Mark issues as false positive via command line
Hi,
Is it possible to mark issues as false positive after a scan via the command line?
I am now running the arachni command with some limitations but I want to skip found false positives (or don't report them) next time when I run the scan (via cron).
Is this possible or should I wait for the scheduler in the web interface?
Regards,
Michiel
Support Staff 1 Posted by Tasos Laskos on Sep 20, 2013 @ 02:07 PM
No you can't, the CLI interface has no DB to store that sort of data.
However, if you've found FPs you should report them so that they can be fixed.
2 Posted by Michiel on Sep 20, 2013 @ 02:12 PM
Ok, the definition of a FP is a trusted found vulnerability or even a vulnerability that needs manual reviewing?
We got 2 or 3 blind SQL injections that are trusted and I think they are False Positives.
If so, should I report them and tell them why they are FP?
Also we noticed that a lot of XSS attacks are FP because the alert XSS is found in the response but the < and > characters are encoded/escaped but they are not checked in the response and therefore marked for review.
Is it possible to make the XSS check better by checking for correct or incorrect escaping of all the XSS characters?
Support Staff 3 Posted by Tasos Laskos on Sep 20, 2013 @ 02:20 PM
Yeah you should definitely report the SQL injection ones.
As for the XSS ones, only `xss_script_tag` can yield troublesome results, which is why it's set to always require manual verification. All the others can't return FPs as the response body is parsed into a DOM document and the modules check if the element they tried to inject appears in the document as a node. However, if you still think that these are FPs I wouldn't mind hearing more about them.
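The distinction Tasos describes (the injected element must appear as a DOM node, not merely as a substring of the response) is what separates a confirmed reflection from the escaped-but-present case Michiel reports. The following added example is not Arachni's code; it is a small Python illustration using the standard-library HTML parser. The probe tag, attribute name, token and the four sample responses are all constructed for the example.

```python
from html.parser import HTMLParser

# Constructed probe: a scanner injects an element carrying a unique marker so
# it can later look for exactly that element in the response.
PROBE_TAG = "probe"
PROBE_ATTR = "data-xss-probe"
PROBE_ID = "a1b2c3"  # constructed token, stands in for a random per-scan value
PAYLOAD = f'<{PROBE_TAG} {PROBE_ATTR}="{PROBE_ID}">'


class _ProbeFinder(HTMLParser):
    """Records every start tag that is the injected probe element."""

    def __init__(self):
        # convert_charrefs=True turns &lt; / &gt; back into text, so an
        # escaped payload only ever reaches handle_data, never handle_starttag.
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == PROBE_TAG and dict(attrs).get(PROBE_ATTR) == PROBE_ID:
            self.hits.append(self.getpos())


def injected_node_present(body: str) -> bool:
    """DOM-style check: True only if the probe exists as an element node."""
    finder = _ProbeFinder()
    finder.feed(body)
    finder.close()
    return bool(finder.hits)


def naive_substring_present(body: str) -> bool:
    """String check a DOM-unaware scanner might use; flags escaped reflections too."""
    return PROBE_ID in body


# Constructed sample responses covering the cases discussed in the thread.
RESPONSES = {
    # Payload reflected verbatim: the probe becomes a real element node.
    "reflected_raw": f"<html><body><p>Results for {PAYLOAD}</p></body></html>",
    # Payload reflected with < > " encoded: visible text, but no node.
    "reflected_escaped": (
        "<html><body><p>Results for "
        "&lt;probe data-xss-probe=&quot;a1b2c3&quot;&gt;</p></body></html>"
    ),
    # Payload lands inside an attribute value: data, not a node.
    "reflected_in_attribute": (
        f"<html><body><input name=\"q\" value='{PAYLOAD}'></body></html>"
    ),
    # Payload not reflected at all.
    "not_reflected": "<html><body><p>No results.</p></body></html>",
}


def classify(responses=RESPONSES):
    """Return {name: (naive_result, dom_result)} for each sample response."""
    return {
        name: (naive_substring_present(body), injected_node_present(body))
        for name, body in responses.items()
    }


if __name__ == "__main__":
    for name, (naive, dom) in classify().items():
        verdict = "confirmed" if dom else ("would be FP" if naive else "clean")
        print(f"{name:24s} substring={naive!s:5s} dom_node={dom!s:5s} -> {verdict}")
```

Only the raw reflection yields a probe node; the escaped and attribute cases match the substring check but not the DOM check, which is exactly the class of result that would otherwise be reported and then discarded on manual review.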
4 Posted by Michiel on Sep 20, 2013 @ 02:28 PM
Will do that.
I've asked more experienced security testers to confirm the vulnerability and I will report them as FP if they are indeed false positives with an explanation.
Regards,
Michiel
Support Staff 5 Posted by Tasos Laskos on Sep 22, 2013 @ 02:11 PM
Sounds good, either way, let me know how it goes.
Cheers
6 Posted by Michiel on Sep 24, 2013 @ 01:08 PM
Hi Tasos,
I want to share some confirmed and not confirmed/manual check results from a scan output with you.
Rather than posting them here (sensitive information), can I send you this information by email via a secure channel/option? (GPG/SMIME)
I got some feedback from our testers on the confirmed Blind SQL injections and the XSS we found in our scans.
Regards,
Michiel
Support Staff 7 Posted by Tasos Laskos on Sep 24, 2013 @ 01:15 PM
Hi Michiel,
Of course you can: tasos [dot] laskos @ gmail
Cheers
8 Posted by Michiel on Sep 24, 2013 @ 01:22 PM
Ok, mail sent.
Support Staff 9 Posted by Tasos Laskos on Sep 24, 2013 @ 04:42 PM
Closing this discussion since the conversation has moved to e-mail due to its sensitive nature.
Tasos Laskos closed this discussion on Sep 24, 2013 @ 04:42 PM.