How to Trigger 404 When URL Query Is Invalid?

I was doing a vulnerability scan of my ClassicPress website using Skipfish. Skipfish found a SQL injection vector vulnerability and the URL looks like this:

https://graysonpeddie.com/?ipnetmask=1&ipnetwork=1&iphoststart=1&iphostend=1&(...)

This is the post that triggered the vulnerability.

My JavaScript code handles the button clicks so nothing is submitted to my web server. It’s only for testing user’s knowledge of how to do IPv4 subnetting. There are other similar sites that do this as well.

Should I treat the vulnerability as a false positive? Can I throw a 404 error if one of the queries is used? I have developed my custom theme for my ClassicPress website if that helps.

The reason why I’m asking is I was doing some penetration testing in order to make sure my website remains secure from vulnerabilities.

1 Like

I am not sure how Skipfish decides whether or not something is really a vulnerability, we would have to take a look at the code behind the site in order to be sure.

This part jumped out at me though. You may already know this, but JavaScript code is never enough to prevent a server-side vulnerability. If someone is trying to hack your website they can use any number of methods to bypass your JavaScript validation, and the user input must be validated again on the server side.

I have edited your original post to obscure the details of the vulnerability, since if it is a real issue, you don’t want that staying around in public. Feel free to send me a private message if you’d like to investigate this in more detail.

1 Like

Here’s a zip file that can be downloaded from here: https://graysonpeddie.com/downloads/netutils/ipv4subnet.zip

Inside the zip file is a self-contained HTML code which contains embedded JavaScript. The vulnerability is not about ClassicPress, but how my HTML code along with JavaScript code is setup.

1 Like

Ok, I see. If there is no server-side code handling this form, then the vulnerability is a false positive. I wouldn’t bother doing anything about this personally, but you can always add some code like this to your theme, behind an if ( isset( $_GET['ipnetmask'] ) ) or similar check: https://wordpress.stackexchange.com/a/92176/64369

1 Like

It seems like I need to do my own investigation rather than just rely solely in a vulnerability scanner when doing a penetration testing for my website. The vulnerability scanner has no idea whether if a code for the form is client-side or server side.

I’m just trying to learn as much about cybersecurity in regards to penetration testing and how to defend against vulnerabilities to my website. That’s all.

1 Like

Great :slight_smile:

Here is the best article I have come across so far that explains some of the different kinds of web vulnerabilities and how to prevent them: https://24ways.org/2018/securing-your-site-like-its-1999/

Other than that, maybe see if you can get your hands on a course that has examples of insecure code. Write exploits for the vulnerabilities, then learn how to fix them properly, by using an appropriate sanitizing or escaping technique. I don’t have a recommendation for this unfortunately, but there is probably something decent on Coursera or similar sites.

2 Likes

Join HackerOne and you get a free ebook about hacking, which explains how to find them and fix them.

2 Likes

Thanks everyone.

1 Like

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.