of the WordFence Free firewall. Then I ran another OWASP ZAP scan, and no SQL Injection or Path Traversal appeared because WordFence was blocking OWASP ZAP. Then after 2 days, I tried the OWASP ZAP scan again, and SQL Injection and Path Traversal appeared in the OWASP ZAP result.

    Why is there no consistency in WordFence blocking the simulated attacks of the OWASP ZAP scan? Is it because WordFence is free?

  • Thread Starter liam123sky (@liam123sky)

    <User opened a new post about this. Adding the information here and closing the other post. Please do not make duplicate posts. Thanks! Mia>

    I ran an OWASP ZAP scan against a site (WordFence Free activated), and the result showed a high-risk security vulnerability such as SQL Injection. That means OWASP ZAP succeeded in sending the attack to the site. But WordFence sends me emails saying that it blocked the SQL Injection attack. Do you have any idea whether WordFence is really blocking the SQL Injection attack even though the OWASP ZAP report says the site has the vulnerability?

    Thread Starter liam123sky (@liam123sky)

    Additional question: I ran an OWASP ZAP scan against a site (WordFence Free activated), and the result showed a high-risk security vulnerability such as SQL Injection. That means OWASP ZAP succeeded in sending the attack to the site. But WordFence sends me emails saying that it blocked the SQL Injection attack. Do you have any idea whether WordFence is really blocking the SQL Injection attack even though the OWASP ZAP report says the site has the vulnerability?

    Thanks. I’m waiting for the QA team to look at this before I answer.

    Mia

    Hi Liam,

    Exploiting a vulnerability requires several conditions:

    1. A vulnerable software component running on your site
    2. An attack that can successfully exploit that vulnerable component
    3. Nothing stopping the attack from exploiting the vulnerability

    Automated outside-in vulnerability scans such as Nessus tend to try a huge range of exploits and are highly prone to false positive results that require experience to interpret. OWASP ZAP is useful, but it is not nearly as well-maintained as, and is significantly more prone to false positive results than, other offerings, and unless it is using a ruleset specifically designed for WordPress it is unlikely to detect meaningful vulnerabilities (and even then it runs into the same issues as other scanners such as Nessus).

    In addition to this more general set of issues, many automated vulnerability scanners will test for vulnerabilities across a wide range of systems. For instance, such a scanner might try sending out SQL injection attempts designed to attack different database systems, such as Microsoft SQL, MySQL, and others.

    As WordPress runs on MySQL/MariaDB, an attack designed to exploit Microsoft SQL cannot work against WordPress, and so the Wordfence firewall would not block it because there are no vulnerable components for such an attack to exploit.

    If ZAP is indicating the presence of a particular vulnerability that is not being blocked it may be worth additional investigation, but the results you’re currently seeing are very generic and do not provide sufficient information to do so.
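    The reply above makes two practical points: a scanner fires engine-specific SQL injection checks at every target, and a finding aimed at an engine the site does not run (Microsoft SQL against a MySQL/MariaDB-backed WordPress site) cannot be exploitable there, so the firewall blocking or not blocking it tells you nothing. The script below is an added example, not Wordfence's or ZAP's own code, that applies that triage to a ZAP XML export: it reads the report, de-duplicates the instances of each alert, sets aside SQL injection findings whose alert title names a different database engine, and tags the rest with the scanner's own confidence so a person knows what to look at first. The report layout it parses (`site > alerts > alertitem > instances > instance`, with `alert`, `riskcode`, `confidence`, `uri`, `method` and `param` children) follows the shape of ZAP's XML export, but the embedded sample is constructed and every value in it is made up.

```python
"""Triage helper for an OWASP ZAP XML report from a scan of a WordPress site.

Added example; not Wordfence's or ZAP's own code. The element names it reads
are assumed to match ZAP's XML export; the sample report is constructed.
"""
import re
import xml.etree.ElementTree as ET

# ZAP risk and confidence codes as they appear in the XML export.
RISK = {"0": "informational", "1": "low", "2": "medium", "3": "high"}
CONFIDENCE = {"0": "false positive", "1": "low", "2": "medium",
              "3": "high", "4": "confirmed"}

# Engine-specific SQL injection checks carry the engine name in the alert title.
# WordPress runs on MySQL/MariaDB, so a finding that targets another engine
# cannot be exploitable on the site and the firewall has nothing real to block.
DB_FAMILY_PATTERNS = {
    "mysql": re.compile(r"mysql|mariadb", re.I),
    "mssql": re.compile(r"mssql|microsoft sql|sql server", re.I),
    "oracle": re.compile(r"oracle", re.I),
    "postgresql": re.compile(r"postgres", re.I),
    "sqlite": re.compile(r"sqlite", re.I),
    "hypersonic": re.compile(r"hypersonic|hsql", re.I),
}

# Constructed sample report: hypothetical values, not output of a real scan.
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="constructed" generated="constructed">
 <site name="https://example.test" host="example.test" port="443" ssl="true">
  <alerts>
   <alertitem>
    <alert>SQL Injection - MsSQL</alert>
    <riskcode>3</riskcode><confidence>2</confidence>
    <instances><instance><uri>https://example.test/?s=x</uri>
     <method>GET</method><param>s</param></instance></instances>
   </alertitem>
   <alertitem>
    <alert>SQL Injection - MySQL</alert>
    <riskcode>3</riskcode><confidence>1</confidence>
    <instances>
     <instance><uri>https://example.test/?p=1</uri><method>GET</method><param>p</param></instance>
     <instance><uri>https://example.test/?p=1</uri><method>GET</method><param>p</param></instance>
    </instances>
   </alertitem>
   <alertitem>
    <alert>Path Traversal</alert>
    <riskcode>3</riskcode><confidence>2</confidence>
    <instances><instance><uri>https://example.test/?f=a</uri>
     <method>GET</method><param>f</param></instance></instances>
   </alertitem>
   <alertitem>
    <alert>X-Content-Type-Options Header Missing</alert>
    <riskcode>1</riskcode><confidence>2</confidence>
    <instances><instance><uri>https://example.test/</uri><method>GET</method><param></param></instance></instances>
   </alertitem>
  </alerts>
 </site>
</OWASPZAPReport>
"""


def db_family(alert_name):
    """Engine an SQL injection alert targets, 'generic' for an engine-agnostic
    SQL injection check, or None when the alert is not about SQL injection."""
    if "sql injection" not in alert_name.lower():
        return None
    for family, pattern in DB_FAMILY_PATTERNS.items():
        if pattern.search(alert_name):
            return family
    return "generic"


def parse_alerts(xml_text):
    """Flatten the report into one dict per alert with de-duplicated targets."""
    root = ET.fromstring(xml_text)
    alerts = []
    for item in root.iter("alertitem"):
        targets = set()
        for inst in item.iter("instance"):
            targets.add((inst.findtext("method", ""), inst.findtext("uri", ""),
                         inst.findtext("param", "")))
        alerts.append({
            "name": item.findtext("alert", ""),
            "risk": RISK.get(item.findtext("riskcode", ""), "unknown"),
            "confidence": CONFIDENCE.get(item.findtext("confidence", ""), "unknown"),
            "targets": sorted(targets),
        })
    return alerts


def triage(alerts, site_db="mysql", min_risk="high"):
    """Split alerts at or above min_risk into ones worth a manual look and ones
    that target a database engine the site does not run."""
    order = ["informational", "low", "medium", "high"]
    keep = set(order[order.index(min_risk):])
    result = {"investigate": [], "deprioritize": []}
    for alert in alerts:
        if alert["risk"] not in keep:
            continue
        family = db_family(alert["name"])
        entry = dict(alert)
        if family not in (None, "generic", site_db):
            entry["reason"] = f"targets {family}; site runs {site_db}"
            result["deprioritize"].append(entry)
        else:
            entry["reason"] = (f"{alert['confidence']} scanner confidence, "
                               f"{len(alert['targets'])} unique target(s)")
            result["investigate"].append(entry)
    return result


if __name__ == "__main__":
    for bucket, entries in triage(parse_alerts(SAMPLE_REPORT)).items():
        print(bucket.upper())
        for e in entries:
            print(f"  [{e['risk']}] {e['name']}: {e['reason']}")
```

    Run against a real export with `parse_alerts(open("report.xml").read())`; the "deprioritize" bucket is where the Microsoft SQL style findings from the reply land, while a generic or MySQL-specific SQL injection alert, or a Path Traversal alert, stays in "investigate" with its confidence and de-duplicated target count so the remaining manual work is visible at a glance.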

  • The topic ‘WORDFENCE – OWASP ZAP Scan Fails or Succeed??’ is closed to new replies.