Use a lower severity level for potential ldap vulns

wapiti-scanner · Jul 30, 2024 · 28acda2 · 28acda2
1 parent ee08a96
commit 28acda2
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 1 deletion.
diff --git a/tests/attack/test_mod_ldap.py b/tests/attack/test_mod_ldap.py
@@ -8,6 +8,7 @@
 import httpx
 
 from wapitiCore.attack.attack import random_string
+from wapitiCore.language.vulnerability import CRITICAL_LEVEL, HIGH_LEVEL
 from wapitiCore.net.classes import CrawlerConfiguration
 from wapitiCore.net import Request
 from wapitiCore.net.crawler import AsyncCrawler
@@ -166,6 +167,7 @@ async def test_vulnerabilities():
         assert persister.add_payload.call_count == 2
         assert persister.add_payload.call_args_list[0][1]["module"] == "ldap"
         assert persister.add_payload.call_args_list[0][1]["category"] == "LDAP Injection"
+        assert persister.add_payload.call_args_list[0][1]["level"] == CRITICAL_LEVEL
         assert persister.add_payload.call_args_list[0][1]["request"].url == (
             "http://perdu.com/vuln?user=%2A%29%29%00nosuchvalue&password=bar"
         )
@@ -175,6 +177,7 @@ async def test_vulnerabilities():
 
         assert persister.add_payload.call_args_list[1][1]["module"] == "ldap"
         assert persister.add_payload.call_args_list[1][1]["category"] == "Internal Server Error"
+        assert persister.add_payload.call_args_list[1][1]["level"] == HIGH_LEVEL
         assert persister.add_payload.call_args_list[1][1]["request"].url == (
             "http://perdu.com/vuln?user=foo&password=nosuchvalue%29%29%00"
         )

diff --git a/tests/integration/test_mod_ldap/assertions/ldap.json b/tests/integration/test_mod_ldap/assertions/ldap.json
@@ -5,6 +5,7 @@
                 "method": "POST",
                 "path": "/login.php",
                 "info": "LDAP Injection via injection in the parameter user_id",
+                "level": 4,
                 "parameter": "user_id",
                 "module": "ldap",
                 "http_request": "POST /login.php HTTP/1.1\nhost: ldap\nconnection: keep-alive\nuser-agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0\naccept-language: en-US\naccept-encoding: gzip, deflate, br\naccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\ncontent-type: application/x-www-form-urlencoded\nreferer: http://ldap/login.php\ncookie: PHPSESSID=fab84e2ce831e3a6f8b5449b046f98c6\ncontent-length: 71\nContent-Type: application/x-www-form-urlencoded\n\nuser_id=%2A%29%29%00nosuchvalue&password=Letm3in_&login=1&submit=Submit",
@@ -16,6 +17,7 @@
                 "method": "POST",
                 "path": "/login2.php",
                 "info": "LDAP Injection via injection in the parameter user_id",
+                "level": 4,
                 "parameter": "user_id",
                 "module": "ldap",
                 "http_request": "POST /login2.php HTTP/1.1\nhost: ldap\nconnection: keep-alive\nuser-agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0\naccept-language: en-US\naccept-encoding: gzip, deflate, br\naccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\ncontent-type: application/x-www-form-urlencoded\nreferer: http://ldap/login2.php\ncookie: PHPSESSID=fab84e2ce831e3a6f8b5449b046f98c6\ncontent-length: 71\nContent-Type: application/x-www-form-urlencoded\n\nuser_id=%2A%29%29%00nosuchvalue&password=Letm3in_&login=1&submit=Submit",
@@ -27,6 +29,7 @@
                 "method": "POST",
                 "path": "/login2.php",
                 "info": "Potential LDAP injection via injection in the parameter password",
+                "level": 3,
                 "parameter": "password",
                 "module": "ldap",
                 "http_request": "POST /login2.php HTTP/1.1\nhost: ldap\nconnection: keep-alive\nuser-agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0\naccept-language: en-US\naccept-encoding: gzip, deflate, br\naccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\ncontent-type: application/x-www-form-urlencoded\nreferer: http://ldap/login2.php\ncookie: PHPSESSID=fab84e2ce831e3a6f8b5449b046f98c6\ncontent-length: 65\nContent-Type: application/x-www-form-urlencoded\n\nuser_id=alice&password=%2A%29%00nosuchvalue&login=1&submit=Submit",
@@ -38,6 +41,7 @@
                 "method": "POST",
                 "path": "/search.php",
                 "info": "LDAP Injection via injection in the parameter searchTerm",
+                "level": 4,
                 "parameter": "searchTerm",
                 "module": "ldap",
                 "http_request": "POST /search.php HTTP/1.1\nhost: ldap\nconnection: keep-alive\nuser-agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0\naccept-language: en-US\naccept-encoding: gzip, deflate, br\naccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\ncontent-type: application/x-www-form-urlencoded\nreferer: http://ldap/search.php\ncookie: PHPSESSID=fab84e2ce831e3a6f8b5449b046f98c6\ncontent-length: 34\nContent-Type: application/x-www-form-urlencoded\n\nsearchTerm=%2A%29%29%00nosuchvalue",
@@ -49,6 +53,7 @@
                 "method": "POST",
                 "path": "/search_exact.php",
                 "info": "LDAP Injection via injection in the parameter searchTerm",
+                "level": 4,
                 "parameter": "searchTerm",
                 "module": "ldap",
                 "http_request": "POST /search_exact.php HTTP/1.1\nhost: ldap\nconnection: keep-alive\nuser-agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0\naccept-language: en-US\naccept-encoding: gzip, deflate, br\naccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\ncontent-type: application/x-www-form-urlencoded\nreferer: http://ldap/search_exact.php\ncookie: PHPSESSID=fab84e2ce831e3a6f8b5449b046f98c6\ncontent-length: 34\nContent-Type: application/x-www-form-urlencoded\n\nsearchTerm=%2A%29%29%00nosuchvalue",

diff --git a/tests/integration/test_mod_ldap/behavior.json b/tests/integration/test_mod_ldap/behavior.json
@@ -6,6 +6,7 @@
             "vulnerabilities": {
                 "LDAP Injection": [
                     {
+                        "level": 0,
                         "method": "",
                         "path": "",
                         "info": "",

diff --git a/wapitiCore/attack/mod_ldap.py b/wapitiCore/attack/mod_ldap.py
@@ -248,7 +248,7 @@ async def attack_parameter(
             else:
                 vuln_message = f"{vuln_info} via injection in the parameter {parameter.display_name}"
 
-            await self.add_critical(
+            await self.add_high(
                 request_id=original_request.path_id,
                 finding_class=LdapInjectionFinding,
                 request=warn_request,