I was doing a vulnerability scan of my ClassicPress website using Skipfish. Skipfish found a SQL injection vector vulnerability and the URL looks like this:
This is the post that triggered the vulnerability.
My JavaScript code handles the button clicks so nothing is submitted to my web server. It’s only for testing user’s knowledge of how to do IPv4 subnetting. There are other similar sites that do this as well.
Should I treat the vulnerability as a false positive? Can I throw a 404 error if one of the queries is used? I have developed my custom theme for my ClassicPress website if that helps.
The reason why I’m asking is I was doing some penetration testing in order to make sure my website remains secure from vulnerabilities.
I am not sure how Skipfish decides whether or not something is really a vulnerability, we would have to take a look at the code behind the site in order to be sure.
This part jumped out at me though. You may already know this, but JavaScript code is never enough to prevent a server-side vulnerability. If someone is trying to hack your website they can use any number of methods to bypass your JavaScript validation, and the user input must be validated again on the server side.
I have edited your original post to obscure the details of the vulnerability, since if it is a real issue, you don’t want that staying around in public. Feel free to send me a private message if you’d like to investigate this in more detail.
Inside the zip file is a self-contained HTML code which contains embedded JavaScript. The vulnerability is not about ClassicPress, but how my HTML code along with JavaScript code is setup.
Ok, I see. If there is no server-side code handling this form, then the vulnerability is a false positive. I wouldn’t bother doing anything about this personally, but you can always add some code like this to your theme, behind an if ( isset( $_GET['ipnetmask'] ) ) or similar check: redirect - How to force a 404 on WordPress - WordPress Development Stack Exchange
It seems like I need to do my own investigation rather than just rely solely in a vulnerability scanner when doing a penetration testing for my website. The vulnerability scanner has no idea whether if a code for the form is client-side or server side.
I’m just trying to learn as much about cybersecurity in regards to penetration testing and how to defend against vulnerabilities to my website. That’s all.
Here is the best article I have come across so far that explains some of the different kinds of web vulnerabilities and how to prevent them: Securing Your Site like It’s 1999 ◆ 24 ways
Other than that, maybe see if you can get your hands on a course that has examples of insecure code. Write exploits for the vulnerabilities, then learn how to fix them properly, by using an appropriate sanitizing or escaping technique. I don’t have a recommendation for this unfortunately, but there is probably something decent on Coursera or similar sites.
