OWASP ZAP 扫描 returns "Application Error Disclosure" 到 javascript 库。是假阳性吗?如何证明或修复?
OWASP ZAP scan returns "Application Error Disclosure" to javascript library. Is it false positive? How to proove that or fix?
使用 OWASP ZAP 2.8.0 自动扫描后,我有 "Application Error Disclosure" 和 javascript 文件(moxiejs 库)。网站基于更新到最新版本的wordpress。
如何修复此漏洞?还是误报?
Medium (Medium) Application Error Disclosure
Description
This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.
URL http://x.x.x.x/wordpress/wp-includes/js/plupload/moxie.min.js?ver=1.3.5
Method GET
Evidence Internal Server Error
Instances 1
Solution
Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.
Reference
CWE Id 200
WASC Id 13
Source ID 3
我发现 moxiejs 脚本包含字符串 "Internal Server Error",示例 ( https://raw.githubusercontent.com/WordPress/WordPress/master/wp-includes/js/plupload/moxie.min.js )。 ZAP 是否通过搜索错误文本进行检查?
是的,这是误报,因为 ZAP 扫描了一个 JS-URL,其中包含 RuntimeError: '500:Internal Server Error' 等关键字,这就是您收到此误报消息的原因。
使用 OWASP ZAP 2.8.0 自动扫描后,我有 "Application Error Disclosure" 和 javascript 文件(moxiejs 库)。网站基于更新到最新版本的wordpress。 如何修复此漏洞?还是误报?
Medium (Medium) Application Error Disclosure
Description
This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.
URL http://x.x.x.x/wordpress/wp-includes/js/plupload/moxie.min.js?ver=1.3.5
Method GET
Evidence Internal Server Error
Instances 1
Solution
Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.
Reference
CWE Id 200
WASC Id 13
Source ID 3
我发现 moxiejs 脚本包含字符串 "Internal Server Error",示例 ( https://raw.githubusercontent.com/WordPress/WordPress/master/wp-includes/js/plupload/moxie.min.js )。 ZAP 是否通过搜索错误文本进行检查?
是的,这是误报,因为 ZAP 扫描了一个 JS-URL,其中包含 RuntimeError: '500:Internal Server Error' 等关键字,这就是您收到此误报消息的原因。