tags:

views:

16

answers:

1
+1  Q: 

Understanding Wapiti results

I ran Wapiti on my webserver. I dump the database before and after, deleted the last line which is the timestamp and found both files have me the same hash value so i know the database hasnt been changed.

But according to the report i failed a number of test. And this is the data in the info

500 HTTP Error code.
Internal Server Error. The server encountered an unexpected condition which prevented it from fulfilling the request.

    * World Wide Web Consortium: HTTP/1.1 Status Code Definitions
    * Wikipedia: List of HTTP status codes

It appears each and every one of these are caused by ill-formed strings that ASP.NET does not like (note i use a debian machine with xsp to host. It works well).

Should i not care what the generated reports say? should i only check if anything was changed or anything was corrupted by manually looking through the pages?

    SQL Injection (1)   Blind SQL Injection (2)     File Handling (3)   Cross Site Scripting (4)    CRLF (5)    Commands execution (6)  Resource consumption (7)    Htaccess Bypass (8)     Backup file (9)     Potentially dangerous file (10) 
High    14  14  13  0   0   14  0   0   0   0
Medium  0   0   0   0   0   0   0   0   0   0
Low     0   0   0   0   0   0   0   0   0   0
A: 

The database restoration is a very good idea. You do need a populated database to get proper code coverage. You also need to make sure that error reporting is enabled, nasty input must cause a sql error or wapiti might not find it. Wapiti does have blind sql injection testing, but its not as accurate.

I would look at the normal output from a ./wapiti.py http://yourdomain.com, this will list all of the vulnerabilities found and then you can patch them. After you do your first round of patching, re-run wapiti to make sure the patches work. The reports it generates are mostly meant for managers and the like who don't know what vulnerability is, they just want to know if they are safe or not. SQL Injection probably won't corrupt the database or any of the pages, Wapiti does do stored xss testing and this will corrupt a page, but if you are restoring the database then everything should be fine.

Rook  2010-09-10 17:27:19
It appears all are because xsp/mono/apache doesnt like the input string. AFAIK everything was fine. I looked at the normal output but unfortunately i dont remember what it said. So i think i am fine.
acidzombie24  2010-09-11 00:23:28
@acidzombie24 That sounds unlikely. It is seeing a SQL error due to nasty input, A general error will not produce a false positive. Its more likely that your escape method is weak. Just out of curiosity did you roll your own escape routines? Are you using them properly? Even mysql_real_escape_string() can be misused...
Rook  2010-09-11 00:26:32

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps