Possible false positive: wordpress xili language plugin xss vulnerability

meredith · October 22, 2023, 8:51pm

The vulnerability “WordPress Xili Language Plugin XSS Vulnerability” is reported.
id = 1.3.6.1.4.1.25623.1.0.803600

This plugin is not installed on the server, but the newest wpml plugin.

The nasl file is opening the url. If I test this link on my browser, there is no “alert” message.

url = dir + "/?lang=%22><script>alert(12345)</script>";

if(http_vuln_check(port:port, url:url, check_header:TRUE,
   pattern:"<script>alert\(12345\)</script>"))
{
  report = http_report_vuln_url(port:port, url:url);
  security_message(port:port, data:report);
  exit(0);
}

Is this a false positive?

cfi · October 25, 2023, 3:26pm

Only a few short more generic notes:

Answering “is this a false positive” is usually only possible when having direct access to the target and in most cases it is the responsibility of the user to verify/clarify this
Most modern browsers AFAICT have build-in XSS protection so opening the URL might not always “trigger” the XSS
The VT in question is doing / checking the flaw in a generic way so any other plugin besides Xili Language could be affected as well
Such older XSS VTs (this one is from 2013) might be a little bit more false positive prone so there is a chance of a false positive

rippledj · October 26, 2023, 3:32am

I’m curious about how NASL pattern: function works. I know that OWASP ZAP Proxy gives false positives for XSS exploitation when the “payload” is reflected in the page such as when it’s included as an error output. I’ve even seen this error in the “invisible” parts of the page. Try loading the source code from the page and search for the pattern manually - you might find out what’s going on.

Lukas · October 26, 2023, 8:42am

Please note this forums is not a free resource of security consulting. If you are in question and you are not able to judge this, i would strongly advise to get professional help on this topic. As far as the community can help you CFI responded to your question.

meredith · October 26, 2023, 6:24pm

Me too. This could be the hint, no error but the payload is in the page’s source code as a link multiple times.

rippledj · October 26, 2023, 10:34pm

Yes, OWASP ZAP also commonly has this false positive.

cfi · October 31, 2023, 9:36am

What could be done from Greenbone side is:

Lower the QoD to remote_analysis to make it more clear that additional user verification is required for such active XSS flaws (from 11 Reports and Vulnerability Management — Greenbone Enterprise Appliance 22.04.17 documentation):

Remote checks that perform some analysis, but may not always be completely reliable depending on environmental conditions. Narrowing down suspected false-positive or false-negative edge cases may require analysis by the user (see Chapter 11.8).
Make the response pattern check in the VT in question a little bit more strict to only report if it matches the response of an affected plugin installation

Notes:

Nr. 1 has been been already done and should be already included in the feed
Doing / adding the more strict response check might take quite some time and it won’t guarantee that the target in question is actually not affected. It is still required by the OP to verify that the system in question is not vulnerable