views:

16

answers:

1

I ran Wapiti on my webserver. I dump the database before and after, deleted the last line which is the timestamp and found both files have me the same hash value so i know the database hasnt been changed.

But according to the report i failed a number of test. And this is the data in the info

500 HTTP Error code.
Internal Server Error. The server encountered an unexpected condition which prevented it from fulfilling the request.

    * World Wide Web Consortium: HTTP/1.1 Status Code Definitions
    * Wikipedia: List of HTTP status codes 

It appears each and every one of these are caused by ill-formed strings that ASP.NET does not like (note i use a debian machine with xsp to host. It works well).

Should i not care what the generated reports say? should i only check if anything was changed or anything was corrupted by manually looking through the pages?

    SQL Injection (1)   Blind SQL Injection (2)     File Handling (3)   Cross Site Scripting (4)    CRLF (5)    Commands execution (6)  Resource consumption (7)    Htaccess Bypass (8)     Backup file (9)     Potentially dangerous file (10) 
High    14  14  13  0   0   14  0   0   0   0
Medium  0   0   0   0   0   0   0   0   0   0
Low     0   0   0   0   0   0   0   0   0   0
A: 

The database restoration is a very good idea. You do need a populated database to get proper code coverage. You also need to make sure that error reporting is enabled, nasty input must cause a sql error or wapiti might not find it. Wapiti does have blind sql injection testing, but its not as accurate.

I would look at the normal output from a ./wapiti.py http://yourdomain.com, this will list all of the vulnerabilities found and then you can patch them. After you do your first round of patching, re-run wapiti to make sure the patches work. The reports it generates are mostly meant for managers and the like who don't know what vulnerability is, they just want to know if they are safe or not. SQL Injection probably won't corrupt the database or any of the pages, Wapiti does do stored xss testing and this will corrupt a page, but if you are restoring the database then everything should be fine.

Rook
It appears all are because xsp/mono/apache doesnt like the input string. AFAIK everything was fine. I looked at the normal output but unfortunately i dont remember what it said. So i think i am fine.
acidzombie24
@acidzombie24 That sounds unlikely. It is seeing a SQL error due to nasty input, A general error will not produce a false positive. Its more likely that your escape method is weak. Just out of curiosity did you roll your own escape routines? Are you using them properly? Even mysql_real_escape_string() can be misused...
Rook